![]() It is called several times throughout the script, and is used to deobfuscate hex strings throughout the script. One of the most interesting functions found right away is the decoding function built into the script. Now that we have both the parent script and the embedded script, we can work on disassembling them, to see what each does. This is a new trick for OSAMiner, compared to previous versions we have seen, and makes automated analysis of the malware even more difficult. That, combined with the knowledge of Apple's magic strings at the beginning and end of an AppleScript, allow us to identify the second run-only AppleScript hidden in this file. This file is a little more difficult to analyze, however, a little digging will uncover some hex code in this file. This line is using do shell script to call the com.apple.4V.plist script in the ~/Library/LaunchAgents/ directory.Īs it turns out, com.apple.4V.plist is not a Property List file, but a run-only AppleScript file. However, line 13 is what is especially interesting in this script, because it starts us down the path to truly analyzing this malware. The repeated use of osascript is highly unusual, which draws attention here, and also gives us the name OSAMiner as this is using Open Scripting Architecture scripts to accomplish its goals. The array in lines 10-14 is very telling. This file is simple, but gives away a key file used in these cryptojacking attacks. plist file extension, only one is a legitimate Property List file, so we'll start there. While several of the files associated with OSAMiner are Property List files, with the. Hopefully, other macOS malware campaigns hinging on similar trickery will no longer be hiding in plain sight so efficiently down the road.Analysis of the Embedded Run-Only AppleScript With the new detection method in analysts’ toolkit, this cryptominer will likely become more detectable across the AV spectrum. It turns out that OSAMiner operators have recently switched to a tactic where one run-only AppleScript file is embedded in another – as if the one-step obfuscation hadn’t been effective enough for years. They used a mix of a publicly available AppleScript disassembler and their proprietary decompiler solution to unearth the architecture of the sneaky malware. The silver lining is that experts at SentineLabs have found a way to overcome this obstacle. It’s all about the use of run-only AppleScripts, a mechanism that makes it extremely problematic to reverse-engineer code because it’s deeply compiled and isn’t human-readable. Whereas these are vanilla hallmarks seen across the mainstream cryptominer environment, one characteristic makes OSAMiner stand out from the crowd. Having infiltrated a macOS computer, it gobbles up CPU resources, causes the system to freeze, and keeps victims from opening the Activity Monitor. It has been primarily doing the rounds via booby-trapped copies of pirated applications that run the gamut from popular video games to the Mac edition of the Microsoft Office suite. OSAMiner – a mysterious strain with obfuscation at its coreĪccording to a number of earlier reports by Chinese researchers, the cryptominer under scrutiny debuted in 2015. These latest insights into the pest’s modus operandi showed that it had taken a significant evolutionary leap in the past few months. This quirk had prevented security experts from reversing the code until January 2021, when SentinelOne made a breakthrough in disassembling and decompiling the malware. Its uniqueness stems from the use of what’s called run-only AppleScript files to download and execute the dodgy components. ![]() These would have been garden-variety findings if it weren’t for the fact that the infection has been playing a hide-and-seek game with researchers since around 2015. White hats have demystified a five-year-old Mac cryptomining campaign that hinges on a hugely unorthodox technique to fly under the radar.Īnalysts at cybersecurity firm SentinelOne have recently shed light on a long-running macOS cryptomining malware strain codenamed OSAMiner.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |