Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection

Jan 14th 2021

This week the team at SentinelLabs released an in-depth analysis of macOS.OSAMiner, a Monero mining trojan infecting macOS users since 2015. The authors of macOS.OSAMiner used run-only AppleScripts which made attempts at further analysis more difficult.

In 2020, the SentinelLabs Team discovered that the malware authors were evolving their evasion techniques, adding more complexity by embedding one run-only AppleScript inside another. We analyzed one of the latest samples “com.apple.4V.plist” using VMRay Analyzer. In this Malware Analysis Spotlight, we will showcase the key behaviors identified during the dynamic analysis.

Note, at the time of analysis this sample of OSAMiner had a 2/60 detection rate on VirusTotal.

 

OSAMiner Analysis

The “com.apple.4V.plist” file is placed in ~/Library/LaunchAgents by the original dropper and disguised as a Property list configuration file (PLIST) while it is in fact a compiled AppleScript.

Straight away, we see that a number of VMRay Threat Identifier (VTI) rules hit and the sample is classified as malicious. From the Overview Tab, we can see the main behaviors of the sample including network connectivity, file dropping behavior, and system information gathering. Now we can dig deeper into each of these characteristics.

 

macOS.OSAMINER - VTI rules

 

The Network Tab shows multiple C2 connections. The first request to budaybu100001[.]com:8080 returns the second-stage URL embedded in the string “-=-=-=” as a marker. Interestingly, there are two URLs that were returned. The second one might be a fallback or used by another variant of the family.

 

macOS.OSAMINER - Network tab

macOS.OSAMINER - Hex Dump

 

The second stage is another compiled AppleScript stored at ~/Library/11.png. All downloads are performed using curl which is clearly visible in the Behavior Tab. The second stage is again executed using “osascript” and has two main tasks:

  1. Download and extract the third stage mining payload
  2. Write the mining configuration (pools.txt, config.txt, cpu.txt)

 

macOS.OSAMINER - Second Stage_curl

macOS.OSAMINER - Mining Configuration

 

The third stage is a zip file containing two dynamic libraries (dylibs) and finally a Mach-O binary, again disguised as a PLIST which can be clearly seen in the Files Tab.

 

macOS.OSAMINER - Dynamic Libraries (Dylibs)

macOS.OSAMINER - Mach-O binary

 

In addition, the second stage uses the system tool “caffeinate” to prevent the machine from going to sleep while the first stage will continuously query the running processes for common AV programs using the ps command:

sh -c ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'

All of these actions are performed using sub-processes so they can be observed in the process graph and process overview.

 

macOS.OSAMINER - Process Overview

macOS.OSAMiner - Process Graph (2)

 

As we can see, this sample uses a different kind of evasion, using a rather uncommon file type, a compiled AppleScript, disguised as a PLIST file. This file type won’t have a problem running on a victim’s machine but it is difficult for security teams to analyze because of the inherent obfuscation and limited tooling available.

Running the sample in VMRay gives analysts an immediate view into the key behaviors, characteristics, and IOCs. Within 2 minutes of analysis time, analysts can see a majority of the sample’s behavior, compared to hours of manual reverse engineering. And for deeper analysis, the second and third stages are visible and available from the VMRay Analyzer Report.

 

IOCs

Sample
com.apple.4V.plist

df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8

Second Stage
~/Library/11.png

ff9fa2ee1d42cbde7307c10907470e4950db5085d9cb43c3ade118da9bfe35c3

Third Stage
~/Library/Caches/com.apple.l0/ssl4.plist

97febb1aa15ad7b1c321f056f7164526eb698297e0fea0c23bd127498ba3e9bb

AV Detection Script embedded in First Stage
~/Library/k.plist

0cc04703ae218b0217e1b025de60cec82087e0774eb59b984419949cee5c2173

Contacted URLs

hxxp://www.budaybu100001[.]com:8080
hxxp://budaybu[.]com:8080/budaybu.png
hxxp://ondayon[.]com:8080/ondayon.png (possibly backup URL)
hxxp://budaybu[.]com:8080/ssl.zip
budaybu[.]com:8888 (mining pool address)

List of Queried Processes 

360
Keeper
MacMgr
Lemon
Malware
Avast
Avira
CleanMyMac