Serafim
macOS users have been targeted for at least five years by the OSAMiner malware, which evaded detection through its use of AppleScript.
macOS computers have long been abused by criminals for covert cryptocurrency mining. According to cybersecurity researchers at SentinelOne, the OSAMiner program managed to avoid detection for five years.
The malware, named OSAMiner, appeared on the network no later than 2015. It was distributed inside pirated (cracked) games and other software, including League of Legends and Microsoft Office for Mac.
According to available data, OSAMiner has mainly targeted China and the Asia-Pacific region. Its activity there did not go entirely unnoticed: in August and September 2018, two Chinese firms discovered and analyzed older versions of OSAMiner. Their reports, however, did not give a complete picture of OSAMiner's capabilities, said Phil Stokes, a macOS malware researcher at SentinelOne.
SentinelOne's analysis revealed the reason for those difficulties: OSAMiner loads its code in several pieces, using chained AppleScript files saved as run-only. A run-only AppleScript is compiled so that it can be executed as an application but cannot be opened in the editor, which hides its source code from analysts.
Stokes and the SentinelOne team hope that publishing the full attack chain, along with indicators of compromise (IOCs) for old and new versions of OSAMiner, will help macOS security vendors detect such attacks and protect macOS users from them.