Reversing Malicious Run-Only AppleScripts
Phil Stokes (Hacker News, Patrick Wardle):
macOS.OSAMiner has evolved to use a complex architecture, embedding one run-only AppleScript within another and retrieving further stages embedded in the source code of public-facing web pages.
Combining a public AppleScript disassembler repo with our own AEVT decompiler tool allowed us to statically reverse run-only AppleScripts for the first time and reveal previously unknown details about the campaign and the malware’s architecture.
We have released our AEVT decompiler tool as open source to aid other researchers in the analysis of malicious run-only AppleScripts.