![]() ![]() Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week.įor more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. "OSAMiner has been active for a long time and has evolved in recent months," a SentinelOne spokesperson told ZDNet in an email interview on Monday. "From what data we have it appears to be mostly targeted at Chineses/Asia-Pacific communities," the spokesperson added. ![]() Nested run-only AppleScripts, for the win!īut the cryptominer did not go entirely unnoticed. SentinelOne said that two Chinese security firms spotted and analyzed older versions of the OSAMiner in August and September 2018, respectively.īut their reports only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday. The primary reason was that security researchers weren't able to retrieve the malware's entire code at the time, which used nested run-only AppleScript files to retrieve its malicious code across different stages.Īs users installed the pirated software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, and then another final third run-only AppleScript. Since "run-only" AppleScript come in a compiled state where the source code isn't human-readable, this made analysis harder for security researchers. Yesterday, Stokes published the full-chain of this attack, along with indicators of compromise (IOCs) of past and newer OSAMiner campaigns. Stokes and the SentinelOne team hope that by finally cracking the mystery surrounding this campaign and by publishing IOCs, other macOS security software providers would now be able to detect OSAMiner attacks and help protect macOS users. MacOS.OSAMiner can parse the output of the native system_profiler tool to determine if the machine is running with 4 cores."Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis," Stokes concluded in his report yesterday. Virtualization/Sandbox Evasion: System Checks MacOS.OSAMiner has used launchctl to restart the Launch Agent. MacOS.OSAMiner can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility df. MacOS.OSAMiner has used ps ax | grep | grep -v grep |. OSAMiner was first detected in 2015 and is still successfully used by cyber criminals due to its complex structure (use of run-only AppleScript files), which. Years runonly applescripts to avoid detection software However, it is quite clear that using pirated software will ensure the malware continues to have vulnerable Apple macOS computers.Apple said the new Rage 128 Pro graphics card added to all G4 models will deliver a 40 percent increase in 3D graphics performance. MacOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads. Obfuscated Files or Information: Embedded Payloads MacOS.OSAMiner has used run-only Applescripts, a compiled and stripped version of AppleScript, to remove human readable indicators to evade detection. ![]() Obfuscated Files or Information: Stripped Payloads ![]() MacOS.OSAMiner has used curl to download a Stripped Payloads from a public facing adversary-controlled webpage. macOS.OSAMiner also searches the operating system's install.log for apps matching its hardcoded list, killing all matching process names. MacOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. MacOS.OSAMiner has placed a Stripped Payloads with a plist extension in the Launch Agent's folder. Ĭreate or Modify System Process: Launch Agent MacOS.OSAMiner has used osascript to call itself via the do shell script command in the Launch Agent. Enterprise Layer download view Techniques Used DomainĬommand and Scripting Interpreter: AppleScript ![]()
0 Comments
Leave a Reply. |