Red Siege Information Security, January 12, 2021

The malware has been distributed in the wild since at least 2015 and has been named OSAMiner. It is disguised in pirated (cracked) games and software like League of Legends and Microsoft Office for Mac, according to SentinelOne, a security firm which published a report this week. OSAMiner has been active for a while and has evolved in recent times, according to a SentinelOne spokesperson. From the data collected, it seems that it mostly attacked people in Chinese and Asia-Pacific communities.

Not too invisible

However, the crypto miner did not completely avoid detection. Back in August and September 2018, two Chinese security firms analyzed an older version of the malware. However, the reports written after this were not very detailed and did not capture the full extent of OSAMiner's capabilities. The reason was that the researchers were unable to retrieve the malware's full code. At the time it used nested run-only AppleScript files to retrieve its malicious code across different stages. When the users installed their pirated software, the disguised installers would download and run a run-only AppleScript. It would then download and run a second run-only AppleScript, and then a third and final one. Because a run-only AppleScript is received in a compiled state (the source code is not readable by humans), the security researchers' analysis was not easy.

Phil Stokes, a macOS malware researcher at SentinelOne, has published the attack's full chain, with past and present OSAMiner campaigns and IOCs (Indicators of Compromise). The hope for this team of researchers is that they can crack the mystery around this clever malware.

In the last five years (perhaps more), macOS users have been targeted by a sneaky malware operation which used a clever trick, making it virtually invisible, while hijacking hardware resources on infected machines to mine cryptocurrency. SentinelOne macOS malware researcher Phil Stokes has published a detailed report. It reveals the full chain of this attack, along with Indicators of Compromise (IOCs) of past and newer OSAMiner campaigns.

"Mac malware OSAMiner has released a variant that uses multiple 'run-only' AppleScripts, making it difficult to detect and analyze."

How did the malware infect and spread on an Apple macOS computer?

As piracy is common in Southeast Asia, the malware was quite active in these regions. It seems the creators of the malware obtained different variants of pirated software and injected the malware inside. Incidentally, the malware's initial size was quite small.

As users installed the pirated software, the malware installer would silently download and run a run-only AppleScript. This script would silently download and run a second run-only AppleScript, and then a third and final run-only AppleScript. Apparently, the third AppleScript contained the actual OSAMiner malware, or "payload".

Incidentally, security researchers weren't able to retrieve the malware's entire code when they had sensed its activities back in 2018. This was because the malware used nested run-only AppleScript files to retrieve its malicious code across different stages. Run-only AppleScripts arrive in a compiled state; in other words, the source code isn't human-readable. Although a heightened security measure, this makes analysis a lot harder for external or third-party security researchers.

As mentioned earlier, the OSAMiner malware creators depended heavily on the distribution, download, and widespread use of illegally obtained and cracked software. However, it is quite clear that using pirated software will ensure the malware continues to have vulnerable Apple macOS computers.

OSAMiner hijacked the hardware resources of infected users to mine cryptocurrency. The creators of the malware used processes that were specifically designed to evade detection and analysis by security researchers. According to security researchers, the OSAMiner malware was distributed inside pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac.

"SentinelOne analyses the OSAMiner macOS cryptocurrency-mining malware that, thanks to its use of run-only AppleScripts, stayed under the radar for a long time, and also open-sources the AEVT decompiler tool."

The distribution has been active since at least 2015, indicated security firm SentinelOne in a report published this week. "OSAMiner has been active for a long time and has evolved in recent months. From what data we have it appears to be mostly targeted at Chinese/Asia-Pacific communities." Named OSAMiner, the malware has been distributed in the wild since at least 2015, disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac.