How to remove Silver Sparrow malware from the operating system
Written by Tomas Meskauskas on (updated)
What is Silver Sparrow malware?
Silver Sparrow is a malicious program targeting Mac OS operating systems. There are two versions of this malware, the key difference being the targeted OS architecture. Silver Sparrow's activity has been observed in the United States, United Kingdom, Canada, France, and Germany.
This malware is designed to operate as a 'backdoor' for malicious payloads. I.e., its goal is to infect devices with additional malware.
One variant of Silver Sparrow is designed for Intel x86_64 system architecture, the other for this as well as M1 ARM64. The latter is relatively new and, as such, is targeted somewhat less. As mentioned, this piece of malicious software is intended to infect systems with other malware, however, at the time of research, it has not been observed injecting compromised devices with any payloads. Therefore, the specific goals of cyber criminals behind Silver Sparrow are unknown. Likewise, it is unclear what potential damage the malware can cause. Additionally, some aspects of Silver Sparrow make its code easily modifiable, which makes it a versatile threat.
Note that this malware uses Amazon AWS - a legitimate service provided by Amazon Inc. - for its malicious purposes. This increases Silver Sparrow's chances of proliferation, as Amazon AWS offers suitable conditions for it (e.g., resilient file distribution and content delivery, etc.).
Malware capable of causing chain infections (i.e., has backdoor functionalities) can infect devices with a wide variety of malicious programs. Furthermore, malware can have varied capabilities in different combinations. For example, Trojans can function as backdoors, allow remote access and control over the infected machine, download content stored on the system, extract content/information from browsers and other installed applications, spy on users (e.g., monitor keystrokes, record/live-stream video and audio, take screenshots, etc.), and so on.
Ransomware operates by encrypting stored data and/or locking the device's screen for ransom purposes. Cryptominers use system resources (potentially to the point of system failure) to mine cryptocurrency.
To summarize, Silver Sparrow can cause multiple system infections and lead to severe privacy issues, data loss, device damage, financial losses, and identity theft.
If it is suspected/known that Silver Sparrow (or other malware) has already infected the system, use anti-virus software to remove it immediately.
Name | Silver Sparrow virus |
Threat Type | Mac malware, Mac virus, Trojan, password-stealing virus, banking malware, spyware. |
Detection Names (version 1 installer) | Avast (Other:Malware-gen [Trj]), F-Secure (Malware.OSX/Agent.smpwq), ESET-NOD32 (OSX/Agent.BL), Kaspersky (HEUR:Trojan-Downloader.OSX.Slisp.a), Full List Of Detections (VirusTotal) |
Detection Names (version 2 installer) | Avast (Other:Malware-gen [Trj]), F-Secure (Malware.OSX/Agent.rawsn), ESET-NOD32 (OSX/Agent.BL), Kaspersky (HEUR:Trojan-Downloader.OSX.Slisp.a), Full List Of Detections (VirusTotal) |
Symptoms | Trojan malware is designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
Distribution Methods | Infected email attachments, malicious online advertisements, social engineering, software 'cracks'. |
Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet. |
Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
ElectroRAT, OSAMiner, Eleanor, and XCSSET are some examples of other Mac malware. This malicious software can have an array of dangerous functionality, which can pose a correspondingly broad range of serious problems. The sole purpose of this software is to generate profit at users' expense.
Regardless of how malware operates, it is highly dangerous. To ensure device integrity and user safety, it is crucial to eliminate all threats immediately upon detection.
How did Silver Sparrow infiltrate my computer?
The exact method used to spread Silver Sparrow is unknown. Typically, malicious programs are proliferated through untrustworthy download channels (e.g., unofficial and free file-hosting websites, Peer-to-Peer sharing networks, and other third-party downloaders), illegal activation tools ("cracks"), fake updaters, and spam campaigns.
Malware (including ransomware) is usually distributed via malspam campaigns, unofficial software activation ('cracking') tools, Trojans, dubious file/software download sources, and fake software updating tools.
When cyber criminals attempt to distribute malware via malspam campaigns, they send emails that contain malicious attachments or download links for malicious files. Typically, they disguise their emails as official and important. If recipients open the attached file (or a file downloaded via a website link), they cause installation of malicious software.
Cyber criminals commonly attach executable files (.exe), archive files such as RAR, ZIP, PDF documents, JavaScript files and Microsoft Office documents to their emails. Software 'cracking' tools supposedly activate licensed software illegally (bypass activation), however, they often install malicious programs and do not activate any legitimate installed software.
Trojans are other rogue programs that can cause chain infections. I.e., when a Trojan is installed on the operating system, it can install additional malware.
Free file hosting websites, freeware download websites, Peer-to-Peer networks (e.g., torrent clients, eMule), unofficial websites, and third party downloaders are examples of other sources that are used to distribute malware. Cyber criminals disguise malicious files as legitimate and regular. When users download and open them, they inadvertently infect their computers with malware.
Fake software updating tools install malicious software rather than updates/fixes for installed programs, or they exploit bugs/flaws of outdated software that is installed on the operating system.
How to avoid installation of malware
Do not trust irrelevant emails that have files attached (or contain website links) and are received from unknown, suspicious addresses. Software should not be downloaded or installed through third party downloaders, installers, unofficial pages or other similar sources/tools.
Use only official websites and direct links. Installed software should never be updated or activated with third party, unofficial tools, since they can install malware. Furthermore, it is illegal to use third party tools to activate licensed software.
The only legitimate way to update and activate software is to use tools and functions that are provided by the official developers. Regularly scan your computer with reputable antivirus or anti-spyware software and keep this software up to date.
If your computer is already infected with malware, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Screenshot of VirusTotal detections of the installer distributing the second version of Silver Sparrow malware:
Update 2 March 2021 - It is likely that Silver Sparrow infects computers via adware or advertisements, third-party offers during the installation processes of certain programs. It is known that the purpose of Silver Sparrow is to infect computers with additional malware, but the payload is still unknown.
Whatever it is, it cannot be configured because the configuration file is hosted in AWS S3. Note also that Silver Sparrow uninstalls itself once the "~/Library/._insu" file appears in the system. It is likely that this file is generated when there is nothing more to gain from the infected machine.
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is "Silver Sparrow"?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
You are advised not to use Peer-to-Peer networks (such as eMule, torrent clients, etc.), unofficial websites, third party downloaders, installers, etc. to download or install software or files. Use official pages and direct links.
Check download/installation set-ups for settings such as "Advanced", "Manual, or "Custom" (or include certain checkboxes) and decline offers to download or install unwanted apps before completing the process.
Additionally, do not trust or click advertisements that are displayed on dubious web pages - they can open other rogue sites or cause unwanted downloads and installations.
Remove any suspicious or unknown extensions, add-ons and plug-ins installed on the browser. The same applies to software of this kind that is installed on the operating system
▼ Show Discussion