

This is a new trick for OSAMiner, compared to previous versions we have seen, and makes automated analysis of the malware even more difficult.

That, combined with the knowledge of Apple's magic strings at the beginning and end of an AppleScript, allow us to identify the second run-only AppleScript hidden in this file.
#MACOS RUNONLY APPLESCRIPTS TO AVOID DETECTION CODE#
This file is a little more difficult to analyze, however, a little digging will uncover some hex code in this file.


This line is using do shell script to call the com.apple.4V.plist script in the ~/Library/LaunchAgents/ directory.Īs it turns out, com.apple.4V.plist is not a Property List file, but a run-only AppleScript file. However, line 13 is what is especially interesting in this script, because it starts us down the path to truly analyzing this malware. The repeated use of osascript is highly unusual, which draws attention here, and also gives us the name OSAMiner as this is using Open Scripting Architecture scripts to accomplish its goals. The array in lines 10-14 is very telling. This file is simple, but gives away a key file used in these cryptojacking attacks. plist file extension, only one is a legitimate Property List file, so we'll start there. While several of the files associated with OSAMiner are Property List files, with the. OSX.EvilQuest was the most prevalent macOS ransomware family in 2021, accounting for 98% of ransomware in the researchers’ analysis, while OSX.Flashback accounted for 31% of macOS backdoor threats and OSX.Lador accounted for 47% of macOS trojans.Analysis of the Embedded Run-Only AppleScript Improving the CrowdStrike Falcon® platform’s ability to detect macOS threats is a continuous process. CrowdStrike researchers constantly hunt, analyze and gain understanding of any macOS artifact that looks even remotely suspicious to improve CrowdStrike’s automated machine learning and behavior-based protection capabilities. The fallacies that macOS cannot be harmed by threats or is targeted by less-sophisticated malware still linger. This blog addresses some of the challenges and requirements our researchers must meet when analyzing macOS threats. The deep understanding and knowledge they gain is used both to create new features for structural parsing that augments our machine learning detection capabilities and to improve the proficiency of our behavior-based protection. MacOS malware research starts with the fundamentals, such as classifying macOS malware by file type continues with the capabilities, intended targets and general behavior of malware and ends with obstacles researchers encounter when analyzing macOS malware. File Type Classification for macOS Threats Threats that target macOS systems have the same goals as those targeting any other operating systems they range from spying and reconnaissance to cryptocurrency mining, file encryption, remote access, and adware-related hijack and injection. Malware developers often try to hide or mask file types in an attempt to trick users into executing them. File-type identification also helps in establishing the tools required in the analysis. Figure 2 offers an overview of macOS malware file types.Įven though most malware are compiled binaries, many non-binary file types are commonly encountered while analyzing macOS malware each has its own advantages and disadvantages for the adversaries that use them.
