Cryptocurrency Miner Targeted macOS Users for Over 5 Years
For years, macOS computers were exploited by cybercriminals for covert cryptocurrency mining. According to cybersecurity researchers at SentinelOne, the OSAMiner malware avoided detection for five years.
How OSAMiner Spread
The malicious software, known as OSAMiner, appeared online no later than 2015. It was distributed hidden inside pirated (cracked) games and other software, including League of Legends and Microsoft Office for Mac.
Geographic Focus and Early Discoveries
Available data indicates that OSAMiner primarily targeted China and the Asia-Pacific region. Its activity did not go entirely unnoticed: in August and September 2018, two Chinese firms discovered and analyzed older versions of OSAMiner. However, their reports did not give a complete picture of OSAMiner's capabilities, according to Phil Stokes, a macOS malware researcher at SentinelOne.
Why OSAMiner Was Hard to Detect
SentinelOne's research explains why analysis was so difficult. OSAMiner loads its code in stages, using composite (nested) AppleScript files compiled as run-only. A run-only AppleScript is compiled without its source text, so the control script can be launched, including as an application, but cannot be opened in edit mode; its source code therefore stays hidden from anyone examining the file.
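As an added illustration (not SentinelOne's tooling and not code from the original article), here is a small Python triage heuristic for compiled AppleScript files. It assumes the b"FasdUAS" magic that compiled scripts begin with, and the heuristic that an editable script still exposes AppleScript keywords as printable strings while a run-only script (source stripped) does not; the keyword lists and the sample bytes are constructed.

```python
"""Heuristic triage for compiled AppleScript (.scpt) files.
Added example, not SentinelOne's code. Assumptions: compiled scripts
start with b"FasdUAS"; editable scripts still embed readable source
keywords, run-only scripts do not; keyword lists are our own choices."""
import re

APPLESCRIPT_MAGIC = b"FasdUAS"
# Keywords expected when the editable source text is still embedded.
SOURCE_KEYWORDS = (b"tell application", b"on run", b"end tell", b"set ")
# Strings suggesting the script launches further scripts or shell commands,
# the staged-loading pattern the article describes.
LOADER_KEYWORDS = (b"run script", b"osascript", b"do shell script")

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII, like the `strings` utility."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage_script(data: bytes) -> dict:
    """Classify a file: compiled AppleScript? source stripped? loader strings?"""
    blob = b"\n".join(printable_strings(data))
    is_compiled = data.startswith(APPLESCRIPT_MAGIC)
    has_source = any(k in blob for k in SOURCE_KEYWORDS)
    loader_hits = sorted({k.decode() for k in LOADER_KEYWORDS if k in blob})
    return {
        "compiled_applescript": is_compiled,
        "likely_run_only": is_compiled and not has_source,
        "loader_strings": loader_hits,
        "suspicious": is_compiled and not has_source and bool(loader_hits),
    }

# Constructed samples (not real malware): an editable script with source
# text, and a run-only-style blob that only leaks loader strings.
EDITABLE_SAMPLE = (APPLESCRIPT_MAGIC + b" 1.101.10\x00\x00" +
    b"tell application \"Finder\"\n\tdisplay dialog \"hi\"\nend tell\n")
RUN_ONLY_SAMPLE = (APPLESCRIPT_MAGIC + b" 1.101.10\x00\x01\x02\x03" +
    b"\x00\x7f\x10run script\x00\x05\x06osascript\x00")

if __name__ == "__main__":
    for name, sample in (("editable", EDITABLE_SAMPLE),
                         ("run-only", RUN_ONLY_SAMPLE)):
        print(name, triage_script(sample))
```

Point `triage_script` at the bytes of any file to get a quick yes/no on "compiled AppleScript with no recoverable source that also references script launchers", which is a useful first filter before deeper analysis.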
Improving macOS Security
Stokes and the SentinelOne team hope that by publishing the full attack chain and indicators of compromise (IOCs) for both old and new versions of OSAMiner, they will help macOS security vendors detect such attacks and protect macOS users.