Now that OSAMiner has been detected and its complex architecture has been reverse engineered, it will help other researchers in finding any other hidden “run-only” AppleScript malware. In the event that other threat actors begin picking up on the utility of leveraging run-only AppleScripts, we hope this research and the tools discussed above will prove to be of use to analysts. In this case, we have not seen the actor use any of the more powerful features of AppleScript that we’ve discussed elsewhere, but that is an attack vector that remains wide open and which many defensive tools are not equipped to handle. Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, show exactly how powerful run-only AppleScripts can be for evasion and anti-analysis.

For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

SentinelOne noted that run-only AppleScripts are rarely used for macOS malware, but OSAMiner showed that they are incredibly powerful for malicious intents and can be used to remain hidden from detection. These “run-only” AppleScripts made it easier for OSAMiner to avoid detection over the years. When users downloaded the affected apps, an AppleScript would be downloaded which would run a second AppleScript, which would, in turn, download the third AppleScript.

The malware has also evolved recently and has primarily targeted users in China and Asia-Pacific.

OSAMiner has been active since 2015, secretly mining cryptocurrency on affected Macs. Once users would download and install infected software, OSAMiner would use run-only AppleScripts to embed itself into the system. A sneaky macOS malware called OSAMiner had been infecting Macs without anyone noticing, by hiding using AppleScripts and mining cryptocurrency, since 2015. As per security firm SentinelOne, OSAMiner had been distributed using pirated versions of Mac games like League of Legends (which is usually available to download for free), and Microsoft Office.

To reverse the above step, go back to the Terminal and use: The main gotcha to remember after doing this is you won’t see Catalina updates, and even if you go to the App Store and try to. If you keep System Preferences in the Dock, you’ll notice that even after the previous step you still have the eye-catching red banner alert on the Dock.