MacOS Malware Used Run-Only AppleScripts To Prevent Detection For Five Years (Slashdot)
A confidential reader prices estimate a report from ZDNet: For more than five years, macOS users have been the targets of a sly malware operation that used a clever technique to prevent detection and pirated the hardware resources of contaminated users to mine cryptocurrency behind their backs. Called OSAMiner, the malware has been dispersed in the wild since a minimum of 2015 camouflaged in pirated (broken) video games and software application such as League of Legends and Microsoft Workplace for Mac, security firm SentinelOne stated in a report published this week. But the cryptominer did not go completely undetected. SentinelOne stated that 2 Chinese security firms spotted and evaluated older versions of the OSAMiner in August and September 2018, respectively. But their reports only scratched the surface area of what OSAMiner can, SentinelOne macOS malware scientist Phil Stokes stated the other day. The main factor was that security scientists weren’t able to retrieve the malware’s whole code at the time, which utilized nested run-only AppleScript files to retrieve its harmful code across different phases. As users installed the pirated software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, and then another last third run-only AppleScript. Considering that “run-only” AppleScript be available in a compiled state where the source code isn’t human-readable, this made analysis harder for security researchers.