Acronis Cyber Protect is not affected by this functionality and will keep you protected. Specifically, the Activity Monitor app, and common anti-malware applications are killed using this function. While the encode and decode functions from the parent file are present, as is the nameless 'main' function, one of the most notable changes is the 'kPro' function, which is there to kill processes.
#Malware used runonly avoid for five code
SHA-256: df550039acad9e637c7c3ec2a629abf8b3f35faca18e58d447f490cf23f114e8 OSAMiner - code capture 2Īt this point, we have everything we need to review the embedded run-only AppleScript, which is the newest change to OSAMiner.
#Malware used runonly avoid for five full
This logic has been utilized in a decompiler that allows a final full review of the files used in this malware. It is called several times throughout the script, and is used to deobfuscate hex strings throughout the script. One of the most interesting functions found right away is the decoding function built into the script. Now that we have both the parent script and the embedded script, we can work on disassembling them, to see what each does. This is a new trick for OSAMiner, compared to previous versions we have seen, and makes automated analysis of the malware even more difficult.
That, combined with the knowledge of Apple's magic strings at the beginning and end of an AppleScript, allow us to identify the second run-only AppleScript hidden in this file. This file is a little more difficult to analyze, however, a little digging will uncover some hex code in this file. This line is using do shell script to call the com.apple.4V.plist script in the ~/Library/LaunchAgents/ directory.Īs it turns out, com.apple.4V.plist is not a Property List file, but a run-only AppleScript file. However, line 13 is what is especially interesting in this script, because it starts us down the path to truly analyzing this malware. The repeated use of osascript is highly unusual, which draws attention here, and also gives us the name OSAMiner as this is using Open Scripting Architecture scripts to accomplish its goals. The array in lines 10-14 is very telling. This file is simple, but gives away a key file used in these cryptojacking attacks. plist file extension, only one is a legitimate Property List file, so we'll start there. While several of the files associated with OSAMiner are Property List files, with the.
Analysis of the Embedded Run-Only AppleScript
0 kommentar(er)
