Complex shell scripts can be implanted into photo metadata and later used to exploit a MacBook. In addition to obfuscating the true nature of an attack, this technique can be used to evade network firewalls as well as vigilant sysadmins.
In this attack scenario, a malicious command will be embedded directly into the EXIF metadata of an image file. The attacker would host the malicious image on a public website like Flickr, making it accessible for anyone to download. A stager will then be created to download the image, extract the metadata, and execute the embedded command.
To be clear, double-clicking the image file will not cause the embedded command to execute. That's a different kind of macOS attack, something we've covered in another article. Instead, the command will be hidden in the metadata of the image and used as a payload delivery system.
The stager and payload are two different aspects of the attack. The stager is designed to download the image and execute the embedded payload, while the payload is the final bit of code (embedded in the picture) designed to perform one or more commands.
Why Embed Payloads into Images?
So, why have a stager at all if the attacker is already in a position to execute code on the target MacBook? Well, primarily, varying degrees of active evasion. Also, stagers can be quite small, only ~100 characters long, making them quicker to execute with a USB Rubber Ducky or MouseJack attack, for example.