An effort to reverse-engineer malicious AppleScript has led to the creation of a tool to analyze run-only malware targeting the Mac operating system, undermining a common attacker approach to obfuscating code on the platform.
Cybersecurity firm SentinelOne created the tool, known as the Apple Event (AEVT) decompiler, to analyze a cryptominer campaign that used AppleScript to automated four different stages of the infection chain: a persistence agent, a main script, an anti-analysis script, and a setup script. The AppleScripts used to automate each task were compiled as run-only code, which removes much of the contextual signposts used by static analysis, the SentinelOne analysis states.
The lack of defensive expertise in dealing with malicious AppleScript has allowed attackers to get away with using it without pushback from defenders, says Phil Stokes, a threat researcher with the company.
"Although this miner was seen in the past, it received virtually no attention, and that was largely because researchers were unable to do static analysis on it," he says. "Since then the malware has continued to infect and develop without hindrance."
While Mac users have encountered more threats on a per-device basis than Windows users in the past year, nearly all attacks are either adware or a potentially unwanted program, such as a cryptominer. Yet ordinary AppleScript is increasingly used by malware targeting the MacOS, and run-only compiled AppleScript is becoming more popular, SentinelOne stated in its analysis, published today.
Attackers targeting Mac developers, for example, used run-only AppleScript in the XCSSET malware that used Trojan Xcode projects to compromise developers' systems. Another malware family, GravityRAT, used AppleScript as part of its infection chain but does not compile it as run-only, Stokes says.
OSAMiner, the program analyzed by SentinelOne researchers using the new AEVT decompiler, has likely escaped notice because of its ability to evade analysis using run-only AppleScripts, he says. The OSAMiner campaign has likely existed for at least five years, he says.
"In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques," SentinelOne researchers stated in the blog post. "Recent versions of macOS.OSAMiner add greater complexity by embedding one run-only AppleScript inside another, further complicating the already difficult process of analysis."
Almost three decades old, AppleScript predates Apple's move to a Unix-like operating system that underpins the modern Mac OS. The scripting language allows programs to automate tasks on the operating system using a more natural language, but the resulting syntax is often complicated and nonintuitive.
When compiled into a run-only program, AppleScript deletes the source code and information on variables, instead only keeping the internal tokens used by the program itself, which results in obfuscated code. While AppleScript is not commonly used by programmers, threat actors have increasingly adopted it for automating attack chains on Mac OS, says Stokes.
"As it turns out, automating inter-application communication and sidestepping user interaction is a godsend for malware authors," he stated in a March blog post. "What could be more useful than bending popular applications like email clients, web browsers and the Microsoft Office suite to your will without needing to involve the user — aka, in this scenario, the victim?"
SentinelOne's tool builds on a previous project created by a South Korean developer, who created a Python disassembler after reverse-engineering the AppleScript binary. The company's tools takes the disassembled code and translates it into AppleScript source code for easier reading.
The creation of a tool to make AppleScript more analyzable should allow reverse engineers and malware researchers to gain more insight into what attackers are doing, says SentinelOne's Stokes.
"We've made significant progress getting past that hurdle, not just for this malware, but any future run-only AS malware, too, and that's the primary value of what we're publishing today," he says. "It'll be much harder for actors that want to hide behind run-only AppleScripts to hide their code from analysts from now on."
Attackers continue to find ways to get around Apple's security measures, yet they will only do as much work as necessary to compromise a systems, says Stokes.
"Threat actors are clearly responding to Apple's attempts to lockdown the Mac," he says. "But in comparison to Windows malware, and comparing to what's possible to do on a Mac but isn't seen in the wild, Mac malware remains only as sophisticated as it needs to be to work and not as sophisticated as it could be."