![malware used runonly applescripts to avoid malware used runonly applescripts to avoid](https://cdn.ithinkdiff.com/wp-content/uploads/2021/01/OSAMiner-600x314.jpg)
- Malware used runonly applescripts to avoid how to#
- Malware used runonly applescripts to avoid drivers#
- Malware used runonly applescripts to avoid update#
- Malware used runonly applescripts to avoid software#
- Malware used runonly applescripts to avoid code#
A clear signal about this is that criminals stole the certificate’s private key of SolarWinds, they signed the malicious DLL and replaced it in the official repository.įigure 5: Malicious DLL digitally signed by SolarWinds Worldwide, LLC. In addition, the backdoor tries to disable security processes by changing its registry keys, evading specific endpoint security measures and also impersonating trusted network entities.
![malware used runonly applescripts to avoid malware used runonly applescripts to avoid](https://lankadevelopers.com/assets/uploads/files/1551072685905-1807f859-63c9-4a00-9c6e-a449493f2892-image.png)
Malware used runonly applescripts to avoid code#
If any hardcoded process is detected, the malware execution is terminated.įigure 4: Block of code responsible for detecting target process names during the SUNBURST execution.
Malware used runonly applescripts to avoid drivers#
To accomplish this task, the malicious code checks, in a loop, the existence of specific drivers and processes on the target machines during the backdoor execution. The backdoor waits 12-14 days before sending its first ping to the C2 server, a clear sign the main goal of criminals is putting the backdoor away from the eyes of the threat detection platforms and endpoint agents such as antivirus. In the first place, when installed on the target machine,
Malware used runonly applescripts to avoid how to#
This “step” is something always in the mind of criminals: how to evade detection.
![malware used runonly applescripts to avoid malware used runonly applescripts to avoid](https://www.vmray.com/wp-content/uploads/2021/05/macOS.OSAMINER-Second-Stage_curl.png)
Some examples of FQDNs queried by SUNBURST can be observed below and are also available on GitHub:įigure 3: FQDNs queried by SUNBURST during its execution. Figure 2 below presents part of the code with the malicious implementation of the DGA algorithm.įigure 2: Process used by SUNBURST backdoor to generate the C2 address ( source ). After establishing the communication it the C2 server, the backdoor tries to mimic the legitimate SolarWinds OIP (Orion Improvement Program) communication to masquerade its activity and, thus, bypassing and evading security appliance and monitoring systems. SUNBURST uses a custom domain generation algorithm (DGA) to determine the IP address of its C2 server.
Malware used runonly applescripts to avoid update#
The first connection with the C2 serverĪfter the update and the first communication with the C2 server, some basic information is sent, including the computer username, IP address and OS version in order to determine if the machine is able to be explored, and also to prevent a second infection. With this behavior in place, detecting and relating it with malicious purposes is harder from the security point of view.
Malware used runonly applescripts to avoid software#
The problem starts at this point, and criminals, knowing the typical modus operandi of antivirus software, are using this approach to disseminate malware in the wild.Ĭriminals were able to modify the software and add a malicious backdoor inside the SolarWinds Orion plugin DLL called “.dll” as observed in Figure 1 below.įigure 1: DLL call modified by criminals to introduce the malicious code (backdoor).Īs observed, the backdoor waits 12-14 days before sending its first ping to the C2 server, a technique utilized to evade detection on the network layer. As the package was digitally signed by SolarWinds, it is seen as trusted software and deployed in their internal networks, bypassing EDR systems and antivirus by default. The backdoored package was delivered to SolarWinds customers. This piece of malware was delivered in the form of a Windows DLL file (.dll), implanted on the SolarWinds update package. Since "run-only" AppleScript come in a compiled state where the source code isn't human-readable, this made analysis harder for security researchers.The SUNBURST supply chain attack uses the following workflow grouped into six main steps, also described by Cynet in its website.
![malware used runonly applescripts to avoid malware used runonly applescripts to avoid](https://miro.medium.com/max/2420/1*-m1A01N2VJo_WOgib-owcA.png)
As users installed the pirated software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, and then another final third run-only AppleScript. The primary reason was that security researchers weren't able to retrieve the malware's entire code at the time, which used nested run-only AppleScript files to retrieve its malicious code across different stages. But their reports only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday. SentinelOne said that two Chinese security firms spotted and analyzed older versions of the OSAMiner in August and September 2018, respectively. But the cryptominer did not go entirely unnoticed. Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week. An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.