The attacker could then take further steps to exfiltrate the victim’s LastPass Vault contents without their knowledge. #MALWARE USED RUNONLY APPLESCRIPTS TO AVOID PASSWORD#Instead, our script generating the dialog would receive the password in plaintext as well as the name of the button the victim clicked. To be clear, none of the output generated by entering text in the password field or by clicking the Cancel or OK buttons would get sent to the LastPass application. All we needed to do was to tell the LastPass application to show a dialog with the application’s icon and text and buttons of our choosing. What did we just do? In fact, we did nothing different from the previous examples where we were searching Apple Mail for email or Google Chrome for a website. However it wouldn’t be a big stretch of the imagination to apply these “easy button UI” capabilities to something a lot less wholesome: This is convenient for someone developing scripted workflows, as it allows them to focus on functionality and application logic instead of creating UI elements from scratch. For example, if we wanted to write an AppleScript tool that searches our bookmarks for a URL, (ignoring for a second that Chrome has its own search capabilities), we could start with a dialog prompting the user for a website title or URL to search for, as shown in Figure 2:Īs is clear from looking at these simple examples, an unsuspecting victim might assume that these dialogs are part of a trusted application because of the icon and generally having a “normal” macOS look and feel, while in actuality, they were generated by an unrelated script. In order to execute the above snippet, copy and paste it into Script Editor, which ships with macOS and can be found at /Applications/Utilities/Script Editor.app.īeyond Apple’s core services, there are many third-party applications that also support scripting via AppleScript. Tell application "Mail" to activate tell application "Mail" to display dialog "Please enter the email address to search for." default answer "" with icon 1 with title "Mail" The AppleScript snippet that tells Mail to show the dialog looks like this: Getting user input and displaying results is easy by using the display dialog verb which is available for any application that is AppleScript-compatible.įor example, one might create a script for Apple’s Mail application that gathers email messages from a certain sender by showing a prompt that allows the user to type in the name or email address to search for.Ī dialog as shown in Figure 1 can be created with a single line of AppleScript: #MALWARE USED RUNONLY APPLESCRIPTS TO AVOID MAC#One of the reasons AppleScript has remained popular with Mac users is because it is very easy to create a GUI-driven scripted workflow or self-contained application. To make creating AppleScript applications or system services even easier, Apple has also shipped the drag-and-drop driven Automator with macOS since version 10.4. As such, it is deeply embedded in the OS and has far-reaching capabilities due to it being part of many system tools, especially those with a user-facing UI.ĪppleScript has been popular among home users and professionals alike for its ability to close the gap between what the OS is capable of out of the box and third-party applications, as well as for batch-processing. AppleScript is Apple’s native scripting language that has shipped with Apple’s Macintosh operating system since System 7 in 1991, and every consecutive version through today. What is AppleScript?īefore we continue, let’s look at what makes all of this possible. Afterwards, the attacker can use the captured credentials to elevate privileges and take actions of their choosing such as deploying malware or taking control of the victim’s Apple ID account. #MALWARE USED RUNONLY APPLESCRIPTS TO AVOID SOFTWARE#The recently discovered OSX.Bella malware, which gets much of its payload from an Open Source Software (OSS) post-exploitation toolkit by the same name, reminds us again how easy it is for an attacker to create legitimate-looking phishing dialogs using built-in macOS scripting functionality.īy writing a few lines of AppleScript, an attacker can use system tools like System Preferences, App Store or iTunes to present a legitimate-looking dialog prompting the victim to re-enter their Apple ID or local user account credentials in order to fix a problem an application on their system is having.īecause there was no actual issue, the application will (still) be working as expected, giving the victim the impression that the prompt was legitimate and they helped to rectify the issue. Duo Labs May 4th, 2017 Pepijn Bruienne The macOS Phishing Easy Button: AppleScript Dangers The Issue
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |