"Run-only" AppleScript is compiled to a bytecode format that is very poorly documented. In 2017, I released a CTF reverse-engineering challenge called Scriptabble, in which contestants had to understand a compiled AppleScript file which very slowly computed a flag, then fix or reimplement the algorithm to compute it faster.

Teams generally solved it by reverse engineering the AppleScript runtime to understand the VM bytecode; one writeup is here: https://twitter.com/_niklasb/status/856594863294472193

So, I guess I can't be too surprised that run-only AppleScript ended up as a good malware vector - it's so poorly documented, and there are so few tools to understand it, that it could easily fly under the radar.
> Since "run-only" AppleScript comes in a compiled state where the source code isn't human-readable, this made analysis harder for security researchers.

Surely no more difficult than your average malware binary blob?
A run-only AppleScript shouldn’t be fundamentally any harder to detect than any other form of compiled binary. Does this just mean that security researchers and antivirus tools simply haven’t paid attention to run-only AppleScripts as a vector worth investigating?
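An added example, not from this thread, of the kind of cheap triage check the comment above is asking about. Compiled AppleScript files (run-only or not) start with the magic bytes `FasdUAS`, so they can be found by header rather than by extension, which matters when a script is hidden inside a cracked app bundle under some other name. On macOS, `osadecompile` can then tell run-only scripts apart: it succeeds when the file still carries its source and fails when the source was stripped at compile time. The sample header bytes, the `scan` helper and the assumption that a nonzero `osadecompile` exit means "no source" are mine; on a non-macOS host the tool is absent and the source check is skipped.

```python
import shutil
import subprocess
from pathlib import Path
from typing import Iterable, Iterator, Optional, Tuple

# Every compiled AppleScript (.scpt, run-only or not) starts with this magic.
APPLESCRIPT_MAGIC = b"FasdUAS"

# Constructed sample: the header of a compiled script followed by filler bytes,
# standing in for a real .scpt during offline testing.
SAMPLE_COMPILED = b"FasdUAS 1.101.10" + b"\x0e\x00\x00\x00" + b"\x00" * 16
SAMPLE_TEXT_SCRIPT = b'#!/usr/bin/osascript\ndisplay dialog "hi"\n'


def is_compiled_applescript(data: bytes) -> bool:
    """True if the blob begins with the compiled-AppleScript header."""
    return data.startswith(APPLESCRIPT_MAGIC)


def has_recoverable_source(path: Path) -> Optional[bool]:
    """Ask osadecompile (macOS only) whether the script still carries source.

    Returns True if decompilation succeeds, False if it fails (assumed here to
    be the run-only case: the source text was stripped at compile time), and
    None when osadecompile is not available on this host.
    """
    if shutil.which("osadecompile") is None:
        return None
    result = subprocess.run(
        ["osadecompile", str(path)], capture_output=True, text=True, timeout=30
    )
    return result.returncode == 0


def scan(paths: Iterable[Path]) -> Iterator[Tuple[Path, Optional[bool]]]:
    """Yield (path, has_source) for every compiled AppleScript under paths.

    Files are matched on their first bytes, never on their extension, so a
    renamed script buried in an app bundle is still reported.
    """
    for root in paths:
        candidates = root.rglob("*") if root.is_dir() else [root]
        for p in candidates:
            if not p.is_file():
                continue
            with p.open("rb") as f:
                head = f.read(len(APPLESCRIPT_MAGIC))
            if is_compiled_applescript(head):
                yield p, has_recoverable_source(p)


if __name__ == "__main__":
    import sys

    for path, has_source in scan(Path(a) for a in sys.argv[1:]):
        if has_source is None:
            label = "compiled AppleScript (osadecompile unavailable)"
        elif has_source:
            label = "compiled AppleScript, source recoverable"
        else:
            label = "compiled AppleScript, RUN-ONLY (no source)"
        print(f"{path}: {label}")
```

Run it as `python3 scan_scpt.py /Applications/SomeCrackedGame.app` to list every compiled script in a bundle; the run-only hits are the ones worth a closer look, since there is no source to read and the bytecode has to be analysed directly.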
> since at least 2015 disguised in pirated (cracked) games and software such as League of Legends

LoL is free, though. Why would anyone use a pirated/cracked version? What would that even mean?
This is a huge security hole. The modified script can be used as a backdoor for all your data and 100% control of your computer, because AppleScript can do anything. Probably a legal NSA backdoor that hackers have taken over, and a lot of people are in danger. It is not necessary to install pirated software; the download can happen through a hole in the browser. I, an old-school security researcher, once saw how a hacker controlled a Mac and could turn Wi-Fi on/off, modify files, paint over windows, etc. AppleScript can install new backdoors on the target system with manual control, which allows the hacker to hide his activities by playing along with the victim. Be careful, stay safe.