An AppleScript feature designed to compress scripts into pre-compiled form has allowed bad actors to evade security researchers for years. This cryptominer Trojan spread unchecked for some five years.
So-called run-only scripts—what we might today call “bytecode”—are poorly documented and difficult to analyze. So it’s hard to extract indicators of compromise out of malware obfuscated by them.
What can DevOps learn from this? In this week’s Security Blogwatch, we learn lessons (not “learnings”).
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: What everyone really wants.
Legacy bites Apple
What’s the craic? Ionut Ilascu reports—Mac malware uses 'run-only' AppleScripts to evade analysis:
A cryptocurrency mining campaign … is using malware that has evolved into a complex variant giving researchers a lot of trouble analyzing it. [It] has been in the wild since at least 2015. Yet analyzing it is difficult because … it embeds a run-only AppleScript into another script and uses URLs in public web pages to download the actual … payloads.
…
Run-only AppleScript … makes decompiling them into source code a tall order. … Security researchers at SentinelOne … were able to reverse engineer some samples they collected by using a lesser-known AppleScript disassembler (Jinmo’s applescript-disassembler) and a decompiler tool developed internally.
And Catalin Cimpanu adds—macOS malware used run-only AppleScripts to avoid detection for five years:
A sneaky malware operation … used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. Named OSAMiner, the malware has been distributed in the wild since at least 2015.
…
"OSAMiner has been active for a long time and has evolved in recent months," a SentinelOne spokesperson [said]. "It appears to be mostly targeted at Chinese/Asia-Pacific communities."
…
As users installed the [Trojan] software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, and then another final third run-only AppleScript.
Is it hot in here? Phil Stokes the fire—Adventures in Reversing Malicious Run-Only AppleScripts:
OSAMiner is a cryptominer campaign that has resisted full researcher analysis for at least five years. … One of the nice things about AppleScript is not only does it have a magic [number] at the beginning of an AppleScript file it also has one to mark the end of the script: … fa de de ad or FADE DEAD.
…
Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign … shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis. In this case, we have not seen the actor use any of the more powerful features of AppleScript … but that is an attack vector that remains wide open and which many defensive tools are not equipped to handle. In the event that other threat actors begin picking up on the utility of … run-only AppleScripts, we hope this research and the tools discussed above will prove to be of use to analysts.
Hashes and IoCs [click above to read more].
But this Anonymous Coward thinks Phil is hyping it up a bit:
applescript-disassembler has been around for at least four years and it's just one "run only AppleScript" disassembler.
However, nneonneo has more nuance
"Run-only" AppleScript is compiled to a bytecode format that is very poorly documented. … I can't be too surprised that run-only AppleScript ended up as a good malware vector: It's so poorly documented, and there are so few tools to understand it, that it could easily fly under the radar.
Trojans gonna … Troje? 93 Escort Wagon drives it home:
Sounds like if you haven't been pirating software, you don't have to worry about it.
This is Sparta. Push the button, numpad0:
There are people who actively avoid official distribution, thinking … anything should come through a middle man. Diversity is weird.
Wait. Pause. What the heck is a run-only script? Is that like write-only memory? CaptQuark leads a charmed life: [You’re fired—Ed.]
"Run Only" just means it has been processed into a compacted version of the program that isn't easy to edit. It wasn't meant to be easy to read, understand, or edit, thus the name "run only." They could have named it AppleScript Bytecode if you think that's a better phrase.
Oh. I see. Yes, that is a weird moniker. And jandrese agrees:
I thought there was some kind of weird Apple permission thing where you could mark a binary as unreadable but somehow could still be run to evade malware detection. But it seems like this technical article author is just unfamiliar with the concept of compiling.
Meanwhile, what is with wtfiswiththis?
Anyone remember the "Macs don't need antivirus" answer on Apple's FAQ from years ago?
The moral of the story?
What undebuggable, badly documented legacy is hiding in your platform? How could it be misused?
And finally
We all possess this superpower
Trigger warnings: 15th-century painted genitalia, primordial and basic insights, deep truths.
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s zomgsauce: Julian Hochgesang (via Unsplash)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
