For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week. “OSAMiner has been active for a long time and has evolved in recent months,” a SentinelOne spokesperson told ZDNet in an email interview on Monday. “From what data we have it appears to be mostly targeted at Chinese/Asia-Pacific communities,” the spokesperson added. The malware has also evolved recently and has primarily targeted users in China and Asia-Pacific.

But the cryptominer did not go entirely unnoticed.

Nested run-only AppleScripts, for the win!

When users downloaded the affected apps, an AppleScript would be downloaded which would run a second AppleScript, which would, in turn, download a third AppleScript. to retrieve the entire malware code that uses nested Run-Only AppleScript.

SentinelOne noted that run-only AppleScripts are rarely used for macOS malware, but OSAMiner showed that they are incredibly powerful for malicious intents and can be used to remain hidden from detection. These “run-only” AppleScripts made it easier for OSAMiner to avoid detection over the years:

Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis.

In this case, we have not seen the actor use any of the more powerful features of AppleScript that we’ve discussed elsewhere, but that is an attack vector that remains wide open and which many defensive tools are not equipped to handle. In the event that other threat actors begin picking up on the utility of leveraging run-only AppleScripts, we hope this research and the tools discussed above will prove to be of use to analysts.

Now that OSAMiner has been detected and its complex architecture has been reverse engineered, it will help other researchers in finding any other hidden “run only” AppleScript malware. To keep yourself safe from such malware, make sure that you only download apps from trustworthy sources.

Read the original article: macOS malware used run-only AppleScripts to avoid detection for five years

When we think about security on macOS and the tools used by offensive actors, whether those are real in-the-wild attacks or red team exercises, we tend to think of things like Python scripts, shell scripts, malicious documents, shady extensions and, of course, the fake, doctored or trojan application bundle. There is much less attention in the security field on AppleScript – a built-in macOS technology – despite the fact it’s been around for as long as Python and predates macOS 10 itself by 8 or 9 years.

As I’ll show in this post, AppleScript is widely used by offensive actors. This includes its use in adware, its use for tasks such as persistence, anti-analysis, browser hijacking, spoofing and more. Worryingly, given the lack of attention paid to AppleScript in the research community, that is all without even leveraging some of AppleScript’s most powerful or unique features, some of which we’ll cover below (others I’ve written about before here).

Why Have the Good Guys Ignored AppleScript?

The purveyors of such arguments typically make a big deal of trying to undermine any argument that security is an issue on macOS by claiming that malware on