Apple macOS had an ‘OSAMiner’ malware active for five years that successfully evaded detection by using run-only AppleScripts, reveals security report

Apple macOS had OSAMiner crypto-mining malware. Pic credit: StockSnap/Pixabay

Apple computers running the macOS operating system were, and still are, vulnerable to a sophisticated malware campaign. Experts strongly believe the stealthy macOS.OSAMiner, or OSAMiner, has been successfully exploiting Macs for as many as five years.

Distributed through pirated software, OSAMiner has been stealthily consuming the processing resources of infected computers for at least five years. The primary purpose of this Apple macOS malware was to mine cryptocurrency.

OSAMiner sneaked in through pirated software and ran cryptocurrency mining clandestinely for five years

Apple macOS, the primary operating system for Apple computers (Macs), was the target of OSAMiner, which used a clever trick to avoid detection.

The OSAMiner hijacked the hardware resources of infected users to mine cryptocurrency. The creators of the malware used processes that were specifically designed to evade detection and analysis by security researchers.

According to security researchers, the OSAMiner malware was distributed inside pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac. The distribution has been active since at least 2015, according to a report security firm SentinelOne published this week.

“OSAMiner has been active for a long time and has evolved in recent months. From what data we have it appears to be mostly targeted at Chinese/Asia-Pacific communities.”

Incidentally, security researchers were unable to retrieve the malware’s entire code when they first noticed its activity back in 2018. This was because the malware used nested run-only AppleScript files to retrieve its malicious code across different stages.

The AppleScripts in this chain arrive in a compiled state and are essentially “run-only”. In other words, the source code isn’t human-readable. Although intended as a protection for script authors, this makes analysis a lot harder for external or third-party security researchers.

How did the malware infect and spread on an Apple macOS computer?

As mentioned earlier, OSAMiner’s creators depended heavily on the distribution, download and widespread use of illegally obtained, cracked software. Because piracy is common in Southeast Asia, the malware was quite active in that region.

It seems the malware’s creators obtained different variants of pirated software and injected the malware into them. Incidentally, the malware’s initial size was quite small; this was intentional, to evade detection.

As users installed the pirated software, the malware installer silently downloaded and ran a run-only AppleScript. That script in turn silently downloaded and ran a second run-only AppleScript, which then downloaded and ran a third and final run-only AppleScript. Apparently, the third AppleScript contained the actual OSAMiner malware, or “payload”.
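Two defensive checks follow from the description of the run-only scripts and of the three-stage chain above. The example below is added here and is not code from the article or from SentinelOne’s report; it combines both checks in one script. The first helper recognises compiled AppleScript files by their `FasdUAS` magic header (the same signature the `file` utility uses), which is the form a run-only script is delivered in. The second walks a list of process-start events and reports any osascript process that was itself launched by osascript, the nested staging the article describes. The event records and file contents are constructed sample data, and the field names (`pid`, `ppid`, `exe`) are assumptions rather than the schema of any particular EDR product.

```python
import os
from typing import Dict, List

# Compiled AppleScript files (.scpt) begin with this magic header; the `file`
# utility reports such files as "AppleScript compiled". Run-only scripts are
# compiled scripts without embedded source, so they carry the same header.
APPLESCRIPT_MAGIC = b"FasdUAS"


def is_compiled_applescript(data: bytes) -> bool:
    """True when the buffer starts with the compiled-AppleScript magic."""
    return data.startswith(APPLESCRIPT_MAGIC)


def scan_for_compiled_scripts(files: Dict[str, bytes]) -> List[str]:
    """Return the paths whose contents are compiled AppleScript.

    `files` maps a path to its leading bytes; only the header is inspected.
    """
    return sorted(path for path, data in files.items() if is_compiled_applescript(data))


def find_nested_osascript_chains(events: List[dict], min_depth: int = 2) -> List[dict]:
    """Find process chains in which osascript was launched by osascript.

    Each event is a dict with "pid", "ppid" and "exe". One finding is
    reported per innermost osascript whose unbroken osascript ancestry is at
    least `min_depth` processes long, together with the pid of the
    non-osascript process that started the chain (None if it is not in the
    event list).
    """
    by_pid = {e["pid"]: e for e in events}

    def is_osa(e):
        return e is not None and os.path.basename(e["exe"]) == "osascript"

    # pids of processes that spawned at least one osascript child
    has_osa_child = {e["ppid"] for e in events if is_osa(e)}

    findings = []
    for e in events:
        if not is_osa(e) or e["pid"] in has_osa_child:
            continue  # not osascript, or not the innermost stage of a chain
        chain = [e["pid"]]
        parent = by_pid.get(e["ppid"])
        while is_osa(parent):  # climb while the parent is also osascript
            chain.append(parent["pid"])
            parent = by_pid.get(parent["ppid"])
        if len(chain) >= min_depth:
            findings.append({
                "chain": list(reversed(chain)),  # outermost stage first
                "launched_by": parent["pid"] if parent is not None else None,
            })
    return findings


# Constructed sample data (not real indicators): leading bytes of three files.
SAMPLE_FILES = {
    "/Users/demo/Downloads/Installer/stage1.scpt": b"FasdUAS 1.101.10\x0e\x00\x00\x00\x04",
    "/Users/demo/Downloads/Installer/readme.txt": b"Thanks for downloading!\n",
    "/Users/demo/Library/Scripts/hello.applescript": b'display dialog "hello"\n',
}

# Constructed process-start events: an installer shell spawns osascript,
# which fetches a second stage and runs it with osascript, which runs a third.
# pid 200 is an unrelated, single osascript run and should not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "exe": "/bin/bash"},
    {"pid": 101, "ppid": 100, "exe": "/usr/bin/osascript"},
    {"pid": 102, "ppid": 101, "exe": "/usr/bin/curl"},
    {"pid": 103, "ppid": 101, "exe": "/usr/bin/osascript"},
    {"pid": 104, "ppid": 103, "exe": "/usr/bin/osascript"},
    {"pid": 200, "ppid": 1, "exe": "/usr/bin/osascript"},
]


if __name__ == "__main__":
    for path in scan_for_compiled_scripts(SAMPLE_FILES):
        print("compiled AppleScript (review manually):", path)
    for finding in find_nested_osascript_chains(SAMPLE_EVENTS):
        print("nested osascript chain", finding["chain"],
              "started by pid", finding["launched_by"])
```

On a real host the file check would read the first eight bytes of each candidate file instead of the constructed dictionary, and the process events would come from whatever endpoint telemetry is available. The nesting heuristic will also fire on legitimate automation that chains scripts, so it is a triage signal to combine with the file’s origin (for example, a freshly installed cracked application) rather than a verdict on its own.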

SentinelOne macOS malware researcher Phil Stokes has published a detailed report. It reveals the full chain of this attack, along with Indicators of Compromise (IOCs) for past and newer OSAMiner campaigns. However, it is quite clear that as long as people keep using pirated software, the malware will continue to find vulnerable Apple macOS computers.
