OSAMiner has been active for a long time and has evolved in recent months. The distribution has been active since at least 2015, security firm SentinelOne indicated in a report published this week. SentinelOne's analysis of the OSAMiner macOS cryptocurrency-mining malware, which stayed under the radar for a long time thanks to its use of run-only AppleScripts, also open-sources the AEVT decompiler tool. According to security researchers, the OSAMiner malware was distributed inside pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac. The creators of the malware used processes that were specifically designed to evade detection and analysis by security researchers. OSAMiner hijacked the hardware resources of infected users to mine cryptocurrency.

Files and indicators mentioned:
- Mach-O XMR-Stak miner, dropped at ~/Library/Caches//ssl4
- SHA256: 24cd2f6c4ad6411ff4cbb329c07dc21d699a7fb394147c8adf263873548f2dfd
- Dropped as ~/Library/11.png for miner configuration and downloader
- Also wodaywo.scpt when not disguised as a

While several of the files associated with OSAMiner are Property List files, with the .plist file extension, only one is a legitimate Property List file, so we'll start there. This file is simple, but gives away a key file used in these cryptojacking attacks. The array in lines 10-14 is very telling. The repeated use of osascript is highly unusual, which draws attention here, and also gives us the name OSAMiner, as this is using Open Scripting Architecture scripts to accomplish its goals. However, line 13 is what is especially interesting in this script, because it starts us down the path to truly analyzing this malware. This line uses do shell script to call the com.apple.4V.plist script in the ~/Library/LaunchAgents/ directory.

As it turns out, com.apple.4V.plist is not a Property List file, but a run-only AppleScript file. This file is a little more difficult to analyze; however, a little digging will uncover some hex code in this file. That, combined with the knowledge of Apple's magic strings at the beginning and end of an AppleScript, allows us to identify the second run-only AppleScript hidden in this file. This is a new trick for OSAMiner, compared to previous versions we have seen, and makes automated analysis of the malware even more difficult.

Now that we have both the parent script and the embedded script, we can work on disassembling them to see what each does. One of the most interesting functions found right away is the decoding function built into the script. It is called several times throughout the script and is used to deobfuscate hex strings. This logic has been utilized in a decompiler that allows a final full review of the files used in this malware. At this point, we have everything we need to review the embedded run-only AppleScript, which is the newest change to OSAMiner.

[Figure: OSAMiner - code capture 2]
SHA-256: df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8

Analysis of the Embedded Run-Only AppleScript

While the encode and decode functions from the parent file are present, as is the nameless 'main' function, one of the most notable changes is the 'kPro' function, which is there to kill processes. Specifically, the Activity Monitor app and common anti-malware applications are killed using this function. Acronis Cyber Protect is not affected by this functionality and will keep you protected. While the strings here are not completely human readable, another round of decompiling makes the system commands and AEVT, or 'Apple Event', codes much easier to read. From there, it's only a matter of seeing where and how these functions are called to determine exactly what this script is doing. This updated file in particular is designed to help OSAMiner avoid detection.
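As an added example (not code from the original post, nor from SentinelOne or Acronis), the two triage checks the analysis above relies on, written in Python: telling a real property list from a compiled AppleScript that merely carries a .plist name, and locating a second compiled AppleScript hidden as a hex string inside the first. The page does not name Apple's magic strings; this example assumes the "FasdUAS" header that compiled AppleScript files begin with, and the sample parent file is constructed.

```python
import binascii
import re

# Assumed header of compiled (including run-only) AppleScript files; the
# page itself does not name the magic string. Binary plists begin "bplist00".
APPLESCRIPT_MAGIC = b"FasdUAS"
BPLIST_MAGIC = b"bplist00"

# Runs of at least 32 hex digits (16 bytes) are worth trying to decode.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{32,}")


def classify(data: bytes) -> str:
    """Tell a genuine property list from a compiled AppleScript hiding behind a .plist name."""
    if data.startswith(BPLIST_MAGIC):
        return "binary-plist"
    if data.lstrip().startswith(b"<?xml") and b"<plist" in data[:512]:
        return "xml-plist"
    if data.startswith(APPLESCRIPT_MAGIC):
        return "compiled-applescript"
    return "unknown"


def find_embedded_applescripts(data: bytes) -> list:
    """Return (offset, decoded bytes) for every hex run that hides a compiled AppleScript."""
    hits = []
    for m in HEX_RUN.finditer(data):
        run = m.group(0)
        # Try both nibble alignments in case a stray hex digit precedes the blob.
        for shift in (0, 1):
            chunk = run[shift:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]
            decoded = binascii.unhexlify(chunk)
            idx = decoded.find(APPLESCRIPT_MAGIC)
            if idx != -1:
                hits.append((m.start() + shift + 2 * idx, decoded[idx:]))
                break
    return hits


# Constructed sample: a stub "parent" script carrying a hex-encoded second script,
# the way the page describes the embedded run-only AppleScript being stored.
INNER_SCRIPT = APPLESCRIPT_MAGIC + b" 1.101.10" + b"\x0e\x00\x01\x00\x00" + b"run-only stub"
PARENT_FILE = (
    b"FasdUAS 1.101.10 ... set x to \""
    + binascii.hexlify(INNER_SCRIPT)
    + b"\" ... osascript ..."
)

if __name__ == "__main__":
    print(classify(PARENT_FILE))
    for offset, blob in find_embedded_applescripts(PARENT_FILE):
        print(f"embedded compiled AppleScript at byte {offset}: {blob[:16]!r}")
```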