Dark Reading is part of the Informa Tech Division of Informa PLC

New Tool Sheds Light on AppleScript-Obfuscated Malware

The AEVT decompiler helped researchers analyze a cryptominer campaign that used run-only AppleScript for obfuscation, and it will help reverse engineers working on other macOS malware.

An effort to reverse-engineer malicious AppleScript has led to a tool for analyzing run-only AppleScript malware targeting macOS, undermining a common technique attackers use to obfuscate code on the platform.

Cybersecurity firm SentinelOne created the tool, known as the Apple Event (AEVT) decompiler, to analyze a cryptominer campaign that used AppleScript to automate four stages of its infection chain: a persistence agent, a main script, an anti-analysis script, and a setup script. Each of those AppleScripts was compiled as run-only, which strips most of the contextual signposts that static analysis relies on, the SentinelOne analysis states.

The lack of defensive expertise in dealing with malicious AppleScript has let attackers use it without pushback from defenders, says Phil Stokes, a threat researcher with the company.

"Although this miner was seen in the past, it received virtually no attention, and that was largely because researchers were unable to do static analysis on it," he says. "Since then the malware has continued to infect and develop without hindrance."

While Mac users encountered more threats per device than Windows users in the past year, nearly all of those threats were adware or potentially unwanted programs, such as cryptominers. Yet ordinary AppleScript is increasingly used by malware targeting macOS, and run-only compiled AppleScript is becoming more popular, SentinelOne stated in its analysis, published today.

Attackers targeting Mac developers, for example, used run-only AppleScript in the XCSSET malware, which spread through trojanized Xcode projects to compromise developers' systems. Another malware family, GravityRAT, used AppleScript as part of its infection chain but did not compile it as run-only, Stokes says.

OSAMiner, the program SentinelOne researchers analyzed with the new AEVT decompiler, has likely escaped notice because its run-only AppleScripts resisted analysis, Stokes says. The OSAMiner campaign has likely existed for at least five years, he adds.

"In late 2020, we discovered that the malware authors, presumably building on their earlier success in evading full analysis, had continued to develop and evolve their techniques," SentinelOne researchers stated in the blog post. "Recent versions of macOS.OSAMiner add greater complexity by embedding one run-only AppleScript inside another, further complicating the already difficult process of analysis."

Almost three decades old, AppleScript predates Apple's move to the Unix-like foundation that underpins modern macOS. The scripting language lets programs automate tasks across the operating system using an English-like syntax, but the resulting code is often verbose and unintuitive.

When a script is compiled as run-only (the `-x` option of `osacompile`), the source text and the symbolic information a decompiler would need to regenerate it are discarded; only the internal representation the interpreter needs to execute the script is kept, so stock tools such as `osadecompile` cannot recover readable source, and the result is effectively obfuscated. While AppleScript is not commonly used by programmers, threat actors have increasingly adopted it for automating attack chains on macOS, Stokes says.
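As an added example, not part of the SentinelOne analysis or its tooling, the Python below does the first-pass triage an analyst can perform on a suspect .scpt before reaching for a decompiler: it recognises compiled AppleScript by its "FasdUAS" signature, carves a second compiled script embedded inside the first (the nesting described for recent OSAMiner versions), and pulls printable strings to pivot on. The sample blob, the LaunchAgent path inside it, and the end-of-blob carving heuristic are constructed for the example; the signature alone does not distinguish a run-only script from a normal compiled one, and the helper does not parse the container's real length fields.

```python
"""Triage helper for compiled AppleScript (.scpt) blobs.

Added example for this article; it is not SentinelOne's AEVT decompiler nor
the disassembler it builds on.  Compiled AppleScript (run-only or not) starts
with the ASCII signature "FasdUAS", so the signature identifies the container
but does not by itself say whether the script is run-only.
"""
import re
from dataclasses import dataclass, field
from typing import List

APPLESCRIPT_MAGIC = b"FasdUAS"


@dataclass
class ScptReport:
    is_compiled_applescript: bool
    nested_offsets: List[int] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def find_signatures(blob: bytes) -> List[int]:
    """Offsets of every FasdUAS header; offset 0 is the outer script."""
    return [m.start() for m in re.finditer(re.escape(APPLESCRIPT_MAGIC), blob)]


def carve_nested(blob: bytes) -> List[bytes]:
    """Return each embedded compiled script as its own byte string.

    Heuristic (an assumption of this example, not the real format): an
    embedded script runs from its header to the next header or end of blob.
    The genuine container has length fields this helper does not parse."""
    offsets = find_signatures(blob)
    carved = []
    for i in range(1, len(offsets)):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(blob)
        carved.append(blob[offsets[i]:end])
    return carved


def printable_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """ASCII runs of at least min_len bytes: paths, URLs and shell fragments
    often survive run-only compilation even when variable names do not."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def triage(blob: bytes) -> ScptReport:
    """Flag compiled AppleScript, report nested scripts, and extract strings."""
    if not blob.startswith(APPLESCRIPT_MAGIC):
        return ScptReport(False)
    return ScptReport(True, find_signatures(blob)[1:], printable_strings(blob))


# Constructed sample, not a real OSAMiner artefact: outer header, filler,
# then a second header standing in for an embedded run-only script.
INNER_SCRIPT = (APPLESCRIPT_MAGIC + b" 1.101.10" + b"\x00" * 8
                + b"/Library/LaunchAgents/com.example.agent.plist" + b"\x00" * 4)
SAMPLE_SCPT = (APPLESCRIPT_MAGIC + b" 1.101.10" + b"\x00\x01\x02"
               + b"osascript -e" + b"\x00" * 6 + INNER_SCRIPT)

if __name__ == "__main__":
    report = triage(SAMPLE_SCPT)
    print("compiled AppleScript:", report.is_compiled_applescript)
    print("embedded scripts at:", report.nested_offsets)
    for s in report.strings:
        print("  string:", s)
    for chunk in carve_nested(SAMPLE_SCPT):
        print("carved", len(chunk), "bytes, starts with", chunk[:16])
```

Run it against a real sample by replacing `SAMPLE_SCPT` with the file's bytes; each carved chunk can then be written out and handed to a decompiler separately, which is the point of unpicking the nesting first.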

"As it turns out, automating inter-application communication and sidestepping user interaction is a godsend for malware authors," he stated in a March blog post. "What could be more useful than bending popular applications like email clients, web browsers and the Microsoft Office suite to your will without needing to involve the user — aka, in this scenario, the victim?"

SentinelOne's tool builds on an earlier project by a South Korean developer, who wrote a Python disassembler after reverse-engineering the compiled AppleScript format. SentinelOne's tool, published on GitHub as aevt_decompile, takes that disassembly and translates it back into AppleScript source for easier reading.

A tool that makes run-only AppleScript analyzable should give reverse engineers and malware researchers more insight into what attackers are doing, Stokes says.

"We've made significant progress getting past that hurdle, not just for this malware, but any future run-only AS malware, too, and that's the primary value of what we're publishing today," he says. "It'll be much harder for actors that want to hide behind run-only AppleScripts to hide their code from analysts from now on."

Attackers continue to find ways around Apple's security measures, but they do only as much work as is necessary to compromise a system, Stokes says.

"Threat actors are clearly responding to Apple's attempts to lock down the Mac," he says. "But in comparison to Windows malware, and comparing to what's possible to do on a Mac but isn't seen in the wild, Mac malware remains only as sophisticated as it needs to be to work and not as sophisticated as it could be."
