macOS.OSAMiner
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1543 | .001 | 创建或修改系统进程: Launch Agent |
macOS.OSAMiner has placed a Stripped Payloads with a |
| Enterprise | T1059 | .002 | 命令与脚本解释器: AppleScript |
macOS.OSAMiner has used |
| Enterprise | T1562 | .001 | 妨碍防御: Disable or Modify Tools |
macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system's |
| Enterprise | T1027 | .008 | 混淆文件或信息: Stripped Payloads |
macOS.OSAMiner has used run-only Applescripts, a compiled and stripped version of AppleScript, to remove human readable indicators to evade detection.[1] |
| .009 | 混淆文件或信息: Embedded Payloads |
macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads.[1] |
||
| Enterprise | T1082 | 系统信息发现 |
macOS.OSAMiner can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility |
|
| Enterprise | T1569 | .001 | 系统服务: Launchctl |
macOS.OSAMiner has used |
| Enterprise | T1497 | .001 | 虚拟化/沙盒规避: System Checks |
macOS.OSAMiner can parse the output of the native |
| Enterprise | T1105 | 输入工具传输 |
macOS.OSAMiner has used |
|
| Enterprise | T1057 | 进程发现 |
macOS.OSAMiner has used |
|