![]() Acronis Cyber Protect is not affected by this functionality and will keep you protected. Specifically, the Activity Monitor app, and common anti-malware applications are killed using this function. While the encode and decode functions from the parent file are present, as is the nameless 'main' function, one of the most notable changes is the 'kPro' function, which is there to kill processes. SHA-256: df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8 OSAMiner - code capture 2Īt this point, we have everything we need to review the embedded run-only AppleScript, which is the newest change to OSAMiner. This logic has been utilized in a decompiler that allows a final full review of the files used in this malware. ![]() It is called several times throughout the script, and is used to deobfuscate hex strings throughout the script. One of the most interesting functions found right away is the decoding function built into the script. Now that we have both the parent script and the embedded script, we can work on disassembling them, to see what each does. ![]() This is a new trick for OSAMiner, compared to previous versions we have seen, and makes automated analysis of the malware even more difficult. That, combined with the knowledge of Apple's magic strings at the beginning and end of an AppleScript, allow us to identify the second run-only AppleScript hidden in this file. This file is a little more difficult to analyze, however, a little digging will uncover some hex code in this file. This line is using do shell script to call the com.apple.4V.plist script in the ~/Library/LaunchAgents/ directory.Īs it turns out, com.apple.4V.plist is not a Property List file, but a run-only AppleScript file. However, line 13 is what is especially interesting in this script, because it starts us down the path to truly analyzing this malware. The repeated use of osascript is highly unusual, which draws attention here, and also gives us the name OSAMiner as this is using Open Scripting Architecture scripts to accomplish its goals. The array in lines 10-14 is very telling. This file is simple, but gives away a key file used in these cryptojacking attacks. plist file extension, only one is a legitimate Property List file, so we'll start there. While several of the files associated with OSAMiner are Property List files, with the. The company found a record-high of 91.05 million new Windows malware samples were discovered in 2020 - an average of 249,452 threats per day, meaning that there were over 135 times more Windows threats than there was macOS in 2020.Analysis of the Embedded Run-Only AppleScript GoSearch22.app, an M1-native version of the longstanding Pirrit virus, generates revenue by spamming users with pop-ups and adverts.ĭespite the rise in macOS malware, Atlas VPN highlighted that the number of attacks targeting Windows users remained much higher. "Nowadays, hackers don’t even need advanced programming skills since they can purchase a ready-made malware code, tailor it to their needs with a little bit of coding, and establish a completely new threat."Īlarms were raised earlier this year when the first malware native to M1-powered MacBooks (opens in new tab) was discovered in the wild, just months after the arrival of the first Apple Silicon devices. “Contributing to this record surge in threats is the fact that new malicious software is now easier to engineer than ever before," noted (opens in new tab) Rachel Welch, COO of Atlas VPN.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |