AppleScript Abuse: Unpacking a macOS Phishing Campaign

Darktrace researchers uncovered a multistage AppleScript campaign targeting macOS users. It uses phishing lures and social engineering to deliver a Node.js-based loader and attempts to abuse the macOS TCC privacy database by forging access records that borrow the code-signing requirements of trusted binaries. The campaign communicates with a C2 at sevrrhst[.]com, establishes persistence via a LaunchAgent, and can fetch and execute additional Base64-encoded payloads and binaries. #TCC #sevrrhst

Keypoints

  • Infection begins with a phishing email prompting users to open an AppleScript masquerading as a .docx file (e.g., Confirmation_Token_Vesting.docx.scpt).
  • The initial AppleScript retrieves a secondary script from sevrrhst[.]com, creates a hidden ~/.ex.scpt, and executes it to continue the chain.
  • A fake credential prompt built with AppKit steals the macOS username and password, validates them locally with dscl, encodes them in Base64, and exfiltrates them to the C2.
  • The attacker attempts to forge TCC authorizations by extracting code-signing requirements from trusted binaries, injecting forged records into the TCC database, and killing tccd to force reload.
  • A modular Node.js loader is deployed into ~/Library/com.apple.commonjs and a LaunchAgent .plist ensures persistence; default.js and addon.js enable remote command execution and dynamic payload delivery.
  • The campaign’s TCC manipulation may succeed on older macOS versions but is likely to fail on up-to-date or MDM-managed systems, where tccd’s integrity checks and system updates protect the database.
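
The artifacts listed above lend themselves to a host triage script. The following is an added example written for this page, not Darktrace tooling, and it generalises a little beyond the report: it checks for the named file-system artifacts, flags any user LaunchAgent that runs a `node` binary stored inside the home directory together with a .js file (not only default.js), and audits the per-user TCC database for allow rows on sensitive services that carry no csreq or were modified recently. Assumptions are labelled in the code: the renamed com.appled.tcc folder is assumed to sit under ~/Library/Application Support, the LaunchAgent label is a stand-in, the fixture's `access` table is a column subset of the real TCC schema, and the TCC heuristics are indicative rather than proof of tampering. All sample data is constructed inside the script so it runs offline.

```python
from __future__ import annotations
import json, plistlib, sqlite3, tempfile, time
from pathlib import Path

# Home-relative artifacts from the report; placing com.appled.tcc under Application Support is an assumption.
ARTIFACT_PATHS = (".ex.scpt", "Library/com.apple.commonjs",
                  "Library/Application Support/com.appled.tcc")
TCC_DB = "Library/Application Support/com.apple.TCC/TCC.db"  # normal per-user TCC database location
SENSITIVE_SERVICES = frozenset({"kTCCServiceSystemPolicyAllFiles",
                                "kTCCServiceAccessibility", "kTCCServiceScreenCapture"})
ALLOWED = 2  # TCC auth_value meaning "allowed"


def find_artifacts(home: Path) -> list[str]:
    """Return which of the report's file-system artifacts exist under `home`."""
    return [rel for rel in ARTIFACT_PATHS if (home / rel).exists()]


def suspicious_launch_agents(home: Path) -> list[str]:
    """Flag user LaunchAgents that run a `node` binary stored inside the home directory
    together with a .js file (generalises the report's node + default.js agent)."""
    hits = []
    for plist_path in sorted((home / "Library/LaunchAgents").glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue
        args = [plist["Program"]] if "Program" in plist else []
        args += [str(a) for a in plist.get("ProgramArguments", [])]
        home_node = any(Path(a).name == "node" and a.startswith(str(home)) for a in args)
        if home_node and any(a.endswith(".js") for a in args):
            hits.append(plist_path.name)
    return hits


def audit_tcc(db_path: Path, now: float, max_age_s: int = 86400) -> list[dict]:
    """Report allow rows for sensitive services that store no csreq or were written in the
    last `max_age_s` seconds. Heuristic only: a genuine prompt-driven grant normally records
    the client's designated requirement, and forged rows are new by definition."""
    con = sqlite3.connect(f"{db_path.resolve().as_uri()}?mode=ro", uri=True)  # never write
    try:
        rows = con.execute("SELECT service, client, auth_value, csreq, last_modified "
                           "FROM access").fetchall()
    finally:
        con.close()
    findings = []
    for service, client, auth_value, csreq, last_modified in rows:
        if service not in SENSITIVE_SERVICES or auth_value != ALLOWED:
            continue
        reasons = []
        if csreq is None:
            reasons.append("missing csreq")
        if now - last_modified < max_age_s:
            reasons.append("modified recently")
        if reasons:
            findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


def run_triage(home: Path, now: float | None = None) -> dict:
    now = time.time() if now is None else now
    db = home / TCC_DB
    return {"artifacts": find_artifacts(home),
            "launch_agents": suspicious_launch_agents(home),
            "tcc": audit_tcc(db, now) if db.exists() else []}


def build_fixture(home: Path, now: float) -> None:
    """Constructed victim home mirroring the report; every name and blob below is a stand-in."""
    (home / ".ex.scpt").write_text("-- stand-in for the hidden second-stage script\n")
    loader = home / "Library/com.apple.commonjs"
    loader.mkdir(parents=True)
    (loader / "node").write_bytes(b"")
    (loader / "default.js").write_text("// stand-in loader\n")
    agents = home / "Library/LaunchAgents"
    agents.mkdir()
    with open(agents / "com.apple.commonjs.plist", "wb") as fh:  # label is an assumption
        plistlib.dump({"Label": "com.apple.commonjs", "RunAtLoad": True,
                       "ProgramArguments": [str(loader / "node"), str(loader / "default.js")]}, fh)
    with open(agents / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"]}, fh)
    (home / TCC_DB).parent.mkdir(parents=True)
    con = sqlite3.connect(home / TCC_DB)  # column subset of the real access table
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                "auth_value INTEGER, auth_reason INTEGER, csreq BLOB, last_modified INTEGER)")
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", [
        ("kTCCServiceAccessibility", "com.example.editor", 0, ALLOWED, 2,  # old, has csreq
         b"\xfa\xde\x0c\x00", int(now) - 90 * 86400),
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, ALLOWED, 2,  # fresh, no csreq
         None, int(now) - 300),
        ("kTCCServiceScreenCapture", "com.example.other", 0, 0, 2, None, int(now) - 300),  # denied
    ])
    con.commit(); con.close()


def demo() -> dict:
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(Path(tmp), now)
        return run_triage(Path(tmp), now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # on a live account: run_triage(Path.home())
```

Running the script against the fixture reports `.ex.scpt` and `Library/com.apple.commonjs`, the node-launching agent, and the fresh Terminal grant with no csreq, while the old Accessibility grant and the denied row stay quiet. On a real Mac, reading TCC.db requires the calling process to hold Full Disk Access, and the database is opened read-only so triage never touches the very records under suspicion.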

MITRE Techniques

  • [T1566] Phishing – Initial delivery used a phishing email prompting download/opening of an AppleScript masquerading as a document (‘The infection chain starts with a phishing email that prompts the user to download an AppleScript file named “Confirmation_Token_Vesting.docx.scpt”’)
  • [T1059.002] Command and Scripting Interpreter: AppleScript – AppleScript files perform the initial fetch, execute hidden scripts, and present fake credential dialogs (‘Once the user opens the AppleScript file, they are presented with a prompt instructing them to run the script’)
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The AppleScript builds and runs silent curl requests and executes shell commands such as dscl and killall (‘This part of the script builds a silent curl request to “sevrrhst[.]com”’)
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The attacker delivers JavaScript payloads (index.js, default.js, addon.js) that profile the system, act as loaders, and implement command loops (‘The JavaScript file, index.js, is a loader that profiles the system and sends the data to the C2’)
  • [T1222.002] File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification – The TCC directory is renamed and manipulated to enable injection of forged access records (‘To bypass integrity checks, the TCC directory is renamed to com.appled.tcc using Finder’)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Malicious AppleScript filenames and installed directories mimic legitimate documents and macOS directories (e.g., Confirmation_Token_Vesting.docx.scpt and ~/Library/com.apple.commonjs) (‘The script creates a folder named com.apple.commonjs in ~/Library’)
  • [T1140] Deobfuscate/Decode Files or Information – Several payloads and responses are Base64-encoded and decoded during execution (‘A request is made to the C2, which retrieves and executes a Base64-encoded script’)
  • [T1543.001] Create or Modify System Process: Launch Agent – Persistence is achieved by dropping a LaunchAgent .plist that launches node with default.js on load (‘A LaunchAgent .plist is also downloaded into the LaunchAgents directory to ensure the malware automatically starts’)
  • [T1553.006] Subvert Trust Controls: Code Signing Policy Modification – The campaign extracts code-signing requirements from trusted apps and forges csreq entries to insert into TCC (‘Using the codesign command codesign -d --requirements, it extracts the designated code-signing requirement from the target application’)
  • [T1082] System Information Discovery – The loader collects OS version, CPU, memory, disk layout, network interfaces, and running processes for profiling (‘The script identified the system platform… and then gathers OS version, CPU details, memory usage, disk layout, network interfaces, and running process’)
  • [T1057] Process Discovery – The JavaScript profiling enumerates running processes as part of system fingerprinting (‘The script identified the system platform… and then gathers … running process’)
  • [T1105] Ingress Tool Transfer – Additional tooling (Node binaries, archives, and binaries delivered as Base64) is retrieved from the C2 onto the victim (‘These return a node archive, bundled Node.js binary, and a JavaScript payload’)

Indicators of Compromise

  • [IP Address] C2 server – 88.119.171.59
  • [Domain] Command-and-control and distribution domains – sevrrhst[.]com, stomcs[.]com
  • [URL] C2 endpoints used for registration and payload retrieval – https://sevrrhst[.]com/inc/register.php?req=next, https://sevrrhst[.]com/inc/register.php?req=init
  • [File Name] Malicious AppleScript lures and payload names – Confirmation_Token_Vesting.docx.scpt, EDD_Questionnaire_Individual_Blank_Form.docx.scpt
  • [File Hash] Known sample hashes (MD5) for delivered scripts – d3539d71a12fe640f3af8d6fb4c680fd (Confirmation_Token_Vesting.docx.scpt), 94b7392133935d2034b8169b9ce50764 (EDD_Questionnaire_Individual_Blank_Form.docx.scpt)


Read more: https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign