While OSAMiner has been around since 2015, and known since at least 2018, a newly discovered version of OSAMiner has remained hidden from researchers by cleverly concealing one run-only AppleScript inside of another run-only AppleScript. Run-only scripts do not contain human-readablez code and are notoriously difficult to fully decompile. Some IoCs have been able to be identified in these campaigns but a full analysis was not previously available, leaving some of the critical files in these campaigns lurking in the dark. This has changed with a couple of recently developed tools to aid in decompiling AppleScripts.
Using these tools, we can now get a better view at the internals of the files in this cryptojacking campaign, as well as a broader view of the files associated with the malware.