An effort to reverse-engineer malicious AppleScript has led to the creation of a tool to analyze run-only malware targeting the Mac operating system, undermining a common attacker approach to obfuscating code on the platform.

Cybersecurity firm SentinelOne created the tool, known as the Apple Event (AEVT) decompiler, to analyze a cryptominer campaign that used AppleScript to automate four different stages of the infection chain: a persistence agent, a main script, an anti-analysis script, and a setup script.

The AppleScripts used to automate each task were compiled as run-only code, which removes many of the contextual signposts used by static analysis, the SentinelOne analysis states.

The lack of defensive expertise in dealing with malicious AppleScript has allowed attackers to get away with using it without pushback from defenders, says Phil Stokes, a threat researcher with the company.

"Although this miner was seen in the past, it received virtually no attention, and that was largely because researchers were unable to do static analysis on it," he says. "Since then the malware has continued to infect and develop without hindrance."

While Mac users have encountered more threats on a per-device basis than Windows users in the past year, nearly all attacks are either adware or a potentially unwanted program, such as a cryptominer.

Yet ordinary AppleScript is increasingly used by malware targeting the MacOS, and run-only compiled AppleScript is becoming more popular, SentinelOne stated in its analysis, published today. Attackers targeting Mac developers, for example, used run-only AppleScript in the XCSSET malware that used Trojan Xcode projects to compromise developers' systems. Another malware family, GravityRAT, used AppleScript as part of its infection chain but does not compile it as run-only, Stokes says.

OSAMiner, the program analyzed by SentinelOne researchers using the new AEVT decompiler, has likely escaped notice because of its ability to evade analysis using run-only AppleScripts, he says. The OSAMiner campaign has likely existed for at least five years, he says.

"In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques," SentinelOne researchers stated in the blog post.