Hacking macOS: How to Create a Fake PDF Trojan with AppleScript, Part 1 (Creating the Stager)

While attackers have exploited numerous vulnerabilities in Adobe's products to deliver payloads to Windows users via PDF files, a file that merely looks like a PDF can do just as much damage on a Mac, without ever touching a bug in the default Preview app. So think twice before double-clicking a PDF on your MacBook: it might be a Trojan carrying a remote-access payload.


In this short, two-part series, I'll detail how a hacker could create a file that appears to be an ordinary PDF but is actually a Trojanized AppleScript that silently executes malicious code on a target MacBook or other Mac. In the GIF below, you can see a real PDF being opened alongside its fake counterpart, which runs the malicious code.

Let me walk through the architecture of this attack in more detail.


The attacker's system runs Empire and hosts a malicious Python script. An AppleScript file is created and dressed up to look like a legitimate PDF. When the victim opens it, the AppleScript first silently downloads and opens a real PDF, so the victim sees exactly what they expected; it then downloads the malicious Python script from the attacker's server and executes it. Once that script runs, the target Mac connects back to the attacker's server, giving the attacker remote control of the computer.
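Before getting to the build, here is the check from the defender's side, added here as an example that is not code from the original article: a Python triage script that classifies a file by its leading bytes rather than by its name and flags the disguises an architecture like the one above relies on. The magic values for PDF (`%PDF-`), compiled AppleScript (`FasdUAS`) and Mach-O are real; the sample filenames and bytes are constructed for the demo, and whether the article's fake PDF ends up as an exported applet bundle, a double extension or an override character in the name is an assumption on my part, not something this page states.

```python
"""Spot files that look like PDFs but are not.

Added example, not from the original article. Classifies a file by its
content rather than its name and flags the name tricks used to pass an
AppleScript applet off as a PDF. Sample names and bytes are constructed.
"""
import os
import tempfile

# Magic bytes: PDF files start with "%PDF-"; compiled AppleScript (.scpt)
# files start with "FasdUAS"; Mach-O executables start with one of the
# values below. An AppleScript exported as an application is not a single
# file at all but a .app bundle directory (assumed delivery form here).
PDF_MAGIC = b"%PDF-"
APPLESCRIPT_MAGIC = b"FasdUAS"
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe")
RLO = "\u202e"  # Unicode right-to-left override: reverses how the rest of a name is drawn


def classify_content(header: bytes) -> str:
    """Name the file type from its leading bytes, ignoring the filename entirely."""
    if header.startswith(PDF_MAGIC):
        return "pdf"
    if header.startswith(APPLESCRIPT_MAGIC):
        return "compiled-applescript"
    if header.startswith(b"#!"):
        return "shebang-script"
    if any(header.startswith(m) for m in MACHO_MAGICS):
        return "mach-o"
    return "unknown"


def displayed_name(name: str) -> str:
    """Approximate how a bidi-aware file browser draws a name containing U+202E."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def looks_like_pdf_name(name: str) -> bool:
    """True when a user skimming the name would take the file for a PDF.

    Covers the plain case, the double extension ("report.pdf.app", which
    Finder shows as "report.pdf" when the extension-hidden flag is set)
    and the right-to-left override trick.
    """
    shown = displayed_name(name).lower()
    return shown.endswith(".pdf") or ".pdf." in shown


def assess(name: str, header: bytes, is_bundle: bool = False) -> dict:
    """Combine the name and content checks into a verdict for one file."""
    kind = "app-bundle" if is_bundle else classify_content(header)
    reasons = []
    if RLO in name:
        reasons.append("filename uses U+202E to hide its real extension")
    if looks_like_pdf_name(name) and kind != "pdf":
        reasons.append(f"named like a PDF but the content is {kind}")
    return {"name": name, "kind": kind, "suspicious": bool(reasons), "reasons": reasons}


def assess_path(path: str) -> dict:
    """Read only what assess() needs from disk: the name and the first 8 bytes."""
    name = os.path.basename(path.rstrip("/"))
    if os.path.isdir(path):
        return assess(name, b"", is_bundle=name.lower().endswith(".app"))
    with open(path, "rb") as fh:
        return assess(name, fh.read(8))


if __name__ == "__main__":
    # Constructed samples: a genuine PDF header, a compiled-AppleScript header
    # renamed to .pdf, and an empty .app bundle carrying a double extension.
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "quarterly.pdf": b"%PDF-1.7\n",
            "invoice.pdf": APPLESCRIPT_MAGIC + b" 1.101.10",
        }
        for fname, data in samples.items():
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(data)
        os.makedirs(os.path.join(d, "statement.pdf.app", "Contents", "MacOS"))
        for entry in sorted(os.listdir(d)):
            r = assess_path(os.path.join(d, entry))
            flag = "SUSPICIOUS" if r["suspicious"] else "ok"
            print(f"{r['name']:<20} {r['kind']:<22} {flag} {'; '.join(r['reasons'])}")
```

Run it against a Downloads folder by replacing the temp-directory demo with a loop over `os.listdir(path)`. The key design point is that the verdict never trusts the extension: a file that opens in Preview starts with `%PDF-`, and anything else wearing a `.pdf` name is worth a second look, whether it is a compiled script, a Mach-O binary or a whole application bundle.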






Step 1: Get Comfortable with Empire


To begin, I'll be using Empire (previously called PowerShell Empire), a post-exploitation framework notorious fo ..
