Mac Attacks Along the Kill Chain: Part 1 — Delivery Using URL Schemes [VIDEO]

As a senior research developer with the Falcon OverWatch managed hunting team, I joined CrowdStrike co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, during their keynote at RSA 2019: “Hacking Exposed: Hacking Macs.” My role was to demonstrate some of the tactics, techniques and procedures (TTPs) being implemented by sophisticated adversaries in real-world attacks against MacOS machines and networks. The attacks demonstrated in these videos correspond with different stages in the cyberthreat kill chain*. This video is a demonstration of a “delivery” stage attack, which involves using a custom URL scheme to achieve code execution on the intended victim machine.

More MacOS in the Workplace

In part, because MacOS is considered a relatively secure operating system, there’s been a steady increase in the number of organizations that rely on Mac-based networks. This has made these environments a more attractive target for determined cybercrime adversaries. As George states in the keynote, “For many years, we’ve beaten up on Windows and Linux and we’re certainly not here to beat up on Macs. (MacOS) is a great system. What we want to do is show you some of the attacks, so you can better protect yourself.”

Delivery Attack

As Dmitri explains in his introduction, a common method of the delivery attack is via spear-phishing — getting people to open an email or an attachment.  Over the years, there have been many Microsoft Office macros used for these exploits. However, in recent months, a more interesting scheme has been observed that leverages something Apple has built into its application features called a “CustomUrlScheme.”

Leveraging the CustomURLScheme

As the video shows, this MacOS feature allows you to register your own URL scheme on MacOS, and have an app that will be called automatically whenever that scheme is triggered. It starts with a spear-phishing email that takes you to a website, which immediately downloads a zip file. Then a default action in Safari automatically unpacks this zip file containing the malicious application. Applications have a file within them called the Info.plist, which holds a lot of information about the app, including the specified CustomUrlScheme. This file is parsed by the Launch Services Daemon as soon as the app hits the hard drive, and the new application’s CustomUrlScheme is automatically registered.

At this point, without any user interaction, the victim has downloaded a zip file, Safari has unpacked it, and a malicious application has had its CustomUrlScheme registered. The application now attempts to open whenever the browser goes to the newly registered CustomUrlScheme. When this URL is visited, the victim receives a few prompts asking if he or she would like to open the malicious application. Because these types of prompts are also used for legitimate apps, the user often complies.

Walking Through an Attack

In the video, we show you how these attacks unfold and offer countermeasures that can help you avoid them. Here are some highlights of what you’ll gain from the demonstration:

  • Get an understanding from the attacker’s perspective of how this attack is set up: What does a CustomUrlScheme look like, and how are attackers able to call them from malicious websites?
  • Once the application is on the victim’s machine, it works like a dropper, reaching out to the internet to download a picture file with an embedded malicious script. Learn how this step is implemented by the attacker.
  • Learn how the final payload is stealthily implemented to phone home to the command and control (C2).

Attack Countermeasures

The video also offers countermeasures to this attack that can help your organization keep from being victimized. The following are some highlights from the demo on how you can protect against this type of attack:

  • A big part of your defense is to disable the automatic opening of files. I’ll show you what Safari options can prevent files from automatically unzipping and registering the plist.
  • You’ll learn why the built-in Mac gatekeeper is an important ally in preventing these attacks.
  • Are Office Macros still a problem? The video explains why you should be aware of this vulnerability to ensure protection.

Look for upcoming blogs and videos that will demonstrate additional attacks aimed at MacOS and which correspond to stages in the cyber kill chain.

Additional Resources

*Read  SANS descriptions of the cyber kill chain stages.

CrowdStrike Falcon Free Trial

Jaron Bradley

Jaron Bradley has a background in Host-Based Incident Response and has focused mainly on detected targeted attacks. Bradley is currently the youngest member of CrowdStrike’s Falcon Overwatch where he serves as one of the company’s top intrusion analysts, concentrates on OSX-based analysis, and plays a vital role in finding anomalous activity on customer networks.


Try CrowdStrike Free for 15 Days Get Started with A Free Trial