For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

Named OSAMiner, the malware has been distributed in the wild since at least 2015, disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week.

“OSAMiner has been active for a long time and has evolved in recent months,” a SentinelOne spokesperson told ZDNet in an email interview on Monday. “From what data we have it appears to be mostly targeted at Chinese/Asia-Pacific communities,” the spokesperson added.

[Image caption: Nested run-only AppleScripts, for the win!]

But the cryptominer did not go entirely unnoticed. SentinelOne said that two Chinese security firms spotted and analyzed older versions of OSAMiner in August and September 2018, respectively.

Their reports, however, only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday. The primary reason was that security researchers weren’t able to retrieve the malware’s entire code at the time: the malware used nested run-only AppleScript files to retrieve its malicious code across different stages.

As users installed the pirated software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, which in turn downloaded and ran a third and final run-only AppleScript. Since “run-only” AppleScripts come in a compiled state where the source code isn’t human-readable, this made analysis harder for security researchers.

Yesterday, Stokes published the full chain of this attack, along with indicators of compromise (IOCs) of past and newer OSAMiner campaigns.
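One defender-side check for the artifact the staged chain above leaves on disk (a compiled AppleScript whose source cannot be recovered) is shown below as an added Python example; it is not SentinelOne’s or ZDNet’s code. It assumes that compiled `.scpt` files begin with the bytes `FasdUAS` and that macOS’s `osadecompile` exits non-zero for run-only scripts because no source is stored in them; on hosts without `osadecompile` the run-only verdict is reported as unknown rather than guessed. The files it scans are constructed stand-ins, not OSAMiner samples.

```python
"""Locate compiled AppleScript files under a directory and flag those whose
source cannot be recovered (the "run-only" form OSAMiner chained together).
Added example; not SentinelOne's or ZDNet's code.

Assumptions: compiled .scpt files start with b"FasdUAS"; on macOS,
`osadecompile` fails (non-zero exit, empty output) for run-only scripts.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

APPLESCRIPT_MAGIC = b"FasdUAS"  # header of compiled AppleScript (assumed)


def is_compiled_applescript(path):
    """True if the file carries the compiled-AppleScript header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(APPLESCRIPT_MAGIC)) == APPLESCRIPT_MAGIC
    except OSError:
        return False


def is_run_only(path):
    """True if osadecompile cannot produce source (run-only script),
    False if it can, None if osadecompile is not available on this host."""
    tool = shutil.which("osadecompile")
    if tool is None:
        return None
    proc = subprocess.run([tool, str(path)], capture_output=True, text=True)
    return proc.returncode != 0 or not proc.stdout.strip()


def scan(root):
    """Walk `root` and return one record per compiled AppleScript found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if is_compiled_applescript(path):
                findings.append({"path": str(path), "run_only": is_run_only(path)})
    return findings


def make_samples():
    """Build a constructed sample tree: one fake compiled script carrying the
    magic header inside an app bundle, one plain-text .applescript, and one
    unrelated file. These are synthetic stand-ins, not real malware."""
    root = Path(tempfile.mkdtemp(prefix="scpt-scan-"))
    resources = root / "Installer.app" / "Contents" / "Resources"
    resources.mkdir(parents=True)
    # Header bytes only; a real compiled script would carry bytecode after it.
    (resources / "stage1.scpt").write_bytes(APPLESCRIPT_MAGIC + b" 1.101.10\x0e\x00\x00")
    (root / "notes.applescript").write_text('display dialog "hello"\n')
    (root / "README.txt").write_text("nothing to see here\n")
    return str(root)


if __name__ == "__main__":
    labels = {True: "run-only", False: "source recoverable", None: "unknown (no osadecompile)"}
    for rec in scan(make_samples()):
        print(f"{rec['path']}: compiled AppleScript, {labels[rec['run_only']]}")
```

Pointed at a suspicious installer bundle on macOS, the scanner lists every compiled script it finds and marks the ones `osadecompile` cannot open; those are the candidates worth correlating with the IOCs SentinelOne published, since a run-only script inside a cracked installer is exactly the shape of the OSAMiner first stage.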
Stokes and the SentinelOne team hope that by finally cracking the mystery surrounding this campaign and by publishing IOCs, other macOS security software providers will now be able to detect OSAMiner attacks and help protect macOS users.

“Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis,” Stokes concluded in his report yesterday.

In the same report, Stokes wrote: “In this case, we have not seen the actor use any of the more powerful features of AppleScript that we’ve discussed elsewhere, but that is an attack vector that remains wide open and which many defensive tools are not equipped to handle.”

Other headlines in this digest:

- December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat
- Adversary Infrastructure Report 2020: A Defender’s View
- Introducing – the first website ‘exclusively dedicated’ to revealing security vulnerabilities in malware
- Windows 10 bug corrupts your hard drive on seeing this file’s icon
- Misconfigurations in Spring Data projects could leave web apps open to abuse
- Microsoft fixes Defender zero-day in January 2021 Patch Tuesday
- macOS malware used run-only AppleScripts to avoid detection for five years
- Data breach at New Zealand’s Reserve Bank after third-party service hack
- Ubiquiti urges password reset in response to third-party breach
- Police took down DarkMarket, the world’s largest darknet marketplace
- What happens when a Chrome extension with 2m+ users changes hands, raises red flags, doesn’t document updates? Let’s find out.
- Ryuk ransomware Bitcoin wallets point to $150 million operation
- Some ransomware gangs are going after top execs to pressure companies into paying
- Google reveals sophisticated Windows and Android hacking operation
- CISA: Hackers bypassed MFA to access cloud service accounts

Mimecast says hackers abused one of its certificates to access Microsoft accounts

Yet another supply chain attack… A “sophisticated threat actor” stole digital certificates from the email management company Mimecast. They allowed attackers to access some clients’ Microsoft 365 accounts. Mimecast is investigating the hack after Microsoft noticed it and notified them.