Control MacOS Remotely Without Being Detected

Ribhav Kapur - ribhav.kapur99@gmail.com

In this article, I want to talk about a Github project called EvilOSX(​https://github.com/Marten4n6/EvilOSX​), which can be used to gain remote access to MacOS systems. In this article I won’t go into the details of why the scripts work, but instead I’ll talk about what the scripts can do and hopefully this will give you a better understanding of how hackers might try to exploit your systems. (Note that everything mentioned here might be different for Windows users.)

I would like to preface this by saying that this is for educational purposes only. This is meant to make you aware of one possible way hackers may attack you so you can take measures to stay safe. I do not condone using this on anyone, and it is, without a doubt, illegal.

Step 1: Get the Required Files and Dependencies Installed
First you want to clone the git repository and change directories into that repository and install all the dependencies.

Step 2: Create the Payload
The next thing you want to do is find out your IP address. There are various ways you can do this. Below is a terminal command but you could just as easily google it.
ifconfig | grep ​"inet "​ | grep -v 127.0.0.1
This method will only work when you’re attacking a computer that is on the same wireless network as you. If you want to attack computers on different networks, it gets a little more complicated than this and you’ll need to use a few other techniques too like port forwarding. Anyway, that’s out of scope for this.
To run start building a payload for the unsuspecting users’ computer, run the following command:
python3 start.py --builder
And then:
● Enter your IP address
● Enter the server port (use 1337 as recommended)
● Choose where the file will be saved
● Type 1 for a python payload (0 for rubber ducky)
● Leave the next field empty
● Name of the payload that will show on the victim’s computer when asking for
permissions like keychain access.
Your payload is now ready for the unsuspecting victim!
git ​clone​ https://github.com/Marten4n6/EvilOSX.git cd​ EvilOSX
Pip3 install -r requirements.txt

Step 3: Start the EvilOSX Server
This will have to be done ​before​ delivering the payload to the victim’s computer because when the payload, which is essentially a bash script, is run (on the victim’s computer), it tries to connect to the server which is why the server should be set up and should be listening for connections in advance. To do this, enter the following command:
python3 start.py --cli --port 1337
You can type in ​help​ to see all the available commands.
Now all that’s left to do is to wait for users to connect to your server. There are various ways to deliver the payload to the computers you want to attack. For example: if it’s a computer from some organisation, putting the payload on a USB and putting a company sticker on it will probably mean that someone will put it into their computer and hence end up connecting to your server!

Step 4: Running the Payload on the Target MacOS Computer
In this step, you essentially want to run the python file, which is the payload you made in step 2, on the computer you are targeting. There are many ways to do this discreetly like hiding a bash script in the meta-data of a picture or just simply having a bash script that runs when the user clicks on it (which is by definition what a bash script does....).

Step 5: Start Attacking the Target MacOS Computer
Type help for available commands, bots to see a list of computers connected to your EvilOSX server and modules to see some of the attacks you could perform:

To connect to a bot, type ​connect ,​ where is the index of the computer you want to connect to in your list of bots. You can then type ​use ​ ​where is the name of any of the modules above to perform attacks. For modules listed above that require the admin password, like getting chrome passwords or iTunes information, the payload will provide a pop up like the one Apple does when asking for security permissions to go undetected!
Your payload should go by undetected by any virus scanners since it is just a python (.py) file. The only way it can be spotted is if someone is constantly monitoring their processes to see which ones are persistent for the longest time. Even then, it usually just passes off as a regular, non-malicious python file.