"Updated macOS Cryptominer Uses Fresh Evasion Techniques"

Researchers at Sentinel Labs have identified an updated version of OSAMiner, a cryptominer that targets the Mac operating system to mine Monero. According to Sentinel Labs, OSAMiner has been active since 2015, spreading through compromised video games such as League of Legends and hacked versions of software packages such as Microsoft Office for macOS. The latest version of OSAMiner uses new techniques to evade detection. The malware now chains multiple AppleScripts (AppleScript is the scripting language used to automate actions on macOS) to improve its obfuscation, and it ships them as run-only AppleScripts, which make the code more difficult to reverse-engineer. To decompile the malware's scripts, the researchers used a lesser-known AppleScript disassembler project together with a custom tool developed by Sentinel Labs. They found that the malware uses several run-only AppleScripts, each with its own role: a script that ensures the parent script's persistence, a parent script that kills running processes on the device, an anti-analysis script that performs tasks in support of evasion, a script that downloads the XMR-STAK-RX RandomX miner, and more. This article continues to discuss the new detection-evasion techniques used by the updated version of OSAMiner, as well as other reports of attacks that plant cryptominers on macOS devices.

GovInfoSecurity reports "Updated macOS Cryptominer Uses Fresh Evasion Techniques"
