- macOS.OSAMiner is a cryptominer campaign that has resisted full researcher analysis for at least five years due to its use of multiple run-only AppleScripts.
- macOS.OSAMiner has evolved to use a complex architecture, embedding one run-only AppleScript within another and retrieving further stages embedded in the source code of public-facing web pages.
- Combining a public AppleScript disassembler repo with our own AEVT decompiler tool allowed us to statically reverse run-only AppleScripts for the first time and reveal previously unknown details about the campaign and the malware's architecture.
- We have released our AEVT decompiler tool as open source to aid other researchers in the analysis of malicious run-only AppleScripts.

Back in 2018, reports surfaced on Chinese security sites about a Monero mining trojan infecting macOS users. Symptoms included higher than usual CPU usage, system freezes and problems trying to open the system Activity Monitor.app. Investigations at the time concluded that macOS.OSAMiner, as we have dubbed it, had likely been circulating since 2015, distributed in popular cracked games and software such as League of Legends and MS Office.

Although some IoCs were retrieved from the wild and from dynamic execution by researchers, the fact that the malware authors used run-only AppleScripts prevented much further analysis. Indeed, 360 MeshFire Team reported that the malicious applications:

A similar conclusion was reached by another Chinese security researcher trying to dynamically analyse a different sample of macOS.OSAMiner in 2020, noting that "No reverse method has been found…so the investigation ends here".

In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques. Recent versions of macOS.OSAMiner add greater complexity by embedding one run-only AppleScript inside another, further complicating the already difficult process of analysis. However, with the help of a little-known applescript-disassembler project and a decompiler tool we developed here at SentinelLabs, we have been able to reverse these samples and can now reveal for the first time their internal logic along with further IoCs used in the campaign. We believe that the method we used here is generalizable to other run-only AppleScripts, and we hope this research will be helpful to others in the security community when dealing with malware using the run-only AppleScript format.

A Malicious Run-Only AppleScript (or Two)

While malware hunting on VirusTotal, we came across the following property list:

SHA256 (leading character lost in extraction): ad23b781a22085588dd32f5c0a1d7c5d2f6585b14f1369fd1ab056cb97b0702

As noted above, we have seen this before in 2018 and earlier in 2020. The older persistence agents are almost identical save for the labels and names of the targeted executable. In the 2018 version, the malware tries to disguise itself as belonging to both "apple.Google" and "apple.Yahoo":

[screenshot]

The tell-tale LaunchAgent program argument is odd for its redundant use of osascript to call itself via a do shell script command (Lines 11-13). However, pivoting on the program argument, com.apple.4V.plist, led us to this newer sample for the executable:

SHA256 (leading character lost in extraction): f550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8

As with earlier versions of this malware, the executable also uses a .plist extension and runs from the user's Library LaunchAgents folder, and, again, com.apple.4V.plist is not a property list file but a run-only AppleScript:

[screenshot]

Strings May Tell You Something, But Not Much

We can quickly confirm that this is a run-only AppleScript by attempting to decompile it with osadecompile, which returns the error errOSASourceNotAvailable (-1756). The best starting point with run-only scripts is to dump the strings and the hex. For strings, we generally find the floss tool to be superior to the macOS version of the strings command line tool. This sample proves to be a case in point, because what strings won't show you but floss will is all the UTF-16 encoded hex strings that are buried in this file:

[screenshot]

At this point we should look at the hexdump. Notice in particular the magic header, FasdUAS, which is 46 61 73 64 55 41 53 20 in hex. Compare that to the embedded hex in the previous screenshot, or further down in our hexdump:

[screenshot]
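As an added example (not code from the SentinelLabs post or its decompiler), the Python triage script below applies the two checks described above to a constructed sample: the FasdUAS magic header at offset 0, and the UTF-16LE-encoded hex strings that floss surfaces but strings misses, hex-decoding each run to see whether it is itself a compiled script nested inside the outer one. The sample bytes, the INNER_SCRIPT/OUTER_SCRIPT names and the 16-digit minimum run length are assumptions made for the example.

```python
import re

# Magic header of a compiled AppleScript as seen in the hexdump:
# "FasdUAS " = 46 61 73 64 55 41 53 20
OSA_MAGIC = b"FasdUAS "

# A run of hex digits stored as UTF-16LE text: each ASCII digit is followed by a
# NUL byte, which is why `strings` skips it while floss reports it.
# Minimum run length of 16 digits is an assumption to avoid short false hits.
UTF16_HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]\x00){16,}")


def is_compiled_applescript(data: bytes) -> bool:
    """True when the blob starts with the FasdUAS magic (compiled / run-only OSA script)."""
    return data.startswith(OSA_MAGIC)


def find_utf16_hex_strings(data: bytes) -> list:
    """Return the UTF-16LE hex runs buried in the file, decoded to plain ASCII hex text."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_HEX_RUN.finditer(data)]


def extract_embedded_scripts(data: bytes) -> list:
    """Hex-decode each buried run and keep only those that are themselves compiled scripts."""
    found = []
    for hex_text in find_utf16_hex_strings(data):
        if len(hex_text) % 2:  # odd digit count cannot be a byte string; skip it
            continue
        blob = bytes.fromhex(hex_text)
        if is_compiled_applescript(blob):
            found.append(blob)
    return found


# Constructed sample (not a real OSAMiner artifact): an outer compiled script that carries
# an inner compiled script as UTF-16LE hex text, mimicking the nesting described above.
INNER_SCRIPT = OSA_MAGIC + b"\x01\x00inner-script-body"
OUTER_SCRIPT = (
    OSA_MAGIC + b"\x01\x00outer"
    + INNER_SCRIPT.hex().encode("utf-16-le")  # the buried hex string floss would show
    + b"\x00\x00tail"
)

if __name__ == "__main__":
    print("outer is compiled AppleScript:", is_compiled_applescript(OUTER_SCRIPT))
    for blob in extract_embedded_scripts(OUTER_SCRIPT):
        print("embedded compiled script, first 8 bytes:", blob[:8].hex(" "))
```

On a real sample, replace OUTER_SCRIPT with the bytes of the file under analysis; a hit from extract_embedded_scripts is the nested run-only script to hand to the disassembler next.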