Malware
macOS.OSAMiner
S1048 · macOS
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018.
Security researchers assessed that macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.
ATT&CK S1048
Malware family
Sigma rules: 0
YARA rules: 0
Live IOCs: 0
Techniques Used
11 ATT&CK techniques this malware is documented performing. Each links to its detections - Sigma, vendor SIEM rules, and analytics - so you catch the behaviour even when the binary changes.
Live Indicators
Indicators are defanged for safe handling. Newest first.
Aliases
macOS.OSAMiner
External lookups - second-class, for what we don’t hold ourselves