macOS Malware Caught but Undetected for 5 Years

Cybersecurity startup SentinelOne recently uncovered OSAMiner, a malware family that has been operating on macOS since around 2015, ZDNet reported. The malware is distributed through pirated applications and is mostly observed in Asia.

OSAMiner, which infects victim systems and uses them to mine cryptocurrency undiscovered, “has been active for a long time and has evolved in recent months,” according to a SentinelOne spokesperson via an email interview with ZDNet.

It also appears to be more active in Chinese and Asia-Pacific communities, added the spokesperson.

macOS Malware Caught but Undetected

While SentinelOne has only recently discovered the malware, the firm noted that two Chinese security companies had reported older versions of it a few years earlier.

SentinelOne macOS malware researcher Phil Stokes reveals that in August and September 2018, those firms had identified and analyzed OSAMiner, but were only able to uncover a small portion of what it can do.

Stokes explained that the researchers from the said firms were not able to access the malware’s entire code, which has been hidden under layers of run-only AppleScript files.

The malicious software embeds itself in the system through a series of scripts, with the process being triggered by the installation of infected pirated programs.

It is important to note that this infection method poses analysis challenges because the script code is not human-readable. Researchers are forced to use other tools to analyze it.
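As an added example, not code from the article or from SentinelOne, a small Python triage script that walks a directory, picks out compiled AppleScript files and flags those that look run-only. The magic header and the "readable source keywords" heuristic are assumptions, labelled as such in the comments.

```python
"""Triage helper: find compiled AppleScript files and flag likely run-only ones.

Assumptions (not taken from the article):
- compiled AppleScript files start with the magic string b"FasdUAS";
- a normally compiled script keeps its readable source text next to the
  bytecode, so AppleScript keywords appear in the raw bytes; a run-only
  script omits the source, so no such keywords appear (heuristic only).
"""
import os
from typing import List, Tuple

APPLESCRIPT_MAGIC = b"FasdUAS"  # assumption: header of compiled .scpt files

# Keywords expected in embedded source text (heuristic, constructed list).
SOURCE_KEYWORDS = (b"tell application", b"do shell script", b"on run", b"end tell")


def classify(blob: bytes) -> str:
    """Return 'not-applescript', 'compiled-with-source' or 'likely-run-only'."""
    if not blob.startswith(APPLESCRIPT_MAGIC):
        return "not-applescript"
    if any(kw in blob for kw in SOURCE_KEYWORDS):
        return "compiled-with-source"
    return "likely-run-only"


def scan_dir(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, verdict) for every compiled AppleScript found."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)  # header plus any embedded source
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            verdict = classify(head)
            if verdict != "not-applescript":
                findings.append((path, verdict))
    return findings


# Constructed sample inputs (not real malware) mimicking the two file shapes.
SAMPLE_WITH_SOURCE = APPLESCRIPT_MAGIC + b" 1.101.10\x0e\x00" + b'tell application "Finder" to activate'
SAMPLE_RUN_ONLY = APPLESCRIPT_MAGIC + b" 1.101.10\x0e\x00" + bytes(range(32, 64)) * 4

if __name__ == "__main__":
    import sys
    for path, verdict in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:22} {path}")
```

Files reported as likely-run-only are candidates for deeper analysis with dedicated tooling, since their logic cannot be read from the file itself.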

Stokes further explained, “Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis.”

The use of AppleScript, while rare, remains a risk for macOS users, according to Stokes. Moreover, this attack vector can be difficult to discover precisely because it is rarely used and because many defensive products are not equipped to handle such attacks.

So far, PC Risk has noted some antivirus programs that detect OSAMiner, including Avast, which identifies it as MacOS:Agent-JE [Trj], ESET (OSX/OSAMiner.C), Ikarus (Trojan.OSX.Osaminer), McAfee (Artemis), Symantec (OSC.Trojan.Gen), ZoneAlarm by Check Point (Trojan-Downloader.OSX.Chiner.d), and AhnLab-V3 (Trojan/OSX.Agent4328).

Some symptoms of infection include high CPU usage, system freezes, and issues with Activity Monitor. Damage can come in the form of high power bills, loss of unsaved data, hardware overheating, and a significant decrease in performance.