They used a mix of a publicly available AppleScript disassembler and their proprietary decompiler solution to unearth the architecture of the sneaky malware. The silver lining is that experts at SentineLabs have found a way to overcome this obstacle.
#Macos malware years used runonly applescripts code#
It’s all about the use of run-only AppleScripts, a mechanism that makes it extremely problematic to reverse-engineer code because it’s deeply compiled and isn’t human-readable.
Whereas these are vanilla hallmarks seen across the mainstream cryptominer environment, one characteristic makes OSAMiner stand out from the crowd. Having infiltrated a macOS computer, it gobbles up CPU resources, causes the system to freeze, and keeps victims from opening the Activity Monitor.
It has been primarily doing the rounds via booby-trapped copies of pirated applications that run the gamut from popular video games to the Mac edition of the Microsoft Office suite. OSAMiner – a mysterious strain with obfuscation at its coreĪccording to a number of earlier reports by Chinese researchers, the cryptominer under scrutiny debuted in 2015. These latest insights into the pest’s modus operandi showed that it had taken a significant evolutionary leap in the past few months. This quirk had prevented security experts from reversing the code until January 2021, when SentinelOne made a breakthrough in disassembling and decompiling the malware. Its uniqueness stems from the use of what’s called run-only AppleScript files to download and execute the dodgy components.
These would have been garden-variety findings if it weren’t for the fact that the infection has been playing a hide-and-seek game with researchers since around 2015. White hats have demystified a five-year-old Mac cryptomining campaign that hinges on a hugely unorthodox technique to fly under the radar.Īnalysts at cybersecurity firm SentinelOne have recently shed light on a long-running macOS cryptomining malware strain codenamed OSAMiner.
0 kommentar(er)
