In 2018, SentinelLabs, a cybersecurity firm, caught wind of Chinese forum reports describing a Monero-mining trojan infecting macOS users. As with any mining malware, “Symptoms included higher than usual CPU, system freeze and problems trying to open the system Activity Monitor.app.” At that time, the investigation concluded that the malware had been circulating since 2015, but little else could be gleaned from it, because it was written as run-only AppleScripts, which hindered both analysis and detection. Effectively, the investigation ended at this roadblock.
More recently, it was found that the malware authors had continued to “develop and evolve their techniques.” Newer versions of macOS.OSAMiner embed one AppleScript inside another AppleScript, adding a further layer of complexity. However, the researchers were able to reverse engineer the AppleScripts using a “little-known applescript-disassembler project and a decompiler tool” built by the team. Ultimately, the entire malware system and its related processes were unveiled in a recent report.
As SentinelLabs states, “Run-only AppleScripts are surprisingly rare,” yet they are incredibly powerful and highly elusive. A case in point is the macOS.OSAMiner campaign, which took at least five years to crack open. Hopefully, analysts can draw on the research from this campaign to help defend against future run-only AppleScript malware.
Moreover, macOS users need to be keenly aware that they, too, are vulnerable, since malware can reach out and touch virtually any user on any platform.