Cryptocurrency Miner Has Been Attacking MacOS Users For Over 5 years

MacOS computers have long been used by fraudsters for hidden cryptocurrency mining. For five years, OSAMiner managed to evade detection, cybersecurity experts at SentinelOne said.

The malware, dubbed OSAMiner, reportedly appeared on the network no later than 2015. It was distributed disguised in pirated (hacked) games and other software products, including League of Legends and Microsoft Office for Mac.

Geographically, OSAMiner is reportedly primarily focused on China and the Asia-Pacific region. His activity there did not go completely unnoticed: in August and September 2018, two Chinese firms discovered and analyzed old versions of OSAMiner. But their reports did not give a full picture of the capabilities of OSAMiner, said Phil Stokes, macOS malware researcher at SentinelOne.

Research conducted at SentinelOne has revealed the root cause of these difficulties. As it turns out, OSAMiner loads its code piece by piece using AppleScript compound files with run-only status. The run-only option allows you to run the AppleScript control script as an application without entering edit mode and thus hide its source code.

Stokes and the SentinelOne team hope that by publishing the full chain of this attack, along with indicators of compromise (IOCs) for older and newer versions of OSAMiner, macOS security vendors can help them detect and protect macOS users from such attacks.

Previous Post Next Post