
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37)

macOS.OSAMiner is a Monero mining trojan first observed in 2018; security researchers assessed that it may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript inside another. Because a run-only script carries no source text and tooling for analysing compiled Apple event (AEVT) scripts was scarce, the embedded stage went without full analysis for roughly five years.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)
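The evasion described above rests on two obfuscation techniques listed for this sample: the payload is a run-only (source-stripped) compiled AppleScript, and it is carried inside another compiled AppleScript. The following is an added example, not code from the page, the cited research or the malware: a byte-level scanner that recognises compiled AppleScript by its 'FasdUAS' file magic and locates a nested compiled script whether it is embedded raw or as a hex string. The sample blobs INNER and OUTER are constructed here to exercise the scanner; the way the real sample packs its inner script is not stated on this page and is not assumed.

```python
"""Locate compiled AppleScripts nested inside another compiled AppleScript (T1027.009)."""
import binascii
import re

SCPT_MAGIC = b"FasdUAS"                        # magic at offset 0 of every compiled AppleScript
SCPT_MAGIC_HEX = binascii.hexlify(SCPT_MAGIC)  # b'46617364554153': all digits, so case is a non-issue


def is_compiled_applescript(data: bytes) -> bool:
    """True if the blob starts with the compiled-AppleScript magic."""
    return data.startswith(SCPT_MAGIC)


def find_embedded_scripts(data: bytes) -> list:
    """Offsets of compiled-script magics found after the outer header, raw or hex-encoded."""
    hits = []
    for m in re.finditer(re.escape(SCPT_MAGIC), data):
        if m.start():                              # offset 0 is the outer script's own header
            hits.append({"offset": m.start(), "encoding": "raw"})
    for m in re.finditer(SCPT_MAGIC_HEX, data):
        hits.append({"offset": m.start(), "encoding": "hex"})
    return sorted(hits, key=lambda h: h["offset"])


def extract_payload(data: bytes, hit: dict) -> bytes:
    """Carve the embedded script: raw bytes from the hit, or the contiguous hex run decoded."""
    off = hit["offset"]
    if hit["encoding"] == "raw":
        return data[off:]
    hexrun = re.match(rb"[0-9A-Fa-f]+", data[off:]).group(0)
    hexrun = hexrun[: len(hexrun) - len(hexrun) % 2]   # drop a dangling nibble, if any
    return binascii.unhexlify(hexrun)


def triage(data: bytes) -> dict:
    """One-shot verdict for a blob: is it compiled, what does it embed, and are the embeds compiled too."""
    hits = find_embedded_scripts(data)
    payloads = [extract_payload(data, h) for h in hits]
    return {
        "compiled": is_compiled_applescript(data),
        "embedded": hits,
        "payloads": payloads,
        "nested_compiled": [is_compiled_applescript(p) for p in payloads],
    }


# Constructed sample data (hypothetical layout, not bytes from the real sample):
# an inner compiled script stored as a hex string literal inside an outer compiled script.
INNER = SCPT_MAGIC + b" 1.101.10\x00\x00\x00\x0e" + b"inner run-only script body"
OUTER = (
    SCPT_MAGIC + b" 1.101.10\x00\x00\x00\x0e"
    + b'set hexdata to "' + binascii.hexlify(INNER) + b'"\n'
    + b"outer script continues"
)

if __name__ == "__main__":
    for key, value in triage(OUTER).items():
        print(key, value)
```

A hit that decodes to a blob starting with the same magic is the signal to carve it out and analyse it as its own file. On macOS, `osadecompile` confirms whether a carved script is run-only: it recovers source from a normal compiled script and fails on one whose source has been stripped.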

Level 1 rows link the malware to a technique; level 2 rows link each sub-technique to its parent technique.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | 1
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | 1
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) | Attack Pattern | 1
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | Stripped Payloads - T1027.008 (2f41939b-54c3-41d6-8f8b-35f1ec18ed97) | Attack Pattern | 1
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 1
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) | Attack Pattern | macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | 1
AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb) | Attack Pattern | macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | 1
macOS.OSAMiner - S1048 (2a59a237-1530-4d55-91f9-2aebf961cc37) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Stripped Payloads - T1027.008 (2f41939b-54c3-41d6-8f8b-35f1ec18ed97) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 2
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2
AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2
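The relationships above pair AppleScript (T1059.002) with Launch Agent (T1543.001) and Launchctl (T1569.001), which is the combination a responder would hunt for in a user's LaunchAgents directory. The page does not say how this sample's agent is configured, so the following is a generic triage script added here as an example (not code from the page or the malware): it parses launchd job plists, flags jobs whose command line is `osascript` or points at a compiled script, and records the RunAtLoad/KeepAlive settings that make the job restart. The two plists and the broken file are constructed inputs; the label `com.example.helper` and the paths in them are hypothetical.

```python
"""Triage LaunchAgent plists for AppleScript-based persistence (T1543.001 with T1059.002)."""
import os
import plistlib
import tempfile
from pathlib import Path

INTERPRETERS = {"osascript"}                       # AppleScript runner; extend for other script hosts
SCRIPT_SUFFIXES = (".scpt", ".scptd", ".applescript")


def triage_plist(plist_bytes: bytes) -> dict:
    """Label, effective command line, and the reasons (if any) the job looks like script persistence."""
    job = plistlib.loads(plist_bytes)
    if "ProgramArguments" in job:
        args = list(job["ProgramArguments"])
    elif "Program" in job:
        args = [job["Program"]]
    else:
        args = []
    reasons = []
    if args and os.path.basename(args[0]) in INTERPRETERS:
        reasons.append(f"runs {args[0]}")
    for arg in args[1:]:
        if arg.lower().endswith(SCRIPT_SUFFIXES):
            reasons.append(f"script argument {arg}")
    # Persistence modifiers: start at login, and relaunch if the process exits or is killed.
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive")
    suspicious = any(r.startswith(("runs ", "script argument")) for r in reasons)
    return {"label": job.get("Label"), "args": args, "reasons": reasons, "suspicious": suspicious}


def scan_launch_agents(directory: Path) -> list:
    """Triage every .plist in a LaunchAgents directory; an unparseable plist is reported, not skipped."""
    findings = []
    for path in sorted(directory.glob("*.plist")):
        try:
            result = triage_plist(path.read_bytes())
        except Exception as exc:        # plistlib raises on malformed input; that is itself a lead
            result = {"label": None, "args": [], "reasons": [f"unparseable: {exc}"], "suspicious": True}
        result["path"] = str(path)
        findings.append(result)
    return findings


# Constructed sample plists (hypothetical label and paths, not artifacts from the real sample).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>/Users/Shared/.helper/run.scpt</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def demo_scan() -> list:
    """Write the constructed samples to a temp dir and scan it as one would scan ~/Library/LaunchAgents."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "com.example.helper.plist").write_bytes(SUSPECT_PLIST)
        (d / "com.example.backup.plist").write_bytes(BENIGN_PLIST)
        (d / "broken.plist").write_bytes(b"not a plist")
        return scan_launch_agents(d)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Point `scan_launch_agents` at `~/Library/LaunchAgents` (and `/Library/LaunchAgents`) on a live host. A plist on disk is only half the picture: `launchctl list` shows which labels are actually loaded, so compare the flagged labels against that output to tell a dormant file from a running job.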