OSAMiner is a cryptocurrency-miner infection that makes an infected Mac slow and hot: it uses the computer’s processor to mine cryptocurrency for the attacker.
OSAMiner has been around since 2015 and spreads with pirated games and other apps. Once it is on a Mac, it kills Activity Monitor and some anti-malware apps so that it is harder to notice and to stop. It had been difficult to analyze until now, but a cybersecurity company has released research that sheds new light on OSAMiner.
| How OSAMiner affects Macs | It makes the infected Mac slow and laggy, hides malicious files in hidden folders, and stops you from quitting apps and from using some antivirus apps. |
| How it spreads | It is included in infected app bundles and can be downloaded from pirating sites, often as games or Office software. |
| How to avoid OSAMiner and remove malware | Only allow trusted apps to be installed, protect your online accounts and keep copies of your files, and be aware of the dangers of software pirating. |
How OSAMiner works
Miners slow down computers
OSAMiner was originally reported as a Monero miner. Miners are programs that use your computer to run the calculations that produce new cryptocurrency. You can run a miner to try to earn some crypto yourself. Malicious actors spread miners to infect the computers of unsuspecting users in order to steal their computing power. A miner infection makes the computer very slow and laggy and can cause it to overheat.
Some miners wait until the device is idle before they start working, both to avoid interfering with your work and to stay under the radar. Even then, they can cause problems: the Mac may run too hot for long periods, which, in the long run, could even damage hardware components.
When your Mac starts chugging for no apparent reason, you might open Activity Monitor to see which process is using all of these resources. OSAMiner would detect Activity Monitor and kill it as soon as you launched it. It would also prevent your Mac from sleeping and try to stop various popular antivirus apps.
According to SentinelOne, OSAMiner is built on an open source Monero miner. Open source projects are sometimes misused by cybercriminals, but this does not reflect badly on the projects themselves.
Malicious software spread with pirated apps
OSAMiner spreads in pirated software: cracked or patched programs shared for free download. OSAMiner had been distributed with pirated software since 2015, mostly in Asia (Zdnet.com).
Software pirating is dangerous. Downloading files from unreliable sources, uploaded by unknown users, or new files that don’t yet have any comments, is always risky. Infected files aren’t always immediately obvious, since they often include the promised program, too. Malicious programs try to stay quiet and escape your scrutiny.
Even if you use an antivirus app to protect yourself, there are some problems:
- You might expect software cracks to be detected by antivirus apps. So, if you get a warning from your security app, you might ignore it.
- New, unknown infections don’t always get flagged.
Here is an app bundle that spread the OSAMiner malware: Virustotal.com. It is currently detected as a Trojan by multiple antivirus scanners. Pay attention to malware detection names: if the file were just a software crack, the detection names would reflect that rather than calling it a Trojan.
Once launched, OSAMiner would collect information about your installed apps, the amount of free disk space, and other technical details, then download its remaining components from the internet. You might notice the Terminal app appearing briefly on your screen.
OSAMiner is difficult to analyze
According to SentinelOne, OSAMiner evaded attention for years because it ran as run-only (compiled) AppleScripts, which are difficult to analyze because the script source is stripped from the compiled file. It did catch the attention of some malware analysis companies, but its true scale wasn’t uncovered until SentinelOne’s research.
Read SentinelOne’s post – Labs.sentinelone.com – for more detailed information on OSAMiner.
OSAMiner’s malicious files hid in Library folders such as LaunchAgents and Caches, stored as .plist, .txt and .png files (malicious code can be hidden inside image files, too). The files were given names that include “apple”, “google”, “yahoo” and similar words to look legitimate. Library folders hold settings and support files used by your apps and, unfortunately, are also used by malware to hide and persist (How Malware Persists on macOS).
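The persistence pattern described above is something you can check for yourself. The script below is an added example written for this article, not code from the original page or from SentinelOne’s report. It walks the usual LaunchAgents and LaunchDaemons folders and flags launch items that show the traits the article lists: a program that is really a script interpreter such as osascript, a payload stored under Library/Caches, a file with a data-file extension (.png, .txt) being executed, or a brand-like label (“apple”, “google”, “yahoo”) that does not live in a system directory. The interpreter list, the brand words and the two sample plists are assumptions made for the demonstration; the plists are constructed here and are not real OSAMiner samples.

```python
"""Triage macOS launch items for OSAMiner-style persistence.

Added example for this article; the heuristics below encode the indicators
the article describes and are assumptions, not SentinelOne's detection logic.
"""
import os
import plistlib
import re
from typing import Any, Dict, List

# Words the article says the malware borrows for its file names (assumed list).
BRAND_WORDS = ("apple", "google", "yahoo")
# Interpreters that a persistence entry would not normally launch directly (assumed list).
SCRIPT_RUNNERS = ("osascript", "bash", "sh", "zsh", "curl", "python")
# Where genuine Apple launch items live; an Apple-looking label elsewhere is suspicious.
SYSTEM_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")
# Folders a user or third-party installer can write persistence into.
USER_AGENT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def triage_plist(data: bytes, path: str = "<memory>") -> Dict[str, Any]:
    """Parse one launch item (XML or binary plist) and list why it looks suspicious.

    An empty 'reasons' list means nothing was flagged.
    """
    try:
        p = plistlib.loads(data)  # plistlib handles both XML and binary plists
    except Exception as exc:  # an unparseable plist in LaunchAgents is itself worth a look
        return {"path": path, "label": None, "program": None,
                "reasons": [f"unparseable plist: {exc}"]}

    label = str(p.get("Label", ""))
    args = p.get("ProgramArguments") or []
    if not isinstance(args, list):
        args = [str(args)]
    program = p.get("Program") or (args[0] if args else "")
    cmdline = " ".join(str(a) for a in [program, *args])
    reasons: List[str] = []

    runner = os.path.basename(str(program))
    if runner in SCRIPT_RUNNERS:
        reasons.append(f"program is an interpreter ({runner}), not an application binary")
    if re.search(r"/Library/Caches/", cmdline):
        reasons.append("payload stored under Library/Caches")
    if re.search(r"\.(png|txt)(\s|$)", cmdline):
        reasons.append("executes a file with a data-file extension (.png/.txt)")
    if any(w in label.lower() for w in BRAND_WORDS) and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"brand-like label {label!r} outside a system directory")
    # Only worth mentioning once something else is already off: legitimate agents use it too.
    if p.get("RunAtLoad") and p.get("KeepAlive") and reasons:
        reasons.append("RunAtLoad + KeepAlive: launchd restarts it if it is killed")
    return {"path": path, "label": label, "program": str(program), "reasons": reasons}


def scan_dirs(dirs: List[str] = USER_AGENT_DIRS) -> List[Dict[str, Any]]:
    """Return triage results for every flagged .plist in the given folders."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    result = triage_plist(fh.read(), full)
            except OSError:
                continue
            if result["reasons"]:
                hits.append(result)
    return hits


# Constructed sample: what an OSAMiner-style agent could look like (assumed, not a real sample).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.googlesync.agent</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/demo/Library/Caches/com.apple.act.png</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed sample of an ordinary third-party agent that should not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Backup.app/Contents/MacOS/backupd</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for r in [triage_plist(SAMPLE_PLIST), triage_plist(BENIGN_PLIST)] + scan_dirs():
        print(f"{r['path']}: label={r['label']} program={r['program']}")
        for why in r["reasons"]:
            print(f"  - {why}")
```

Run it with `python3 triage_launch_items.py` (any file name works) on the Mac you want to inspect. A hit is a prompt to look at the referenced file, not proof of infection: some legitimate tools do launch shell scripts from LaunchAgents, which is why the script reports its reasons rather than deleting anything.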
How to protect yourself from Mac malware
Macs may be targeted less often than Windows PCs, but that is no excuse to neglect your cyber security. Other miner malware, such as Bird Miner, has already targeted Macs.
You should set your Mac to only allow trusted apps to be installed (Gatekeeper, under System Preferences > Security & Privacy): Support.apple.com. Apple provides various security tools to help its users stay safe.
You can also use antivirus apps, such as Combo Cleaner, Malwarebytes, or others, to enhance the security of your device. You should also install operating system updates as quickly as you can: the report on OSAMiner mentioned that the developers of this malware had to change some of their tactics after Apple released new updates.
But the most important thing is to stay safe online. Pirating websites often show dangerous ads. Unreliable websites might allow you to download infected files. If you insist on pirating software, stick to reputable websites and find a community where you can ask for help and advice.
And finally, always have backups of your files and use multi-factor authentication for your online accounts. This way, if malware infects your device, you can recover and avoid having your online accounts stolen.
As for removing OSAMiner, use an antivirus app or, at worst, erase and reinstall macOS.