Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:55 PM

New Tool Sheds Light on AppleScript-Obfuscated Malware

The AEVT decompiler helped researchers analyze a cryptominer campaign that used AppleScript for obfuscation and will help reverse engineers focused on other Mac OS malware.

An effort to reverse-engineer malicious AppleScript has led to the creation of a tool to analyze run-only malware targeting the Mac operating system, undermining a common attacker approach to obfuscating code on the platform.

Cybersecurity firm SentinelOne created the tool, known as the Apple Event (AEVT) decompiler, to analyze a cryptominer campaign that used AppleScript to automated four different stages of the infection chain: a persistence agent, a main script, an anti-analysis script, and a setup script. The AppleScripts used to automate each task were compiled as run-only code, which removes much of the contextual signposts used by static analysis, the SentinelOne analysis states.

Related Content:

Mac Attackers Remain Focused Mainly on Adware, Fooling Users

How Data Breaches Affect the Enterprise

New From The Edge: Cartoon: Shakin' It Up at the Office

The lack of defensive expertise in dealing with malicious AppleScript has allowed attackers to get away with using it without pushback from defenders, says Phil Stokes, a threat researcher with the company.

"Although this miner was seen in the past, it received virtually no attention, and that was largely because researchers were unable to do static analysis on it," he says. "Since then the malware has continued to infect and develop without hindrance."

While Mac users have encountered more threats on a per-device basis than Windows users in the past year, nearly all attacks are either adware or a potentially unwanted program, such as a cryptominer. Yet ordinary AppleScript is increasingly used by malware targeting the MacOS, and run-only compiled AppleScript is becoming more popular, SentinelOne stated in its analysis, published today. 

Attackers targeting Mac developers, for example, used run-only AppleScript in the XCSSET malware that used Trojan Xcode projects to compromise developers' systems. Another malware family, GravityRAT, used AppleScript as part of its infection chain but does not compile it as run-only, Stokes says.

OSAMiner, the program analyzed by SentinelOne researchers using the new AEVT decompiler, has likely escaped notice because of its ability to evade analysis using run-only AppleScripts, he says. The OSAMiner campaign has likely existed for at least five years, he says.

"In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques," SentinelOne researchers stated in the blog post. "Recent versions of macOS.OSAMiner add greater complexity by embedding one run-only AppleScript inside another, further complicating the already difficult process of analysis."

Almost three decades old, AppleScript predates Apple's move to a Unix-like operating system that underpins the modern Mac OS. The scripting language allows programs to automate tasks on the operating system using a more natural language, but the resulting syntax is often complicated and nonintuitive. 

When compiled into a run-only program, AppleScript deletes the source code and information on variables, instead only keeping the internal tokens used by the program itself, which results in obfuscated code. While AppleScript is not commonly used by programmers, threat actors have increasingly adopted it for automating attack chains on Mac OS, says Stokes.

"As it turns out, automating inter-application communication and sidestepping user interaction is a godsend for malware authors," he stated in a March blog post. "What could be more useful than bending popular applications like email clients, web browsers and the Microsoft Office suite to your will without needing to involve the user — aka, in this scenario, the victim?"

SentinelOne's tool builds on a previous project created by a South Korean developer, who created a Python disassembler after reverse-engineering the AppleScript binary. The company's tools takes the disassembled code and translates it into AppleScript source code for easier reading.

The creation of a tool to make AppleScript more analyzable should allow reverse engineers and malware researchers to gain more insight into what attackers are doing, says SentinelOne's Stokes.

"We've made significant progress getting past that hurdle, not just for this malware, but any future run-only AS malware, too, and that's the primary value of what we're publishing today," he says. "It'll be much harder for actors that want to hide behind run-only AppleScripts to hide their code from analysts from now on."

Attackers continue to find ways to get around Apple's security measures, yet they will only do as much work as necessary to compromise a systems, says Stokes.

"Threat actors are clearly responding to Apple's attempts to lockdown the Mac," he says. "But in comparison to Windows malware, and comparing to what's possible to do on a Mac but isn't seen in the wild, Mac malware remains only as sophisticated as it needs to be to work and not as sophisticated as it could be."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...