"The setup script includes pool address, password and other configuration information but no wallet address," the researchers say in a report today, adding that it also uses the "caffeinate" tool to prevent the machine from entering sleep mode.Īccording to Sentinel One, the second script is intended to prevent analysis and evade detection. Its purpose is to download the open-source XMR-Stak Monero miner that works on Linux, Windows, and macOS. This was the third run-only AppleScript, downloaded to the ~/Library/11.PNG. However, Sentinel One was able to find an active one ( and noticed that the malware parsed a link in the source code of the page that pointed to a PNG image. The researchers say that the main script also sets up a persistence agent and downloads the first stage of the miner from a URL set on a public page. Other tasks it runs include collecting the serial number of the device, restarting the 'launchctl' job responsible for loading and unloading daemons or agents, and to kill the Terminal application. It also checks if the machine has enough free space and exits if there isn't sufficient storage. The main role of the parent script is to write the embedded AppleScript to ~/Library/k.plist using a "do shell script" command and execute it. The recent OSAMiner campaigns use three run-only AppleScript files to deploy the mining process on the infected macOS machine, Sentinel One found:Ī parent script that executes from the trojanized application However, they were able to reverse engineer some samples they collected by using a less-known AppleScript disassembler ( Jinmo’s applescript-disassembler) and a decompiler tool developed internally called aevt_decompile. Security researchers at Sentinel One discovered at the end of 2020 a new sample of OSAMiner that complicated "the already difficult process of analysis." 
The malware has been researched in the past but the run-only AppleScript file hindered full analysis, limiting it to observing the behavior of the sample.ĪppleScript files include both the source and the compiled code but enabling "run-only" saves only the compiled version so the human-readable code is no longer available, thus removing the possibility of reverse engineering. OSAMiner typically spreads via pirated copies of games and software, League of Legends and Microsoft Office for macOS being among the more popular examples. Yet, analyzing it is difficult because payloads are exported as run-only AppleScript files, which makes decompiling them into source code a tall order.Ī recently observed variant makes analyzing even more difficult as it embeds a run-only AppleScript into another scripts and uses URLs in public web pages to download the actual Monero miner. The malware is tracked as OSAMiner and has been in the wild since at least 2015. Mac malware uses 'run-only' AppleScripts to evade analysisĪ cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it.
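As an added defender-side example (not code from the Sentinel One report or from this article), the Python scanner below flags the kind of masquerading the campaign relies on: a compiled AppleScript dropped under a non-script name such as k.plist or 11.PNG. It keys on the "FasdUAS" magic that compiled AppleScript files carry whether or not they were exported run-only; the sample files it builds are constructed, and scanning ~/Library as the target is an assumption.

```python
import os
import tempfile
from pathlib import Path

# Compiled AppleScript files (.scpt) start with this magic, whether or
# not they were exported as "run-only" (run-only only drops the source).
APPLESCRIPT_MAGIC = b"FasdUAS"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SCRIPT_EXTENSIONS = {".scpt", ".scptd", ".applescript"}


def classify(path):
    """Return a finding string for a suspicious file, or None if it looks normal."""
    p = Path(path)
    try:
        with open(p, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    ext = p.suffix.lower()
    # Compiled AppleScript content hiding behind a plist/PNG/other extension.
    if head.startswith(APPLESCRIPT_MAGIC) and ext not in SCRIPT_EXTENSIONS:
        return f"compiled AppleScript masquerading as '{ext or 'no extension'}': {p}"
    # A ".png" that is not actually a PNG (catches other payloads using the same trick).
    if ext == ".png" and not head.startswith(PNG_MAGIC):
        return f"PNG extension without PNG magic: {p}"
    return None


def scan(directory):
    """Walk a directory tree and collect findings for every regular file."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            result = classify(os.path.join(root, name))
            if result:
                findings.append(result)
    return findings


def build_sample_tree(base):
    """Constructed sample files reusing the names from the report (k.plist,
    11.PNG) alongside benign files; the contents are fake, not real malware."""
    base = Path(base)
    (base / "k.plist").write_bytes(APPLESCRIPT_MAGIC + b" 1.101.10\x00fake")
    (base / "11.PNG").write_bytes(APPLESCRIPT_MAGIC + b" 1.101.10\x00fake")
    (base / "real.png").write_bytes(PNG_MAGIC + b"\x00\x00\x00\rIHDR")
    (base / "legit.scpt").write_bytes(APPLESCRIPT_MAGIC + b" 1.101.10\x00ok")
    (base / "notes.plist").write_bytes(b'<?xml version="1.0"?>')
    return base


if __name__ == "__main__":
    # Stand-alone demo on the constructed tree; on a real host you would
    # call scan(os.path.expanduser("~/Library")) instead (assumed target).
    with tempfile.TemporaryDirectory() as tmp:
        for line in scan(build_sample_tree(tmp)):
            print(line)
```

On the constructed tree only k.plist and 11.PNG are reported; legit.scpt, real.png and notes.plist pass.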