A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant which researchers have had a lot of trouble analyzing. The malware is tracked as OSAMiner and has been in the wild since at least 2015. Analysis has been hard because the payloads are exported as run-only AppleScript files, which makes decompiling them back into source code difficult.
OSAMiner is a typical Trojan that mainly causes system vulnerabilities on PCs to help hackers' remote attacks. Users may not be aware when OSAMiner enters their PCs, and most of the time, even when it begins to have a bad impact on their system, users notice nothing, since OSAMiner specializes in disguise. The trojan normally enters a PC packaged with a third-party application from unknown hostile sites. When a user prepares to install the application and runs the .exe file, the trojan runs itself as well when the application is installed. In this way, OSAMiner secretly lurks on the PC and does harm to everything. This installation may cause regular blue screens of the system and make the PC continually unable to work. Besides, it is the reason for system loopholes. It may terminate protective functions too. Next, no alert(s) may appear when suspicious sites are opened or a virus is infecting. By this time, the virus may be rampant everywhere on the PC and finally crash the entire system.
A recently observed variant makes analysis even more difficult, as it embeds a run-only AppleScript into another script and uses URLs in public web pages to download the actual Monero miner. OSAMiner typically spreads via pirated copies of games and software, League of Legends and Microsoft Office for macOS being among the more popular examples.
The malware has been researched in the past, but the run-only AppleScript file hindered full analysis, limiting it to observing the behavior of the sample. AppleScript files normally include both the source and the compiled code, but enabling "run-only" saves only the compiled version, so the human-readable code is no longer available, thus removing the possibility of reverse engineering.
The recent OSAMiner campaigns use three run-only AppleScript files to deploy the mining process on the infected macOS machine, investigators from SentinelOne have reported:
- a parent script that executes from the trojanized application
- an embedded script
- the miner setup AppleScript
The main role of the parent script is to write the embedded AppleScript to ~/Library/k.plist using a "do shell script" command and execute it. It also checks if the machine has enough free space and exits if there isn't sufficient storage.
Other tasks it runs include collecting the serial number of the device, restarting the 'launchctl' job responsible for loading and unloading daemons or agents, and killing the Terminal application. The researchers say that the main script also sets up a persistence agent and downloads the first stage of the miner from a URL set on a public page.
This first stage is the third run-only AppleScript, downloaded to ~/Library/11.PNG. Its purpose is to download the open-source XMR-Stak Monero miner, which works on Linux, Windows, and macOS.
According to a SentinelOne researcher, the second script is intended to prevent analysis and evade detection. Supporting this conclusion is that it kills Activity Monitor, the equivalent of the Task Manager in Windows, likely to prevent users from checking the system's resource usage. The script is also designed to kill processes belonging to popular tools for system monitoring and cleaning, which it finds by checking a hardcoded list.
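The dropped-file locations and the extension mismatch described above (compiled AppleScript written to ~/Library/k.plist and ~/Library/11.PNG) give a defender something concrete to hunt for. The following is an added example, not code from the article or from SentinelOne: it scans a home directory for those two paths, checks whether each file carries the compiled-AppleScript header regardless of its extension, and flags any user LaunchAgent whose ProgramArguments reference them. The assumption that the persistence agent is a LaunchAgent plist run via osascript is mine, not stated on the page; the sample home directory is constructed in a temp folder.

```python
import plistlib
import tempfile
from pathlib import Path

APPLESCRIPT_MAGIC = b"FasdUAS"  # header of compiled AppleScript (.scpt) files
# Drop locations reported for OSAMiner, relative to the user's home directory
KNOWN_PATHS = ("Library/k.plist", "Library/11.PNG")


def is_compiled_applescript(path) -> bool:
    """True if the file starts with the compiled-AppleScript magic, whatever its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(len(APPLESCRIPT_MAGIC)) == APPLESCRIPT_MAGIC
    except OSError:
        return False


def scan_home(home: Path) -> list:
    """Return human-readable findings for the OSAMiner artifacts under `home`."""
    findings = []
    for rel in KNOWN_PATHS:
        p = home / rel
        if p.exists():
            kind = "compiled AppleScript" if is_compiled_applescript(p) else "unknown content"
            findings.append(f"{rel}: present ({kind})")
    # Assumption: persistence is a user LaunchAgent referencing the dropped files
    agents = home / "Library" / "LaunchAgents"
    if agents.is_dir():
        for plist in sorted(agents.glob("*.plist")):
            try:
                with open(plist, "rb") as f:
                    args = plistlib.load(f).get("ProgramArguments", [])
            except (OSError, plistlib.InvalidFileException):
                continue
            joined = " ".join(str(a) for a in args)
            if any(rel in joined for rel in KNOWN_PATHS):
                findings.append(f"LaunchAgents/{plist.name}: runs {joined}")
    return findings


def demo() -> list:
    """Constructed sample home directory mimicking the artifacts; no real malware involved."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        (home / "Library" / "LaunchAgents").mkdir(parents=True)
        for rel in KNOWN_PATHS:  # both drops are run-only scripts with misleading extensions
            (home / rel).write_bytes(APPLESCRIPT_MAGIC + b"\x00constructed-sample")
        agent = {"Label": "com.example.agent",
                 "ProgramArguments": ["osascript", str(home / "Library" / "k.plist")]}
        with open(home / "Library" / "LaunchAgents" / "com.example.agent.plist", "wb") as f:
            plistlib.dump(agent, f)
        return scan_home(home)
```

Point `scan_home` at a real home directory to run the same checks on a live system; a file named .plist or .PNG that begins with the AppleScript header is worth pulling for analysis.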
The research team stated that while AppleScript offers more powerful features, the authors of OSAMiner are not currently taking advantage of them. This is likely because the current setup has allowed them to run their cryptocurrency mining campaigns with little resistance from the security community. As the investigators have shown, the technique is not infallible, and researchers have the means to analyze it and prepare defenses against other malware that may choose to use it.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are key to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949