In our recent post, How Malware Persists on macOS, we discussed the ways that threat actors can ensure that, once they’ve breached a macOS device, their malicious code will survive a logout or device restart. But persistence is only one element of the cyber kill chain, and some threat actors are known to shun persistence in favor of either one-time infections or a reusable vulnerability to remain stealthy. Then there’s the possibility of malware achieving its objectives and cleaning up after itself, effectively aiming to leave without a trace. Clearly, just looking for persistence items isn’t sufficient for threat hunting, so in this post we’ll take a deeper dive into how you can hunt for threats on a macOS device.

How you go about hunting down malware on a macOS endpoint depends a great deal on what access you have to the device and what kind of software is currently running on it. Of course, if you have a SentinelOne-protected Mac, for example, you can do a lot of your hunting right there in the management console or by using the remote shell capability, but for the purposes of this post, we’re going to take an unprotected device and see how we can detect any hidden malware on it. The principles remain the same if you have a protected device, and understanding what and where to look will help you use any threat hunting software you may already have more effectively. The other thing to consider is whether you have access to the device directly, or only via a command line, or only via logs. For the purposes of this exercise, we’re going to assume that you have access to the command line and to any logs that can be pulled from it. The first thing you need to know is what user accounts exist on the Mac.

macOS malware used run-only AppleScripts to avoid detection for five years. The macOS.OSAMiner has been active since 2015, primarily infecting users in Asia. The malware has also evolved recently and has primarily targeted users in China and Asia-Pacific. Security researchers at SentinelOne were able to reverse engineer some samples they collected by using a lesser-known AppleScript disassembler (Jinmo’s applescript-disassembler) and a decompiler tool developed internally. Mac malicious software uses run-only AppleScripts to bypass detection. FADE DEAD: Adventures in Reversing Malicious Run-Only AppleScripts. Read the original article: macOS malware used run-only AppleScripts to avoid detection for five years.

For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware. … payloads and avoid detection thanks to an old technology: the named resource fork.

The Ploutus ATM malware family, first detected in 2013 by Symantec as Backdoor. 10 years of virtual dynamite: A high-level retrospective of ATM malware.