For more than five years, macOS users have been the target of a sneaky malware operation that used a clever trick to evade detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

Named OSAMiner, the malware has been distributed in the wild since at least 2015, disguised as pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report released this week.

But the cryptominer hasn’t gone entirely unnoticed. SentinelOne said two Chinese security companies spotted and analyzed older versions of OSAMiner in August and September 2018, respectively.

But their reports only scratched the surface of what OSAMiner is capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday.

The main reason was that security researchers weren’t able to recover the full code of the malware back then, which used embedded run-only AppleScript files to retrieve its malicious code at various stages.

As users installed the pirated software, the booby-trapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, which in turn downloaded and ran a third run-only AppleScript.

Because a “run-only” AppleScript is shipped in a compiled state in which the source code is not human readable, this made analysis more difficult for security researchers. Nested AppleScripts, for the win!

Yesterday, Stokes released the full chain of this attack, along with Indicators of Compromise (IOCs) from past and recent OSAMiner campaigns.

Stokes and the SentinelOne team hope that by finally solving the mystery surrounding this campaign and issuing IOCs, other macOS security software vendors will now be able to detect OSAMiner attacks and help protect macOS users.

“In this case, we haven’t seen the actor use any of AppleScript’s most powerful features we’ve discussed elsewhere. It may be that run-only AppleScripts were used only for evasion and anti-analysis,” Stokes concluded in his report yesterday.

“Runtime-only AppleScripts are surprisingly rare in the macOS malware world, but the longevity and lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful it is.”

“OSAMiner has been active for a long time and has evolved in recent months,” said a spokesperson for SentinelOne. “From the data we have, it appears to be primarily aimed at Chinese / Asia-Pacific communities,” the spokesperson added.

IOCs are available in the SentinelOne OSAMiner report, here.

[Image: Dropped app bundles and the malicious AppleScript file.]

… but it is an attack vector that remains wide open and that many defensive tools are not equipped to handle.

An effort to reverse-engineer malicious AppleScript has led to the creation of a tool to analyze run-only malware targeting the Mac operating system, undermining a common…

Xcode is an integrated development environment (IDE) used in macOS for developing Apple-related…
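As an added example (not code from SentinelOne’s report or from the article), here is a small triage scan a responder could run over a mounted disk image or an unpacked installer: it walks a directory tree and reports every file whose first bytes are the compiled-AppleScript magic `FasdUAS`, which is the form in which run-only scripts like OSAMiner’s stages are shipped. It matches on content rather than file extension, so a compiled script renamed to hide its type is still reported. The magic value is taken as an assumption for this example, and the sample tree (file names and contents) is constructed in a temporary directory purely to exercise the scanner.

```python
"""
Triage helper: find compiled AppleScript files (the form run-only scripts
are delivered in) under a directory tree, so a responder can pull them for
analysis even though their source is not human readable.

Added example; not code from SentinelOne or the report. Assumption: compiled
AppleScript (.scpt) files start with the ASCII magic "FasdUAS".
"""
import os
import tempfile

# Magic bytes at the start of a compiled AppleScript file (assumption, see above).
COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS"


def is_compiled_applescript(header: bytes) -> bool:
    """Return True if the given leading bytes look like a compiled AppleScript."""
    return header.startswith(COMPILED_APPLESCRIPT_MAGIC)


def find_compiled_applescripts(root: str):
    """Walk `root` and return sorted relative paths of files whose header matches.

    Only the first few bytes of each file are read, so large or unrelated files
    cost almost nothing, and unreadable files are skipped rather than aborting
    the scan. The check is by content, not by extension: a run-only script
    renamed to hide its type is still found, while a plain-text file carrying
    an .scpt name is not reported.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(len(COMPILED_APPLESCRIPT_MAGIC))
            except OSError:
                continue
            if is_compiled_applescript(header):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Build a constructed sample tree, scan it, and return the relative hits."""
    samples = {
        # Constructed stand-in for a compiled (run-only) script; only the header matters.
        "Payload.app/Contents/Resources/stage1.scpt": b"FasdUAS 1.101.10\x0e\x00\x00\x00",
        # Same header but no extension, as a renamed drop would look on disk.
        "Library/Application Support/.cache/update": b"FasdUAS 1.101.10\x0e\x00\x00\x00",
        # Plain-text AppleScript source: readable, so not a run-only script.
        "Desktop/notes.applescript": b'display dialog "hello"\n',
        # Empty file: shorter than the magic, must not raise.
        "Desktop/empty.scpt": b"",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return find_compiled_applescripts(root)


if __name__ == "__main__":
    for hit in demo():
        print("compiled AppleScript:", hit)
```

Point `find_compiled_applescripts` at a user’s home directory, an app bundle or an unpacked installer to get a list of candidates to collect. On macOS, running `osadecompile` on a hit prints the source for a normally compiled script but fails for a run-only one, which is itself a useful triage signal: a compiled script that refuses to decompile and sits somewhere a cracked installer dropped it deserves a closer look.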