
Threat Intelligence

New Tool Sheds Light on AppleScript-Obfuscated Malware

The AEVT decompiler helped researchers analyze a cryptominer campaign that used AppleScript for obfuscation and will help reverse engineers focused on other Mac OS malware.

An effort to reverse-engineer malicious AppleScript has led to the creation of a tool to analyze run-only malware targeting the Mac operating system, undermining a common attacker approach to obfuscating code on the platform.

Cybersecurity firm SentinelOne created the tool, known as the Apple Event (AEVT) decompiler, to analyze a cryptominer campaign that used AppleScript to automate four different stages of the infection chain: a persistence agent, a main script, an anti-analysis script, and a setup script. The AppleScripts used to automate each task were compiled as run-only code, which removes many of the contextual signposts static analysis relies on, the SentinelOne analysis states.

The lack of defensive expertise in dealing with malicious AppleScript has allowed attackers to get away with using it without pushback from defenders, says Phil Stokes, a threat researcher with the company.

"Although this miner was seen in the past, it received virtually no attention, and that was largely because researchers were unable to do static analysis on it," he says. "Since then the malware has continued to infect and develop without hindrance."

While Mac users have encountered more threats on a per-device basis than Windows users in the past year, nearly all attacks are either adware or a potentially unwanted program, such as a cryptominer. Yet ordinary AppleScript is increasingly used by malware targeting the MacOS, and run-only compiled AppleScript is becoming more popular, SentinelOne stated in its analysis, published today. 

Attackers targeting Mac developers, for example, used run-only AppleScript in the XCSSET malware that used Trojan Xcode projects to compromise developers' systems. Another malware family, GravityRAT, used AppleScript as part of its infection chain but does not compile it as run-only, Stokes says.

OSAMiner, the program analyzed by SentinelOne researchers using the new AEVT decompiler, has likely escaped notice because of its ability to evade analysis using run-only AppleScripts, he says. The OSAMiner campaign has likely existed for at least five years, he says.

"In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques," SentinelOne researchers stated in the blog post. "Recent versions of macOS.OSAMiner add greater complexity by embedding one run-only AppleScript inside another, further complicating the already difficult process of analysis."

Almost three decades old, AppleScript predates Apple's move to a Unix-like operating system that underpins the modern Mac OS. The scripting language allows programs to automate tasks on the operating system using a more natural language, but the resulting syntax is often complicated and nonintuitive. 

Compiling an AppleScript as run-only strips the source code and variable names, keeping only the internal tokens the interpreter needs to execute it, which leaves analysts with effectively obfuscated code. While AppleScript is not commonly used by programmers, threat actors have increasingly adopted it for automating attack chains on Mac OS, says Stokes.
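As an added illustration, and not SentinelOne's tool or code from this article, the following triage helper finds compiled AppleScript that a LaunchAgent hands to osascript, checks for the compiled-script magic header, and asks macOS's osadecompile whether the source can still be recovered (it fails on run-only scripts). The sample plist, paths and script bytes are constructed, and the LaunchAgent layout is an assumption about how a persistence agent might invoke a compiled script, not a detail taken from the article.

```python
"""Triage helper for persistence agents that launch compiled AppleScript.

Added example, not SentinelOne's tool. The plist and script bytes below are
constructed; the LaunchAgent layout is an assumption, not an article detail."""
import plistlib
import shutil
import subprocess

FASDUAS_MAGIC = b"FasdUAS"  # header at the start of compiled AppleScript data


def is_compiled_applescript(data: bytes) -> bool:
    """True when the bytes carry the compiled-AppleScript magic header."""
    return data.startswith(FASDUAS_MAGIC)


def osascript_targets(plist_bytes: bytes) -> list:
    """Return the script paths a LaunchAgent plist hands to osascript."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments", [])
    if not args or not args[0].endswith("osascript"):
        return []
    # Everything after the interpreter that is not a flag is a script path.
    return [a for a in args[1:] if not a.startswith("-")]


def source_recoverable(script_path: str):
    """Ask macOS's osadecompile for the source; run-only scripts make it fail.
    Returns None when osadecompile is unavailable (non-macOS host)."""
    if shutil.which("osadecompile") is None:
        return None
    proc = subprocess.run(["osadecompile", script_path], capture_output=True)
    return proc.returncode == 0


# Constructed sample LaunchAgent: RunAtLoad + osascript + a hidden .scpt file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.agent</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/osascript</string>
<string>/Users/Shared/.helper.scpt</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
# Constructed bytes standing in for the first bytes of a compiled script.
SAMPLE_SCRIPT = b"FasdUAS 1.101.10\x0e\x00\x00\x00\x04\x0f"

if __name__ == "__main__":
    for path in osascript_targets(SAMPLE_PLIST):
        print(path, "compiled:", is_compiled_applescript(SAMPLE_SCRIPT))
```

On a real host you would read the bytes of each returned path and call source_recoverable on it; a compiled script whose source osadecompile cannot recover is the run-only case the article describes.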

"As it turns out, automating inter-application communication and sidestepping user interaction is a godsend for malware authors," he stated in a March blog post. "What could be more useful than bending popular applications like email clients, web browsers and the Microsoft Office suite to your will without needing to involve the user — aka, in this scenario, the victim?"

SentinelOne's tool builds on a previous project created by a South Korean developer, who wrote a Python disassembler after reverse-engineering the compiled AppleScript binary format. The company's tool takes the disassembled code and translates it back into AppleScript source code for easier reading.

The creation of a tool to make AppleScript more analyzable should allow reverse engineers and malware researchers to gain more insight into what attackers are doing, says SentinelOne's Stokes.

"We've made significant progress getting past that hurdle, not just for this malware, but any future run-only AS malware, too, and that's the primary value of what we're publishing today," he says. "It'll be much harder for actors that want to hide behind run-only AppleScripts to hide their code from analysts from now on."

Attackers continue to find ways to get around Apple's security measures, yet they will only do as much work as necessary to compromise a system, says Stokes.

"Threat actors are clearly responding to Apple's attempts to lock down the Mac," he says. "But in comparison to Windows malware, and comparing to what's possible to do on a Mac but isn't seen in the wild, Mac malware remains only as sophisticated as it needs to be to work and not as sophisticated as it could be."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
