According to the security company SentinelOne, The users macOS has been the target of an insidious malware campaign for over five years. This campaign used a clever trick (run-only AppleScripts) to avoid detection and aimed at mining cryptocurrency from macOS systems of the victims.
The researchers said that malware used in the campaign is called OSAMiner and has been distributed since at least 2015, through pirated (cracked) games and software, such as League of Legends and Microsoft Office for Mac.
"OSAMiner has been active for a long time and has evolved in recent months", Said a representative of SentinelOne to ZDNet.
"From data that we have, seems to target mainly its communities China and Asia-Pacific region", The spokesman added.
Run-only AppleScripts to avoid crawling
As mentioned above, the cryptominer has been distributed since at least 2015. However, according to SentinelOne, two Chinese Companies security identified and analyzed earlier versions of OSAMiner August and September of 2018, respectively.
Their reports, however, were incomplete, as they distinguished only a few features of OSAMiner. This was due in part to the fact that researchers were unable to retrieve the entire malware code at that time.
After installing the pirated software, boobytrapped installers download and run one run-only AppleScript, which downloads and executes a second run-only AppleScript, and then a third.
As the "run-only" AppleScript is in a state where ο source code cannot be read by man, cryptominer analysis is even more difficult.
A SentinelOne investigator has released details of the attack, along with IOC indicators of older and newer OSAMiner campaigns. The research team hopes that by breaking the mystery surrounding this campaign and publishing IOCs, other software providers security macOS will be able to detect and protect OSAMiner attacks users macOS.
"The run-only AppleScripts are amazing rarely in the world of macOS malware, but both the duration (5 years) and the lack of attention in the OSAMiner campaign show just how run-only AppleScripts are strong to avoid detection and analysis", Concluded the researcher.
"In this case, we did not see the attacker use any of the more powerful AppleScript features we have discussed elsewhere. It is, however, one threatening which remains strong as it cannot be handled by many defense tools".