![]() The researchers say that once the malware has compromised a macOS device, it will seek to kill several processes, including Activity Monitor, which prevents the user from inspecting resource usage. A script that downloads and sets up XMR-STAK-RX, a free, open-source monero RandomX miner software package.An anti-analysis AppleScript to perform evasion tasks from certain consumer-level monitoring and cleanup tools.A parent script for gathering the device serial number and for killing all the running processes in the device.A script to ensure persistence for the parent script.Once those embedded scripts were decompiled, the researchers determined the malware uses four methods to execute the run-only AppleScript: The Sentinel Labs team found the malware authors had embedded additional characters to obfuscate its processes. To decompile the malicious malware scripts, Sentinel Labs researchers had to use a relatively lesser-known AppleScript-disassembler project and another custom tool developed by the security firm. ![]() OSAMiner uses run-only AppleScripts to make reverse-engineering of its code difficult, the researchers say. "Recent versions of macOS.OSAMiner add greater complexity by embedding one run-only AppleScript inside another, further complicating the already difficult process of analysis." Security Evasion "In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques," says Phil Stokes, a threat researcher at Sentinel Labs. OSAMiner's operators released the latest version of the cryptominer in 2020, but researchers only recently discovered the enhancements, according to the researchers' report. The malware now uses multiple versions of AppleScript - a scripting language used in macOS devices - to support obfuscation. OSAMiner, which has been active since 2015, has been distributed through hacked video games, such as League of Legends, as well as compromised versions of software packages, including Microsoft Office for macOS, Sentinel Labs says. The latest iteration uses new techniques to help prevent detection by security tools, the researchers report. See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases An AppleScript feature designed to compress scripts into pre-compiled form has allowed bad actors to evade security researchers for years.Sentinel Labs researchers have identified an updated version of the cryptominer OSAMiner that targets the macOS operating system to mine for monero. This cryptominer Trojan spread unchecked for some five years. So-called run-only scripts-what we might today call “bytecode”-are poorly documented and difficult to analyze. So it’s hard to extract indicators of compromise out of malware obfuscated by them. What can DevOps learn from this? In this week’s Security Blogwatch, we learn lessons (not “learnings”). Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: What everyone really wants. What’s the craic? Ionut Ilascu reports- Mac malware uses 'run-only' AppleScripts to evade analysis: A cryptocurrency mining campaign … is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it. Has been in the wild since at least 2015. ![]() Yet analyzing it is difficult because … it embeds a run-only AppleScript into another script and uses URLs in public web pages to download the actual … payloads. Run-only AppleScript … makes decompiling them into source code a tall order. MACOS MALWARE YEARS USED RUNONLY DETECTION CODE ![]() … Security researchers at SentinelOne … were able to reverse engineer some samples they collected by using a lesser-known AppleScript disassembler (Jinmo’s applescript-disassembler) and a decompiler tool developed internally.Īnd Catalin Cimpanu adds- macOS malware used run-only AppleScripts to avoid detection for five years: A sneaky malware operation … used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. ![]() Named OSAMiner, the malware has been distributed in the wild since at least 2015. "OSAMiner has been active for a long time and has evolved in recent months," a SentinelOne spokesperson. MACOS MALWARE YEARS USED RUNONLY DETECTION CODE. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |