Detect & Remove Silver Sparrow

!Clean_Silver_Sparrow.md

What is Silver Sparrow?

https://redcanary.com/blog/clipping-silver-sparrows-wings/

Running the cleaner

Past this in a Terminal window:

curl -s https://gist.githubusercontent.com/davidrapin/f74010691e9a08ab9ca225949e622bba/raw/03d1927c01178bd44416da70f464a2d8a34d8b52/ssp-clean.sh | bash -s --

ssp-clean.sh

#!/bin/bash
# Written by David R. on 2021-02-22
# Source: https://gist.github.com/davidrapin/f74010691e9a08ab9ca225949e622bba

# list of suspicious files
files=(
  "~/Library/._insu"
  "~/Library/LaunchAgents/verx.plist"
  "~/Library/LaunchAgents/init_verx.plist"
  "/tmp/version.json"
  "/tmp/version.plist"
  "/tmp/verx"
  "/tmp/agent.sh"
  "~/Library/Application Support/verx_updater"
)

found=0
failed=0
echo "Silver Sparrow Remover (2021-02-22)"
for f in "${files[@]}"
do
  : 
  # manual tilde expansion
  file="${f//\~/$HOME}"
  
  # check if file exists
  if [[ -e "$file" ]]; then
    ((found=found+1))

    # try to delete the file
    if rm -rf "$file"; then
      echo "[REMOVED (was present)]: $file"
    else
      ((failed=failed+1))
      echo "[FOUND & CANNOT REMOVE]: $file"
    fi
  else
      echo "[NOT FOUND (good news)]: $file"
  fi  
done

if [ "$found" = "0" ]; then
  echo "DONE. You were not infected."
else
  if [ "$failed" = "0" ]; then
    echo "DONE. You were infected, but all $found suspicious files have been removed."
  else
    echo "DONE. You are infected: $failed out of $found suspicious files could not be removed."
  fi
fi