MacOS Malware Used Run-Only AppleScripts To Avoid Detection For Five Years

An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week. But the cryptominer did not go entirely unnoticed. SentinelOne said that two Chinese security firms spotted and analyzed older versions of the OSAMiner in August and September 2018, respectively. But their reports only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday.

The primary reason was that security researchers weren't able to retrieve the malware's entire code at the time, which used nested run-only AppleScript files to retrieve its malicious code across different stages. As users installed the pirated software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, and then another final third run-only AppleScript. Since "run-only" AppleScript come in a compiled state where the source code isn't human-readable, this made analysis harder for security researchers.

How do you knw if you're affected?

[therealprologic]

As per title.

Re: How do you knw if you're affected?

[Anonymouse Cowtard]

Monitor your packets

Re:How do you knw if you're affected?

[dark.nebulae]

According to https://labs.sentinelone.com/f... [sentinelone.com], there are key files that you can look for to see if you are infected with OSAMiner.

Re:

[93 Escort Wagon]

Sounds like if you haven't been pirating software, you don't have to worry about it.

Re: How do you knw if you're affected?

[slazzy]

Disable applescript...

Re:How do you knw if you're affected?

[K. S. Kyosuke]

Check for the presence of depictions of fruit on your hardware.

Re: How do you knw if you're affected?

[flyingfsck]

$ top

You are welcome

Re:

[sztorm7734]

If you own an apple Product then you are affected Install a BSD or a Linux-Libre distribution

How are those scripts?

[Anonymous Coward]

If they're compiled and non-human readable, they're applications.

Re: How are those scripts?

[AcidFnTonic]

How? It's just byte code...

If the resulting code is interpreted, it's a script. If it's native code, it's not.

Text -> byte code -> interpreted is a script.

This is just sending the already processed byte code to the interpreter. Still a script.

Re:

[AlexHilbertRyan]

If its runtime is plain text and readable its a script. Anhything else by definition is not human readable, we arent going to count decompilers etc.

Re:

[omnichad]

If it's plain text, sure, it's a script. If it's not human readable, that doesn't mean it's not also a script. Unless the bytes correspond to CPU instructions, it is not compiled code.

Re:

[AlexHilbertRyan]

A script by definition must be at the very least human readable text and executable by some program / environment. If either of them fail the test then its not a script. Source code that requires a compiler to make an executable is not a script because it fails the 2nd test i mention The executable that is produced by a compiler is not human readable text therefore it fails the first test. A bash file or python file are human readable text and they may be executed via their respective systems therefore the

Re:

[CaptQuark]

I agree with Omnichad. The primary difference between a scripting language and a programming language is in their execution – programming languages use a compiler to convert the high-level programming languages into machine language. On the other hand, scripting languages use an interpreter. While a compiler compiles code into a complete program, an interpreter interprets code line by line.

Basic was an early example of a scripted language or interpreted code. You needed a Basic interpreter to run

Re: How are those scripts?

[ZiggyZiggyZig]

I think you are both right in your interpretations, but in my mind I side with AlexHilbertRyan . A script, semantically, means something humans can read.

It would make sense to call "script" things that we humans can read, "bytecode" things that are compiled in some intermediate form, and "binary" a form that can be directly executed by the CPU without interpretation.

Re:

[AlexHilbertRyan]

@Ziggy scripts are text you can edit in any text editor, edit not read, running a decompiler or javap to read java class file is not "reading" the class files in a text editor.

Re:

[Dan East]

It's all getting pedantic at this point

Scripts are a subset of source code (a human-readable language), with the additional understanding that they are interpreted, and thus parsed / compiled at run time. Then, of course, as an optimization, scripting languages are often cached in some byte-code format because parsing the verbose text of the script every time it runs is inefficient. In other words, JIT. We leave the source lying around until we actually need to execute it, then it is parsed / compiled on

Re:

[tepples]

And speaking of those two things, now "app" has pretty much grown in definition to have the same meaning as what we used to refer to as a "program" or executable.

"Grown"? It's always had that definition. "App" has been short for "application" since the 1990s.

Re:

[AlexHilbertRyan]

Tokenized Basic is not text but some binary file format. A script by definition is supposed to be a text file hich the user can edit outside any editor in a plain text editor. A tokenized basic file by definition cannot be edited outside the editor for that basic.

A tokenized BASIC editor is an editor

[tepples]

Tokenized BASIC is script because the preferred editor operates on programs in the form in which they are usually distributed and executed. Even though this form happens to be something other than newline-delimited ASCII or UTF-8 text, that doesn't make an editor for tokenized BASIC any less of an editor than, say, GIMP or LibreSprite is an image editor. Contrast with JVM bytecode, CLR, and WebAssembly, which aren't meant to be edited in that form.

Re:

[AlexHilbertRyan]

No again you didnt read my comment. if the file needs a custom editor because nothing else understrands it, then its not plain text. Scripts are files that basically any text editor can view and edit. If it requires a special editor to "read" and "write" the file for any basic change then its obviously not text.

Re:

[tepples]

Scripts are files that basically any text editor can view and edit. If it requires a special editor to "read" and "write" the file for any basic change then its obviously not text.

Lines of Bash scripts are delimited by code unit 0x0A, which represents line feed. Until the Windows 10 October 2018 Update, Windows Notepad (the editor included with Windows) could read and write only files with lines delimited by 0x0D 0x0A, where 0x0D carriage return. Thus a Windows user needed to download and install "a special editor", such as Notepad++, to edit text files with UNIX newlines. Likewise, Python and PHP scripts containing characters outside 7-bit ASCII are written in UTF-8 encoding nowaday

Re:

[AlexHilbertRyan]

Since you want to be a clever, most people still write ASCII, which is also valid UTF-8, which basically means you have exactly. and perectly confirmed my statement which you quoted.

Re:

[AlexHilbertRyan]

Java Bytecode is not interpreted, but i wont waste time on that. At runtime it very quickly becomes machine code by the JIT. As i said before its not practically possible to edit java class files using a text editor. You could but the pain is not worth it, unlike a script file which is basically just text which you can edit, lets assume you understad the language syntax etc.

Re:

[angel'o'sphere]

There are dozens of variations of interpreters.
And most modern languages can not be interpreted line by line :P

Tokenized basic is 90% of the tin: not a script. See my other post.

Yes, I know I took some shortcuts to reach this conclution but the point is, just because it isn't human readable, it isn't still a scripted language.
And neither is it the opposite.

Re:

[tlhIngan]

A script by definition must be at the very least human readable text and executable by some program / environment. If either of them fail the test then its not a script. Source code that requires a compiler to make an executable is not a script because it fails the 2nd test i mention The executable that is produced by a compiler is not human readable text therefore it fails the first test. A bash file or python file are human readable text and they may be executed via their respective systems therefore they

Re: How are those scripts?

[volodymyrbiryuk]

A script by definition must be at the very least human readable text

That is until you see someone else's Java Script code.

Re:

[Cmdln Daco]

We could talk about a lot of perl scripts here, too.

Re:

[AlexHilbertRyan]

You are confusing understanding with readability. Readdability simply means being able to see the text it doesnt mean to understand.

Re:

[tepples]

Is a py.gz or js.gz file not a script? You need a specialized editor to view it, namely one supporting Gzip decompression. With the correct editor, it is readable and editable.

Re:

[AlexHilbertRyan]

Inside those archives are plain text files, the gzip is just an ADDITIONAL OPTIONAL packaging mechanism. In its raw form there are text files.

Re:

[tepples]

Likewise, some BASIC implementations have treated tokenization as "just an ADDITIONAL OPTIONAL packaging mechanism."

Re:

[AlexHilbertRyan]

Not discussing optional extras, discussing the core mainstream respresentation of said files. By default in basically all scripting langauges, you can edit text files, and execute them as they are in the runtime with no REQUIRED additional step to repackage. Im not discussing repackaging options just highlighting the default - the simple default is what makes them scripting langauges. Why keep trying to find some bullshit instead of accepting the majority use case. You are like lotto ads trying to bullshi

Re:

[thegarbz]

How does this definition apply to Java applications which while they have been compiled and are non human readable still don't run without an interpreter?

Re:

[angel'o'sphere]

Strictly speaking, a script is something that can be interpreted and executed in text form.
If it is compiled to a byte code does not really matter.

In the end however Script only means for what it is used. No one would call a Java "Program" a script. However, Groovy compiled to the same byte code and run on the same VM is often called a script when does a simple OS related task or automates something in an application or an IDE.

Examples are Bash scripts, which usually are not compiled, Perl scripts, that are

Re:

[tepples]

If the resulting code is interpreted, it's a script. If it's native code, it's not.

Did you intend these to fall under your "script" definition?

- Game Boy games run in SameBoy are scripts.
- A WebAssembly program is a script.
- A Java program is a script (though still unrelated to JavaScript).
- 68LC040 programs run on PowerPC, PowerPC programs run on x86-64, and x86-64 programs run on ARM are scripts.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Judging by the complete dribble in your first paragraph, we can't be sure of anything besides your lack of intelligence.

Re:

[Cmdln Daco]

So, you're saying that httpd is not an application?

Re: How are those scripts?

[lessSockMorePuppet]

It's a daemon. Says so right in the name.

Run only is not a limitation or mitigation

[aldousd666]

If you can run a script, you own the box. Run only? Who paid for that wording?

Re:

[CaptQuark]

"Run Only" just means it has been processed into a compacted version of the program that isn't easy to edit. It wasn't meant to be easy to read, understand, or edit, thus the name "run only". They could have named it AppleScript Bytecode if you think that's a better phrase.

Re:

[Otto]

So... it's compiled... like literally every other program every made?

What exactly makes compiled code special? EXEs are compiled code. The term "run-only" is stupid. You have to be able to read the thing to run it, and the computer can read bytes just fine, so... where's the problem?

Re:

[dark.nebulae]

It's more like java in that it doesn't get natively compiled, it gets compiled down to object code which applescript can open and run just like a script file.

Re:

[Kitkoan]

<quote>So... it's compiled... like literally every other program every made?</quote>

It's incredibly rare last time I checked for a Scripting language app to be compiled. That's why it's phrased like that. Programming language apps are compiled all the time, but Scripting languages aren't. Scripting languages are typically interpreted.

Odd story

[hackertourist]

Are they saying they can't analyze malware if they don't have the source code? Isn't all malware delivered as compiled binaries rather than .bat/AppleScript files?

Re:Odd story

[John Allsup]

x86 malware is in x86 machine code, which is well-documented and has much in the way of reverse engineering software. AppleScript is compiled into a proprietary bytecode which needs to be understood before decompiling/analysing is possible.

Re:

[hackertourist]

that makes sense, thanks.

Re:

[Dan East]

I think they are referring to the fact that the malware is modular, and can pull in new scripts with new functionality (like mining bitcoins). Instead of a simple word like "modular" they are saying it in a more convoluted manner, "nested scripts that occur in different phases". The security researches had not encountered all the various functions of the malware yet (or more than likely, the bitcoining functionality hadn't even been implemented yet). It all boils down to the fact that if someone gets acce

Compile your code == avoid detection?

[misnohmer]

So compiling your malicious code into byte code avoid detection by security researchers? Imagine what you can do if you compile it onto this special byte code which only CPU's execute, otherwise known as binary executable files! Are the security researchers of today at the level of majority of programmers - if it isn't human readable, it's black magic?

Re:

[Cmdln Daco]

On a Mac it is, because a large part of the userbase has been educated to believe 'Macs don't get malware.'

Re:

[gtall]

The 90's are calling, they want their meme back. Go forth young man and be an antique before your time.

Re:

[tepples]

In case you missed John Allsup's comment [slashdot.org], the difference is that far more documentation is available to the malware research community (and the rest of the public) for x86 and x86-64 bytecode than AppleScript bytecode.

Re:

[misnohmer]

Ah, so a malicious code obfuscation system courtesy of Apple then. It is super exclusive, only Apple customers get to have it? [/sarcasm]

Cracked Software

[scum-e-bag]

Cracked software contains malware and viruses... yeah, like that's not gonna happen...

So hard to analyze code is bad for security?

[gweihir]

What a surprise. I think in the end it will need to be outlawed or people will just have to stop buying anything closed source because it does so badly.

Re:

[tflf]

What a surprise. I think in the end it will need to be outlawed or people will just have to stop buying anything closed source because it does so badly.

If you use pirated software, there should be no surprise when it's infected, whether the source code is open or closed. This is nothing new - pirated software has, since the earliest days of home computing, always carries a significant risk of malware,infection, or whatever evil code of one form or another. The easier, and more widespread, software distribution methods become, the greater the spread of infected pirated software.
As long as people are willing to save a few bucks by us

Re:

[gweihir]

You are barking up the wrong tree.

problems with printing

[lauwss]

You know, mac os is not very comfortable to use when you work at the office. I mean, I had problems with printing anything with this system. Maybe my problem was connected to cartridge because when I bought https://www.mrdepot.ca/product... [mrdepot.ca] the situation has changed for the better