Skip to content

S1048 macOS.OSAMiner

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.12

Item Value
ID S1048
Associated Names
Version 1.0
Created 04 October 2022
Last Modified 19 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.002 AppleScript macOS.OSAMiner has used osascript to call itself via the do shell script command in the Launch Agent .plist file.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent macOS.OSAMiner has placed a Stripped Payloads with a plist extension in the Launch Agent‘s folder. 1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system’s install.log for apps matching its hardcoded list, killing all matching process names.1
enterprise T1105 Ingress Tool Transfer macOS.OSAMiner has used curl to download a Stripped Payloads from a public facing adversary-controlled webpage.
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.008 Stripped Payloads macOS.OSAMiner has used run-only Applescripts, a compiled and stripped version of AppleScript, to remove human readable indicators to evade detection.1
enterprise T1027.009 Embedded Payloads macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads.1
enterprise T1057 Process Discovery macOS.OSAMiner has used ps ax | grep <name> | grep -v grep | ... and ps ax | grep -E... to conduct process discovery.1
enterprise T1082 System Information Discovery macOS.OSAMiner can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility df.1
enterprise T1569 System Services -
enterprise T1569.001 Launchctl macOS.OSAMiner has used launchctl to restart the Launch Agent.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks macOS.OSAMiner can parse the output of the native system_profiler tool to determine if the machine is running with 4 cores.1