Researchers at Sentinel Labs have identified an updated version of OSAMiner, the cryptominer that targets the Mac operating system to mine Monero. According to Sentinel Labs, OSAMiner has been active since 2015, spreading through compromised video games like League of Legends, and hacked versions of software packages such as Microsoft Office for macOS. The latest version of OSAMiner uses new techniques to evade detection. This malware now uses multiple versions of AppleScript, a scripting language used to automate macOS actions, to improve obfuscation. OSAMiner uses run-only AppleScripts to make it more difficult for its code to be reverse-engineered.

In order to decompile the malware scripts, the researchers used a lesser-known AppleScript-dissembler project and a custom tool developed by Sentinel Labs. The researchers discovered that the malware uses multiple methods to execute the run-only AppleScript. These methods include a script to ensure the parent script's persistence, a parent script to kill running processes in a device, an anti-analysis AppleScript to perform tasks in support of evasion, a script that downloads the XMR-STAK-RX RandomX miner, and more. This article continues to discuss new techniques used by the updated version of OSAMiner to prevent detection and other reports of attacks targeting macOS devices to plant cryptominers.

As we approach the end of 2021, we take a look at the year's main malware discoveries targeting the macOS platform with an emphasis on highlighting the changing tactics, techniques and procedures being employed by threat actors. In particular, we hone in on what is unique about each malware discovery, who it targets and what its objectives are. On top of that, you'll find a breakdown of the essential behavior of each threat and links to deeper technical analyses. At the end of the post, we draw out the main lessons Mac admins and security teams can learn from this year's crop of macOS malware to help them better protect their Mac fleets going into 2022.

Summary of Key Trends Emerging During 2021

As we will describe below, several things stand out about macOS malware in 2021.

- macOS targeted in more cross-platform malware campaigns, with malware written in Go, Kotlin and Python observed.
- A drive towards attacks on developers and other 'high-value' targets.
- An increasing interest in targeting macOS users in the East (China and Asia).
- A continued reliance on using LaunchAgents as the primary persistence mechanism.
- While commodity adware is by far the most prevalent threat on macOS, most new malware families that emerged in 2021 focused on espionage and data theft.

In 2021 to date, there have been ten new reported malware discoveries. Let's take a look at what was unique for each one and the main points that defenders need to be aware of.

Top 10 In-the-Wild macOS Malware Discoveries 2021

In January 2021, Intezer reported on Operation ElectroRAT, a campaign that had been running throughout 2020 targeting cryptocurrency users. This was the first of an increasingly common trend throughout 2021: cross-platform malware written in Go targeting macOS, Linux and Windows operating systems. The aim was to get cryptocurrency users to install a trojanized application for trading and managing cryptocurrency.

All versions were built using Electron, and once the trojan app is installed and launched, a malicious background process called "mdworker" functions as the RAT, capable of keylogging, taking screenshots, executing shell commands, and uploading and downloading files. The name was carefully chosen: "mdworker" is also the name of a legitimate system binary that powers the Mac's Spotlight search functionality. The malicious mdworker binary is copied from the trojan bundle and written as a hidden file in the user's home folder. Persistence is via a property list in the user's LaunchAgents folder.

Applications/eTrader.app/Contents/Utils/mdworker

- Cross-platform RAT malware written in Go.
- Uses trojanized Crypto Trading applications.
- Attempts to hide as a system process (T1564.001).
- Uses a Launch Agent for persistence (T1543.001).

Also in January, SentinelLabs reported on OSAMiner, part of a campaign that had been in existence in various forms for at least five years and which appears to target primarily Chinese and Asian Mac users by installing a hidden Monero crypto miner.