![malware used runonly applescripts to avoid malware used runonly applescripts to avoid](https://img.bhs4.com/C3/C/C3CCC426AD1BC2F8DA806B7E555D3D6977F7F2D2_large.jpg)
- #Malware used runonly applescripts to avoid zip file#
- #Malware used runonly applescripts to avoid manual#
- #Malware used runonly applescripts to avoid software#
- #Malware used runonly applescripts to avoid download#
SentinelOne said that two Chinese security firms spotted and analyzed older versions of the OSAMiner in August and September 2018, respectively. But the cryptominer did not go entirely unnoticed.
#Malware used runonly applescripts to avoid software#
Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week. The post Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection appeared first on VMRay.An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.
![malware used runonly applescripts to avoid malware used runonly applescripts to avoid](https://4.bp.blogspot.com/-iRL3Gxbu2tI/WNs5AcMl6HI/AAAAAAAAECs/IwAtyxHOUtEt4A0zC7MEh-_cyZuhzrPVgCLcB/s1600/image14.png)
Hxxp://ondayoncom:8080/ondayon.png (possibly backup URL)ĪV Detection Script embedded in First Stage 360 And for deeper analysis, the second and third stages are visible and available from the VMRay Analyzer Report.
#Malware used runonly applescripts to avoid manual#
Within 2 minutes of analysis time, analysts can see a majority of the sample’s behavior, compared to hours of manual reverse engineering. Running the sample in VMRay gives analysts an immediate view into the key behaviors, characteristics, and IOCs. This file type won’t have a problem running on a victim’s machine but it is difficult for security teams to analyze because of the inherent obfuscation and limited tooling available. In addition, the second stage uses the system tool “caffeinate” to prevent the machine from going to sleep while the first stage will continuously query the running processes for common AV programs using the ps command: sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk ''Īll of these actions are performed using sub-processes so they can be observed in the process graph and process overview.Īs we can see, this sample uses a different kind of evasion, using a rather uncommon file type, a compiled AppleScript, disguised as a PLIST file.
#Malware used runonly applescripts to avoid zip file#
The third stage is a zip file containing two dynamic libraries (dylibs) and finally a Mach-O binary, again disguised as a PLIST which can be clearly seen in the Files Tab.
#Malware used runonly applescripts to avoid download#
![malware used runonly applescripts to avoid malware used runonly applescripts to avoid](https://cdn.ithinkdiff.com/wp-content/uploads/2021/01/OSAMiner-600x314.jpg)
The second stage is another compiled AppleScript stored at ~/Library/11.png. The second one might be a fallback or used by another variant of the family. Interestingly, there are two URLs that were returned. The first request to budaybu100001com:8080 returns the second-stage URL embedded in the string “-=-=-=” as a marker. The Network Tab shows multiple C2 connections. Now we can dig deeper into each of these characteristics. From the Overview Tab, we can see the main behaviors of the sample including network connectivity, file dropping behavior, and system information gathering. Straight away, we see that a number of VMRay Threat Identifier (VTI) rules hit and the sample is classified as malicious. The “com.apple.4V.plist” file is placed in ~/Library/LaunchAgents by the original dropper and disguised as a Property list configuration file (PLIST) while it is in fact a compiled AppleScript. Note, at the time of analysis this sample of OSAMiner had a 2/60 detection rate on VirusTotal. In this Malware Analysis Spotlight, we will showcase the key behaviors identified during the dynamic analysis. We analyzed one of the latest samples “ com.apple.4V.plist” using VMRay Analyzer. In 2020, the SentinelLabs Team discovered that the malware authors were evolving their evasion techniques, adding more complexity by embedding one run-only AppleScript inside another. The authors of macOS.OSAMiner used run-only AppleScripts which made attempts at further analysis more difficult. This week the team at SentinelLabs released an in-depth analysis of macOS.OSAMiner, a Monero mining trojan infecting macOS users since 2015.