Jump to content

Search the Community

Showing results for tags 'mac malware'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 2 results

  1. Mac malware uses 'run-only' AppleScripts to evade analysis A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it. The malware is tracked as OSAMiner and has been in the wild since at least 2015. Yet, analyzing it is difficult because payloads are exported as run-only AppleScript files, which makes decompiling them into source code a tall order. A recently observed variant makes analyzing even more difficult as it embeds a run-only AppleScript into another scripts and uses URLs in public web pages to download the actual Monero miner. Reversing run-only AppleScript OSAMiner typically spreads via pirated copies of games and software, League of Legends and Microsoft Office for macOS being among the more popular examples. The malware has been researched in the past [1, 2] but the run-only AppleScript file hindered full analysis, limiting it to observing the behavior of the sample. AppleScript files include both the source and the compiled code but enabling "run-only" saves only the compiled version so the human-readable code is no longer available, thus removing the possibility of reverse engineering. Security researchers at Sentinel One discovered at the end of 2020 a new sample of OSAMiner that complicated "the already difficult process of analysis." However, they were able to reverse engineer some samples they collected by using a less-known AppleScript disassembler (Jinmo’s applescript-disassembler) and a decompiler tool developed internally called aevt_decompile. Evasion actions The recent OSAMiner campaigns use three run-only AppleScript files to deploy the mining process on the infected macOS machine, Sentinel One found: a parent script that executes from the trojanized application an embedded script the miner setup AppleScript The main role of the parent script is to write the embedded AppleScript to ~/Library/k.plist using a "do shell script" command and execute it. It also checks if the machine has enough free space and exits if there isn't sufficient storage. Other tasks it runs include collecting the serial number of the device, restarting the 'launchctl' job responsible for loading and unloading daemons or agents, and to kill the Terminal application. The researchers say that the main script also sets up a persistence agent and downloads the first stage of the miner from a URL set on a public page. Some samples may not lead to a live URL. However, Sentinel One was able to find an active one (https://www[.]emoneyspace[.]com/wodaywo) and noticed that the malware parsed a link in the source code of the page that pointed to a PNG image. This was the third run-only AppleScript, downloaded to the ~/Library/11.PNG. Its purpose is to download the open-source XMR-Stak Monero miner that works on Linux, Windows, and macOS. "The setup script includes pool address, password and other configuration information but no wallet address," the researchers say in a report today, adding that it also uses the "caffeinate" tool to prevent the machine from entering sleep mode. Evading detection According to Sentinel One, the second script is intended to prevent analysis and evade detection. Supporting this conclusion is killing the Activity Monitor, which is the equivalent of the Task Manager in Windows, likely to prevent users from checking the system's resource usage. Furthermore, the script is designed to kill processes belonging to popular tools for system monitoring and cleaning. It finds them by checking a hardcoded list. Sentinel One says that while AppleScript incorporates more powerful features [1, 2], the authors of OSAMiner are not currently taking advantage. This is likely because the current setup allowed them to run their cryptocurrency mining campaigns with little resistance from the security community. However, as Sentinel One proved, the technique is not infallible and researchers have the means to analyze it and prepare defenses against other malware that may choose to use it. Source: Mac malware uses 'run-only' AppleScripts to evade analysis
  2. Mac Malware 'XCSSET' Adapted for Devices With M1 Chips An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip. Apple unveiled its M1 system-on-chip in November 2020 and the first malware created specifically for systems with the arm64 CPU architecture used by the M1 was apparently created in December. This was a variant of Pirrit, a piece of adware that has been around for several years. A few days after the existence of this Pirrit variant came to light, managed detection and response firm Red Canary reported identifying a mysterious piece of Mac malware that had infected tens of thousands of devices around the world. This malware, named Silver Sparrow, also had a variant specifically designed for M1 systems. Kaspersky reported on Friday that it too has spotted a piece of malware with a variant compiled for devices with M1 chips, specifically a variant of the malware known as XCSSET. XCSSET is a mysterious piece of malware first detailed by Trend Micro and Mac security company Intego in August 2020. It does not appear to have been linked to any known threat group or activity, but a majority of infections spotted at the time were in China and India. The malware is designed to allow its operator to launch ransomware attacks (i.e. encrypt files and display a ransom note), and steal information from infected devices, including data associated with the Evernote, Skype, Notes, QQ, WeChat, and Telegram apps. It can also launch universal cross-site scripting (UXSS) attacks in an effort to inject arbitrary JavaScript code into the websites visited by the victim. This allows it to modify sites, including replacing cryptocurrency addresses, and phish credentials and payment card information. XCSSET spreads through code injected into projects for Xcode, Apple’s integrated development environment. The payload is executed when the project is built. Kaspersky has seen an XCSSET sample compiled for the arm64 architecture. This sample was uploaded to the VirusTotal malware analysis service on February 24, which has led the company’s researchers to believe that the campaign is likely still ongoing. Kaspersky noted that in many cases Mac malware is delivered in the Mach-O format, which includes the malicious code compiled for several architectures — depending on what type of device the malware lands on, the code corresponding to that architecture is executed. “With the new M1 chip, Apple has certainly pushed its performance and energy saving limits on Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture,” Kaspersky researchers wrote in a blog post. They added, “We have observed various attempts to port executables not just among typical adware such as Pirrit or Bnodlero samples, but also among malicious packages, such as the Silver Sparrow threat and XCSSET downloadable malicious modules. This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips.” Source: Mac Malware 'XCSSET' Adapted for Devices With M1 Chips
  • Create New...