naut wrote

About the lack of executable (emphasis mine):

The first version of Silver Sparrow malware (updater.pkg MD5: 30c9bc7d40454e501c358f77449071aa) that we analyzed contained an extraneous Mach-O binary (updater MD5: c668003c9c5b1689ba47a431512b03cc), compiled for Intel x86_64 that appeared to play no additional role in the Silver Sparrow execution. Ultimately this binary seems to have been included as placeholder content to give the PKG something to distribute outside the JavaScript execution. It simply says, “Hello, World!” (literally!)

Here's the full analysis from the group that discovered the malware.

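The quoted report states which architecture the extraneous binary was compiled for. Checking that kind of claim during package triage only requires reading the Mach-O header, without executing anything. The following is an added Python example, not code from the comment, the report it quotes, or the analysts' tooling; it parses thin Mach-O headers (either byte order) and universal "fat" containers, and the sample headers it feeds itself are constructed inline rather than taken from any real file.

```python
import struct

# Mach-O constants as defined in Apple's <mach-o/loader.h>, <mach-o/fat.h>
# and <mach/machine.h>.
MH_MAGIC = 0xFEEDFACE         # 32-bit thin image, stored in the target's byte order
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin image, stored in the target's byte order
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") container, always big-endian
CPU_TYPE_X86 = 0x00000007
CPU_TYPE_X86_64 = 0x01000007  # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C   # CPU_TYPE_ARM | CPU_ARCH_ABI64

CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM64: "arm64",
}


def _cpu_name(cputype):
    return CPU_NAMES.get(cputype, "unknown(0x%08x)" % cputype)


def _thin_arch(data):
    """Architecture of a thin Mach-O image, or None if the data is not Mach-O.

    The thin header is written in the target's byte order, so both orders are
    tried; the magic value only matches when the right one is used.
    """
    if len(data) < 8:
        return None
    for order in ("<", ">"):
        magic, cputype = struct.unpack(order + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return _cpu_name(cputype)
    return None


def macho_architectures(data):
    """Return the list of architectures contained in a Mach-O file (thin or fat).

    Returns an empty list for anything that is not Mach-O (scripts, data files).
    """
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat_arch):
            start = 8 + i * 20  # struct fat_arch is five big-endian uint32s
            entry = data[start:start + 20]
            if len(entry) < 20:
                break           # truncated container: report what could be read
            cputype, _subtype, _offset, _size, _align = struct.unpack(">5I", entry)
            archs.append(_cpu_name(cputype))
        return archs
    thin = _thin_arch(data)
    return [thin] if thin is not None else []


# --- constructed sample inputs (hypothetical; not taken from any real binary) ---

def build_thin_header(cputype, little_endian=True):
    """Minimal 32-byte 64-bit Mach-O header: magic, cputype, cpusubtype,
    filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved."""
    order = "<" if little_endian else ">"
    return struct.pack(order + "8I", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)


def build_fat_header(cputypes):
    """Fat header followed by one fat_arch entry per architecture (big-endian)."""
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for n, cputype in enumerate(cputypes):
        # offset/size/align are placeholder values; only cputype matters here
        out += struct.pack(">5I", cputype, 3, 0x4000 * (n + 1), 0x1000, 14)
    return out


if __name__ == "__main__":
    samples = {
        "intel-only executable": build_thin_header(CPU_TYPE_X86_64),
        "universal executable": build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64]),
        "shell script": b"#!/bin/sh\necho hello\n",
    }
    for label, blob in samples.items():
        print("%-24s %s" % (label, macho_architectures(blob) or "not Mach-O"))
```

Run against the payload files extracted from a package (for example with `macho_architectures(open(path, "rb").read())`), an x86_64-only result on a machine where the rest of the package is cross-platform script content is exactly the oddity the report describes. One caveat: Java class files share the 0xCAFEBABE magic, so production tooling additionally checks that `nfat_arch` is a small number before treating a file as a universal binary.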