
Mac malware uses 'run-only' AppleScripts to evade analysis
2021-01-11 12:33

A cryptocurrency mining campaign targeting macOS is using malware that has evolved into a complex variant that researchers find difficult to analyze.

A recently observed variant makes analysis even more difficult: it embeds a run-only AppleScript into another script and uses URLs in public web pages to download the actual Monero miner.

The malware has been researched in the past [1, 2], but the run-only AppleScript file hindered full analysis, limiting it to observing the behavior of the sample.

PNG. Its purpose is to download the open-source XMR-Stak Monero miner that works on Linux, Windows, and macOS. "The setup script includes pool address, password and other configuration information but no wallet address," the researchers say in a report today, adding that it also uses the "Caffeinate" tool to prevent the machine from entering sleep mode.

According to SentinelOne, the second script is intended to prevent analysis and evade detection.

As SentinelOne demonstrated, the technique is not infallible: researchers have the means to analyze it and to prepare defenses against other malware that may adopt it.


News URL

https://www.bleepingcomputer.com/news/security/mac-malware-uses-run-only-applescripts-to-evade-analysis/