

12:55 PM

New Tool Sheds Light on AppleScript-Obfuscated Malware

The AEVT decompiler helped researchers analyze a cryptominer campaign that used AppleScript for obfuscation and will help reverse engineers focused on other Mac OS malware.

An effort to reverse-engineer malicious AppleScript has led to the creation of a tool to analyze run-only malware targeting the Mac operating system, undermining a common attacker approach to obfuscating code on the platform.

Cybersecurity firm SentinelOne created the tool, known as the Apple Event (AEVT) decompiler, to analyze a cryptominer campaign that used AppleScript to automate four different stages of the infection chain: a persistence agent, a main script, an anti-analysis script, and a setup script. The AppleScripts used to automate each task were compiled as run-only code, which removes many of the contextual signposts used by static analysis, the SentinelOne analysis states.


The lack of defensive expertise in dealing with malicious AppleScript has allowed attackers to get away with using it without pushback from defenders, says Phil Stokes, a threat researcher with the company.

"Although this miner was seen in the past, it received virtually no attention, and that was largely because researchers were unable to do static analysis on it," he says. "Since then the malware has continued to infect and develop without hindrance."

While Mac users have encountered more threats on a per-device basis than Windows users in the past year, nearly all attacks are either adware or a potentially unwanted program, such as a cryptominer. Yet ordinary AppleScript is increasingly used by malware targeting the MacOS, and run-only compiled AppleScript is becoming more popular, SentinelOne stated in its analysis, published today. 

Attackers targeting Mac developers, for example, used run-only AppleScript in the XCSSET malware that used Trojan Xcode projects to compromise developers' systems. Another malware family, GravityRAT, used AppleScript as part of its infection chain but does not compile it as run-only, Stokes says.

OSAMiner, the program analyzed by SentinelOne researchers using the new AEVT decompiler, has likely escaped notice because of its ability to evade analysis using run-only AppleScripts, he says. The OSAMiner campaign has likely existed for at least five years, he says.

"In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques," SentinelOne researchers stated in the blog post. "Recent versions of macOS.OSAMiner add greater complexity by embedding one run-only AppleScript inside another, further complicating the already difficult process of analysis."

Almost three decades old, AppleScript predates Apple's move to a Unix-like operating system that underpins the modern Mac OS. The scripting language allows programs to automate tasks on the operating system using a more natural language, but the resulting syntax is often complicated and nonintuitive. 

When a script is compiled as run-only, the AppleScript compiler discards the source text and the information about variables, keeping only the internal tokens the program itself needs, which leaves the result obfuscated. While AppleScript is not commonly used by programmers, threat actors have increasingly adopted it for automating attack chains on Mac OS, says Stokes.
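A defender-side triage helper, added here as an example and not part of SentinelOne's decompiler or the original article: it locates compiled AppleScript files by their `FasdUAS` magic header and, where macOS's built-in `osadecompile` is available, records whether source can be recovered from each one. Treating an `osadecompile` failure as a run-only indicator is an assumption of this example (a run-only script has no source for the tool to return), the sample directory it builds is constructed, and the function names and paths are illustrative.

```python
"""Triage compiled AppleScript files and flag ones that may be run-only.

Added example; not SentinelOne's AEVT decompiler. Assumptions are marked below.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Compiled AppleScript (.scpt, and scripts bundled inside apps) begins with this
# magic followed by a version string, e.g. b"FasdUAS 1.101.10".
APPLESCRIPT_MAGIC = b"FasdUAS"

SOURCE_RECOVERED = "source-recovered"          # osadecompile returned source text
SUSPECTED_RUN_ONLY = "suspected-run-only"      # osadecompile failed (assumption: no source stored)
TOOL_UNAVAILABLE = "osadecompile-unavailable"  # not on macOS or tool missing


def is_compiled_applescript(data: bytes) -> bool:
    """Return True when the first bytes carry the compiled-AppleScript magic."""
    return data.startswith(APPLESCRIPT_MAGIC)


def decompile_status(path: Path) -> str:
    """Ask osadecompile for source; classify the outcome.

    Assumption for this example: a run-only script makes osadecompile fail,
    because the source text was stripped at compile time.
    """
    if shutil.which("osadecompile") is None:
        return TOOL_UNAVAILABLE
    proc = subprocess.run(["osadecompile", str(path)], capture_output=True, text=True)
    if proc.returncode == 0 and proc.stdout.strip():
        return SOURCE_RECOVERED
    return SUSPECTED_RUN_ONLY


def triage(root: Path) -> dict:
    """Walk `root`, keep only compiled AppleScript files, and record a verdict per file."""
    results = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            head = fh.read(len(APPLESCRIPT_MAGIC))
        if not is_compiled_applescript(head):
            continue
        results[str(p)] = decompile_status(p)
    return results


def build_sample_dir() -> Path:
    """Create a constructed sample tree: one fake compiled script, one plain text file."""
    root = Path(tempfile.mkdtemp(prefix="scpt-triage-"))
    # Constructed bytes: the real magic and version string, then filler, not a real script.
    (root / "agent.scpt").write_bytes(b"FasdUAS 1.101.10" + b"\x00" * 32)
    (root / "notes.txt").write_text("not a compiled script\n")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for path, verdict in triage(sample).items():
        print(f"{verdict:26} {path}")
```

Run it on a directory such as `~/Library/LaunchAgents` or an extracted app bundle to list every compiled AppleScript and which ones refused to give up source; those are the candidates to hand to a disassembler or decompiler rather than a text editor.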

"As it turns out, automating inter-application communication and sidestepping user interaction is a godsend for malware authors," he stated in a March blog post. "What could be more useful than bending popular applications like email clients, web browsers and the Microsoft Office suite to your will without needing to involve the user — aka, in this scenario, the victim?"

SentinelOne's tool builds on a previous project created by a South Korean developer, who wrote a Python disassembler after reverse-engineering the AppleScript binary format. The company's tool takes the disassembled code and translates it into AppleScript source code for easier reading.

The creation of a tool to make AppleScript more analyzable should allow reverse engineers and malware researchers to gain more insight into what attackers are doing, says SentinelOne's Stokes.

"We've made significant progress getting past that hurdle, not just for this malware, but any future run-only AS malware, too, and that's the primary value of what we're publishing today," he says. "It'll be much harder for actors that want to hide behind run-only AppleScripts to hide their code from analysts from now on."

Attackers continue to find ways to get around Apple's security measures, yet they will only do as much work as necessary to compromise a system, says Stokes.

"Threat actors are clearly responding to Apple's attempts to lockdown the Mac," he says. "But in comparison to Windows malware, and comparing to what's possible to do on a Mac but isn't seen in the wild, Mac malware remains only as sophisticated as it needs to be to work and not as sophisticated as it could be."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
