[HN Gopher] macOS malware used run-only AppleScripts to avoid de...
___________________________________________________________________
macOS malware used run-only AppleScripts to avoid detection for
five years
Author : abawany
Score : 94 points
Date : 2021-01-15 18:25 UTC (4 hours ago)
(HTM) web link (www.zdnet.com)
(TXT) w3m dump (www.zdnet.com)
| saagarjha wrote:
| > Since "run-only" AppleScript come in a compiled state where the
| source code isn't human-readable, this made analysis harder for
| security researchers.
|
| Surely no more difficult than your average malware binary blob?
| _the_inflator wrote:
| MalwarehunterTeam on Twitter regularly posts analysis of
| machine code, so yes. Very true.
| meibo wrote:
| It's a custom bytecode, so it's definitely harder than just
| throwing it into a disassembler - you have to understand the VM
| it runs in, and depending on how it's implemented, that can be
| a _whole other_ skill set - especially since AppleScript
| bytecode seems to be mostly undocumented.
|
| If you're an experienced security researcher, you'll get there
| of course, but definitely not a thing you press F5 at in IDA
| and go "ah yes, that's how it works".
| lilyball wrote:
| A run-only AppleScript shouldn't be fundamentally any harder to
| detect than any other form of compiled binary. Does this just
| mean that security researchers and antivirus tools simply haven't
| paid attention to run-only AppleScripts as a vector worth
| investigating?
| nneonneo wrote:
| "Run-only" AppleScript is compiled to a bytecode format that is
| very poorly documented. In 2017, I released a CTF reverse-
| engineering challenge called Scriptabble, in which contestants
| had to understand a compiled AppleScript file which very slowly
| computed a flag, then fix or reimplement the algorithm to compute
| it faster.
|
| Teams generally solved it by reverse engineering the AppleScript
| runtime to understand the VM bytecode; one writeup is here:
| https://twitter.com/_niklasb/status/856594863294472193
|
| So, I guess I can't be too surprised that run-only AppleScript
| ended up as a good malware vector - it's so poorly documented,
| and there are so few tools to understand it, that it could easily
| fly under the radar.
| chairmanwow1 wrote:
| I have to compliment you on the design of this challenge. That
| sounds really hard (but also really fun).
|
| How'd it go?
| wtfiswiththis wrote:
| Anyone remember the "Macs don't need antivirus" answer on Apple's
| FAQ from years ago?
| TazeTSchnitzel wrote:
| Does this evade Gatekeeper?
| afrcnc wrote:
| Yes, apparently.
| hundchenkatze wrote:
| Yes if it's compiled as a standalone script or script bundle
| and then run using osascript.
|
| You can also compile osa scripts into .app bundles; since these
| are new, standalone apps, they need to have a valid signature.
| larrik wrote:
| > since at least 2015 disguised in pirated (cracked) games and
| software such as League of Legends
|
| LoL is free, though. Why would anyone use a pirated/cracked
| version? What would that even mean?
| [deleted]
| michelb wrote:
| There's always people who do not know that and download it
| anyway.
| numpad0 wrote:
| On top of that, there are people who actively _avoid official
| distribution_, thinking e.g. anything should come through a
| middle man. Diversity is weird.
| jedberg wrote:
| I think this is just poorly written, and what they are trying
| to say is the bad actors would add their malware to an LOL
| distro and then redistribute it as "official".
| lmkg wrote:
| Perhaps a "cracked" version can either use unofficial servers,
| or permits/includes cheating mods?
| na85 wrote:
| >Why would anyone use a pirated/cracked version?
|
| Doesn't even have to be pirated or cracked. ESEA put
| surreptitious bitcoin miners into their installer/client
| software back in 2013.
|
| Greed talks.
| jedberg wrote:
| Doesn't "run-only" just mean "compiled"?
| jandrese wrote:
| In this case yes. From the headline I thought there was some
| kind of weird Apple permission thing where you could mark a
| binary as unreadable but somehow could still be run to evade
| malware detection, but it seems like this technical article
| author is just unfamiliar with the concept of compiling.
| cbhl wrote:
| It looks like "run-only" is a term-of-the-art in AppleScript,
| since that label appears on the UI that generates such
| binaries.
| hundchenkatze wrote:
| EDIT: Whoops, I misread, I thought you were saying that
| "run-only" was just a flag of sorts.
|
| osacompile[0] does actually produce some form of bytecode
| when you pass the "x" execute-only flag.
|
| Here's a script that opens Safari[1] and the compiled
| output[2].
|
| [0] https://ss64.com/osx/osacompile.html
|
| [1] https://pastebin.com/raw/u94cwDj7
|
| [2] https://pastebin.com/raw/9uuF39jW
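The two hundchenkatze comments above describe the defender-relevant path: a script compiled with `osacompile -x` ships without its source text, and a standalone `.scpt`/`.scptd` run through `osascript` is not subject to the signature checks an `.app` bundle gets. The following triage helper is an added example written for this thread, not code from any commenter or from the linked article. It assumes two things not stated in the thread: that compiled AppleScript files start with the magic bytes `FasdUAS` (the signature libmagic uses for "AppleScript compiled"), and that a script bundle keeps its compiled code at `Contents/Resources/Scripts/main.scpt`. The process-execution log lines are constructed for the example and do not follow any real product's format.

```python
"""Triage helper for compiled / run-only AppleScript artifacts.

Added example for the discussion above; not from the thread or the article.
Assumptions (not stated in the thread):
  * compiled AppleScript (.scpt) starts with the magic bytes b"FasdUAS";
  * a script bundle (.scptd) stores its code at Contents/Resources/Scripts/main.scpt;
  * `osadecompile` exits non-zero when asked to decompile a run-only script,
    because the source text was never stored in the file.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS"           # assumed magic at offset 0
BUNDLE_MAIN_SCRIPT = Path("Contents/Resources/Scripts/main.scpt")  # assumed layout

# Constructed header bytes standing in for the start of a compiled .scpt file.
SAMPLE_COMPILED_HEADER = b"FasdUAS 1.101.10" + b"\x00" * 8

# Constructed process-execution log lines (not real telemetry, not a real format).
SAMPLE_EXEC_LOG = """\
2021-01-15T18:25:01Z exec uid=501 ppid=812 cmd="/usr/bin/osascript /Users/alice/Downloads/Installer/Contents/Resources/main.scpt"
2021-01-15T18:25:03Z exec uid=501 ppid=812 cmd="/Applications/Safari.app/Contents/MacOS/Safari"
2021-01-15T18:26:10Z exec uid=501 ppid=300 cmd="osascript -e display dialog hi"
2021-01-15T18:27:44Z exec uid=0 ppid=1 cmd="/usr/bin/osascript /Library/Application Support/update.scptd"
"""

# Matches an osascript launch and captures timestamp and the osascript arguments.
EXEC_RE = re.compile(r'^(\S+) .*\bcmd="(?:/usr/bin/)?osascript (.*)"$')
# Captures a script file or bundle path (spaces allowed) ending in .scpt or .scptd.
SCRIPT_PATH_RE = re.compile(r'(\S.*?\.scptd?)(?=\s|$)')


def is_compiled_applescript(data: bytes) -> bool:
    """True when the buffer begins with the compiled-AppleScript magic."""
    return data.startswith(COMPILED_APPLESCRIPT_MAGIC)


def classify_bytes(data: bytes, decompile_rc: Optional[int] = None) -> str:
    """Classify a script's leading bytes.

    decompile_rc is the exit status of `osadecompile` on the file, or None when
    the tool was not run (e.g. triage on a non-macOS analysis box).
    """
    if not is_compiled_applescript(data):
        return "not compiled AppleScript"
    if decompile_rc is None:
        return "compiled AppleScript (run-only status unknown: osadecompile not run)"
    if decompile_rc != 0:
        # Source text absent: this is the run-only case the article describes.
        return "run-only compiled AppleScript (source not recoverable)"
    return "compiled AppleScript (source recoverable)"


def classify_file(path: Path) -> str:
    """Classify a .scpt file or a .scptd bundle directory on disk."""
    target = path / BUNDLE_MAIN_SCRIPT if path.is_dir() else path
    if not target.is_file():
        return "not compiled AppleScript"
    with target.open("rb") as fh:
        head = fh.read(16)
    rc = None
    if is_compiled_applescript(head) and shutil.which("osadecompile"):
        # macOS only; on other platforms the run-only status stays unknown.
        rc = subprocess.run(["osadecompile", str(target)],
                            capture_output=True).returncode
    return classify_bytes(head, rc)


def find_osascript_script_launches(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, script path) for osascript launches of script files.

    Inline `-e` snippets are skipped: their source is on the command line, so
    they are not the run-only case and are reviewable directly from the log.
    """
    hits = []
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if not m:
            continue
        ts, args = m.group(1), m.group(2)
        if args.startswith("-e"):
            continue
        p = SCRIPT_PATH_RE.search(args)
        if p:
            hits.append((ts, p.group(1)))
    return hits


if __name__ == "__main__":
    print(classify_bytes(SAMPLE_COMPILED_HEADER, decompile_rc=1))
    for ts, script in find_osascript_script_launches(SAMPLE_EXEC_LOG):
        print(ts, "osascript launched script file:", script)
```

On a macOS host, `classify_file` resolves the run-only question by letting `osadecompile` try; anywhere else it reports the artifact as compiled AppleScript with run-only status unknown rather than guessing. The log scanner deliberately ignores `-e` one-liners, since the interesting case from the thread is a compiled script file or bundle handed to `osascript`, which does not carry the signature an `.app` would.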
| jmt_ wrote:
| Right, looks like you could choose to distribute an
| editable version of a script or a compiled version:
| https://superuser.com/a/14765
___________________________________________________________________
(page generated 2021-01-15 23:02 UTC)