S1048 macOS.OSAMiner
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[1][2]
Item | Value |
---|---|
ID | S1048 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 04 October 2022 |
Last Modified | 19 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.002 | AppleScript | macOS.OSAMiner has used `osascript` to call itself via the `do shell script` command in the Launch Agent .plist file.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.001 | Launch Agent | macOS.OSAMiner has placed a Stripped Payload with a .plist extension in the Launch Agent's folder.[1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and killed the process if it was running. macOS.OSAMiner has also searched the operating system's install.log for apps matching its hardcoded list, killing all matching process names.[1] |
enterprise | T1105 | Ingress Tool Transfer | macOS.OSAMiner has used `curl` to download a Stripped Payload from a public-facing adversary-controlled webpage. |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.008 | Stripped Payloads | macOS.OSAMiner has used run-only AppleScripts, a compiled and stripped form of AppleScript, to remove human-readable indicators and evade detection.[1] |
enterprise | T1027.009 | Embedded Payloads | macOS.OSAMiner has embedded a Stripped Payload within another run-only Stripped Payload.[1] |
enterprise | T1057 | Process Discovery | macOS.OSAMiner has used `ps ax \| grep <name> \| grep -v grep \| ...` and `ps ax \| grep -E...` to conduct process discovery.[1] |
enterprise | T1082 | System Information Discovery | macOS.OSAMiner can gather the device serial number and has checked that there is enough disk space using the Unix utility `df`.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.001 | Launchctl | macOS.OSAMiner has used `launchctl` to restart the Launch Agent.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | macOS.OSAMiner can parse the output of the native `system_profiler` tool to determine whether the machine is running with 4 cores.[1] |
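A defender-side hunt for the Launch Agent pattern this entry describes (T1059.002 and T1543.001: a LaunchAgent plist whose ProgramArguments run `osascript`, with the run-only payload stored under a .plist extension), written as an added example that is not part of the ATT&CK entry or the malware's code. The sample plists, labels and paths are constructed for the example; the real-directory scan in the `__main__` block is a hypothetical usage.

```python
import os
import plistlib
from xml.parsers.expat import ExpatError

def suspicious_indicators(plist_bytes: bytes) -> list:
    """Return indicator strings for one Launch Agent plist (empty list = nothing found)."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]
    if not isinstance(data, dict):
        return ["top-level object is not a dict"]
    args = [str(a) for a in data.get("ProgramArguments") or []]
    findings = []
    # The entry's T1059.002 row: the agent launches osascript directly.
    if args and os.path.basename(args[0]) == "osascript":
        findings.append("launches osascript")
        # T1543.001 row: a run-only script dropped with a .plist extension.
        for arg in args[1:]:
            if arg.lower().endswith(".plist"):
                findings.append("osascript argument has .plist extension: " + arg)
    if findings and data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("persistent (RunAtLoad + KeepAlive)")
    return findings

def scan_launch_agents(directory: str) -> dict:
    """Scan every .plist in a LaunchAgents folder; return {path: indicators}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".plist") and os.path.isfile(path):
            with open(path, "rb") as fh:
                hits = suspicious_indicators(fh.read())
            if hits:
                results[path] = hits
    return results

# Constructed samples: hypothetical labels and paths, not indicators from the entry.
SAMPLE_MALICIOUS = plistlib.dumps({"Label": "com.example.agent", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/usr/bin/osascript", "/Users/Shared/com.example.agent.plist"]})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.sync", "RunAtLoad": True,
    "ProgramArguments": ["/usr/local/bin/sync"]})

if __name__ == "__main__":
    agents_dir = os.path.expanduser("~/Library/LaunchAgents")  # hypothetical usage on a real host
    if os.path.isdir(agents_dir):
        for path, hits in scan_launch_agents(agents_dir).items():
            print(path, "->", "; ".join(hits))
```

A plain `osascript` launch is not malicious on its own; the combination with a .plist-named script argument and RunAtLoad/KeepAlive is what matches this entry.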