As users installed the pirated software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, and then another final third run-only AppleScript. The primary reason was that security researchers weren't able to retrieve the malware's entire code at the time, which used nested run-only AppleScript files to retrieve its malicious code across different stages. It reveals the full-chain of this attack, along. SentinelOne macOS malware researcher Phil Stokes has published a detailed report. Apparently, the third AppleScript contained the actual OSAMiner malware or payload. 'The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a. This script would silently download and run a second run-only AppleScript, and then another final third run-only AppleScript. But their reports only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday. The operators of the XCSSET macOS malware have upped the stakes by making iterative improvements that add support for macOS Monterey by upgrading its source code components to Python 3. Rather, AppleScript Studio is an umbrella name for a huge.
SentinelOne said that two Chinese security firms spotted and analyzed older versions of the OSAMiner in August and September 2018, respectively. Not because its not a great way to create fully featured Mac OS X applications, because it is. The Malware is tracked as OSAMiner and has been in the wild since at least 2015. But the cryptominer did not go entirely unnoticed. MacOS Cryptominer Use Malicious Run-Only AppleScripts to Avoid Detection.
Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week. An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis, Stokes concluded in his report yesterday.