For 5 years, the macOS OSAMiner malware gave security researchers a hard time. First seen in 2015, it has finally been analysed by the company SentinelOne. Why the 5-year wait? Because the malware's authors had found a way to hinder analysis: they distribute the payload as run-only AppleScript scripts.

No readable version of the script

In run-only mode, only the compiled binary form of the script is shipped; the source text is not included. With no readable version of the script, understanding what it does becomes very difficult. So although the malware was found in 2018, researchers could not dissect it in detail. It was detected because of its activity: mining cryptocurrency. That activity consumes a great deal of processor time, and users were surprised at how slow their Macs had become.

A newer variant of the malware makes analysis even harder by using no fewer than three run-only scripts, nested inside each other like Russian dolls. To mine cryptocurrency, the attackers use an open-source Monero mining program that runs on Windows, Linux, or macOS.
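The two detection clues the article gives are an abnormally high CPU load and a payload launched through AppleScript (the `osascript` interpreter) rather than a normal application. The following script is an added example, not code from the original article or from SentinelOne's report: it parses a constructed snapshot of `ps -Ao pid,ppid,%cpu,comm` output, flags processes above a CPU threshold, and walks each flagged process's parent chain to see whether it was spawned by `osascript`. The column layout, the 80% threshold and all process names and paths in the sample are assumptions made for the example.

```python
"""Flag high-CPU processes that were launched from an AppleScript interpreter.

Added example for triage on macOS; it is not the malware's code and not
SentinelOne's tooling. Assumes the column order of `ps -Ao pid,ppid,%cpu,comm`.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ps -Ao pid,ppid,%cpu,comm`; every name and path here is
# made up for the example, not an indicator of compromise.
SAMPLE_PS_OUTPUT = """\
  PID  PPID  %CPU COMM
    1     0   0.1 /sbin/launchd
  412     1   2.3 /Applications/Safari.app/Contents/MacOS/Safari
  733     1   0.4 /usr/bin/osascript
  741   733  97.8 /Users/demo/Library/Caches/example-payload
  902   412   1.0 /Applications/Safari.app/Contents/MacOS/Safari Helper
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    cpu: float
    comm: str


def parse_ps(text: str) -> list[Proc]:
    """Parse ps output into Proc records, skipping the header line."""
    procs = []
    for line in text.splitlines():
        # comm may contain spaces, so split only the first three columns.
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "PID":
            continue
        pid, ppid, cpu, comm = parts
        procs.append(Proc(int(pid), int(ppid), float(cpu), comm))
    return procs


def ancestors(pid: int, by_pid: dict[int, Proc]) -> list[Proc]:
    """Return the parent chain of `pid`, nearest parent first."""
    chain: list[Proc] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)  # guard against cycles in a corrupted snapshot
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def find_suspicious(procs: list[Proc], cpu_threshold: float = 80.0,
                    interpreter: str = "osascript") -> list[dict]:
    """Flag processes above `cpu_threshold` and note whether an AppleScript
    interpreter sits anywhere in their parent chain."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.cpu < cpu_threshold:
            continue
        launcher: Optional[Proc] = next(
            (a for a in ancestors(p.pid, by_pid)
             if a.comm == interpreter or a.comm.endswith("/" + interpreter)),
            None,
        )
        hits.append({
            "pid": p.pid,
            "cpu": p.cpu,
            "comm": p.comm,
            "spawned_by_osascript": launcher is not None,
            "launcher_pid": launcher.pid if launcher else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_ps(SAMPLE_PS_OUTPUT)):
        print(hit)
```

A single `ps` snapshot only shows instantaneous load; in practice you would sample several times and keep processes that stay above the threshold, since a legitimate build or video export also spikes CPU briefly. The `osascript` ancestry check is what separates a miner dropped by a run-only AppleScript from an ordinary busy application.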

Nevertheless, SentinelOne researchers were able to reverse engineer a few samples of the malware using an AppleScript disassembler and an in-house decompilation tool. In a detailed report, the researchers provide substantial information about the malware, as well as Indicators of Compromise (IOC) that will make it easier to spot.

OSAMiner is spread through pirated games and software, such as League of Legends and Microsoft Office. It is mainly active in China and other Asian countries.

Source: ZDNet