fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Mac Malware Uses ‘run-only’ AppleScripts To Evade Analysis

Mac Malware Uses ‘run-only’ AppleScripts To Evade Analysis

A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it.

The malware is tracked as OSAMiner and has been in the wild since at least 2015. Yet, analyzing it is difficult because payloads are exported as run-only AppleScript files, which makes decompiling them into source code a tall order.

A recently observed variant makes analyzing even more difficult as it embeds a run-only AppleScript into another scripts and uses URLs in public web pages to download the actual Monero miner.

Reversing run-only AppleScript

OSAMiner typically spreads via pirated copies of games and software, League of Legends and Microsoft Office for macOS being among the more popular examples.

The malware has been researched in the past [12] but the run-only AppleScript file hindered full analysis, limiting it to observing the behavior of the sample.

Also Read: 10 Practical Benefits of Managed IT Services

AppleScript files include both the source and the compiled code but enabling “run-only” saves only the compiled version so the human-readable code is no longer available, thus removing the possibility of reverse engineering.

Security researchers at Sentinel One discovered at the end of 2020 a new sample of OSAMiner that complicated “the already difficult process of analysis.”

However, they were able to reverse engineer some samples they collected by using a less-known AppleScript disassembler (Jinmo’s applescript-disassembler) and a decompiler tool developed internally called aevt_decompile.

Evasion actions

The recent OSAMiner campaigns use three run-only AppleScript files to deploy the mining process on the infected macOS machine, Sentinel One found:

  • a parent script that executes from the trojanized application
  • an embedded script
  • the miner setup AppleScript

The main role of the parent script is to write the embedded AppleScript to ~/Library/k.plist using a “do shell script” command and execute it. It also checks if the machine has enough free space and exits if there isn’t sufficient storage.

Other tasks it runs include collecting the serial number of the device, restarting the ‘launchctl’ job responsible for loading and unloading daemons or agents, and to kill the Terminal application.

The researchers say that the main script also sets up a persistence agent and downloads the first stage of the miner from a URL set on a public page.

Some samples may not lead to a live URL. However, Sentinel One was able to find an active one (https://www[.]emoneyspace[.]com/wodaywo) and noticed that the malware parsed a link in the source code of the page that pointed to a PNG image.

source: Sentinel One

This was the third run-only AppleScript, downloaded to the ~/Library/11.PNG. Its purpose is to download the open-source XMR-Stak Monero miner that works on Linux, Windows, and macOS.

“The setup script includes pool address, password and other configuration information but no wallet address,” the researchers say in a report today, adding that it also uses the “caffeinate” tool to prevent the machine from entering sleep mode.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

Evading detection

According to Sentinel One, the second script is intended to prevent analysis and evade detection. Supporting this conclusion is killing the Activity Monitor, which is the equivalent of the Task Manager in Windows, likely to prevent users from checking the system’s resource usage.

Furthermore, the script is designed to kill processes belonging to popular tools for system monitoring and cleaning. It finds them by checking a hardcoded list.

Sentinel One says that while AppleScript incorporates more powerful features [12], the authors of OSAMiner are not currently taking advantage. This is likely because the current setup allowed them to run their cryptocurrency mining campaigns with little resistance from the security community.

However, as Sentinel One proved, the technique is not infallible and researchers have the means to analyze it and prepare defenses against other malware that may choose to use it.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us