Hacking macOS: How to Bypass Mojave's Elevated Privileges Prompt by Pretending to Be a Trusted App


The macOS 10.14 security update tried to make parts of the operating system difficult for hackers to access. Let's take a closer look at how this new feature works and what we can do to spoof the origin of an application attempting to access protected data.


Apple introduced some security features in its Mojave 10.14 release. One feature identifies applications attempting to copy, modify, or use certain files and services. The feature will present the user with a security notification for applications attempting to access the location services, built-in camera, address book, microphone, and other sensitive data. Below is an example notification of this new feature in action.

[GIF: Mojave's security notification appearing while a trojanized AppleScript runs in the background]
In the above GIF, an attacker is attempting to use a trojanized AppleScript that appears as an ordinary text file to modify protected data. The target is being socially engineered into opening a file called "passwords.txt" — which presumably contains content interesting enough to make them double-click the file.


The first part of that payload opens an actual text file containing arbitrary data designed to make the target believe the file is legitimate. The second part runs transparently in the background without the target's knowledge. This kind of attack is explained in greater detail in my "How to Create a Fake PDF Trojan with AppleScript" article.


As we can see, Mojave identifies the nefarious activity happening in the background and immediately alerts the target user. This new security feature prevented part of the attack — well done, Mojave, well done.


This got me thin ..
