Creating signed and customized backdoored macOS applications by abusing Apple Developer tools

This post will show you the steps necessary to embed an Empire payload within a trusted PKG installer, using Apple’s own Developer Tools to help accomplish the task and bypass GateKeeper!

Often during a red team engagement, you might find yourself needing to create a viable working installer to accompany a spear phish, that not only emulates real software but installs a valid, working application to avoid suspicion.

Understanding Development Certificates

The macOS Developer ID installer works for signing Pkg files to help bypass Gatekeeper in itself. Theoretically to get by Gatekeeper all you need is a working Pkg file that is signed properly. Working via the command line is cumbersome and finding the right certificate can be troublesome and time intensive. The blue highlighted text above illustrates the correct macOS “Developer ID Installer” certificate to use when signing your backdoored application.

Third party developer certificate information is not made clearly visible.

Empire

The excerpt below explains the PKG installer structure and how to create a payload with Empire below:

Pkg files are OSX installation packages that can be used to deploy new applications or updates. An excellent overview of the package directory structure can be seen here. Of the three package file structures, a flat package with install files is best format to serve our malicious purpose. The contents of a PKG installer consists of the Payload, Scripts, Bom (Bill-Of-Materials), and PkgInfo file. The payload file is a cpio compressed file consisting of the files/application you wish to copy to the file system. The scripts file is also a cpio compressed file comprised of either a pre-install or post-install bash script. Pre-install scripts are executed at the start of the installation process. While post-install scripts are executed at the end of the installation process. The Bom file details the contents of the package. To weaponize this, we would ideally want to use an Empire application bundle as the payload and have the post-install script execute the application. However, we can mix it up by storing the Empire launcher in the post-install script and use the application as a decoy. There is a great guide available here for creating a package installers for OSX on Linux. This entire process is now automated in Empire! Let’s briefly review the stager options:

Abusing PackageMaker to backdoor applications

PackageMaker has functionality that allows a “trusted” Apple developer to combine two PKG installers into one file, or combine an .app and a Pkg installer file into a unified, signed Mac OS Pkg. We can add our Payload, refine the look and feel of the installer itself, and do most of the heavy lifting with a nice GUI.

The example below is for demonstration purposes only. We’re going to unpack a legitimate 1Password Pkg installer we downloaded, and backdoor the installer as shown below with an Empire Payload.

# pkgutil --expand 1Password-7.0.4.pkg 1Password-expanded/
# pushd 1Password-expanded/
# ls
Bom PackageInfo Payload Scripts
# tar xvf Payload |cpio -id
# -- snip --
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Versions/A/Resources/Info.plist
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Versions/A/Modules
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Versions/A/Modules/OnePasswordUI.swiftmodule
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Versions/A/Modules/OnePasswordUI.swiftmodule/x86_64.swiftdoc
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Versions/A/Modules/OnePasswordUI.swiftmodule/x86_64.swiftmodule
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Versions/A/Modules/module.modulemap
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Versions/Current
x ./1Password 7.app/Contents/Frameworks/OnePasswordUI.framework/Modules
x ./1Password 7.app/Contents/Frameworks/libswiftsimd.dylib
x ./1Password 7.app/Contents/Info.plist
x ./1Password 7.app/Contents/PkgInfo
-- snip --
# ls
1Password 7.app Bom PackageInfo Payload Scripts
PackageMaker allows you to easily select the Developer ID Installer certificate

We can now take our 1Password .app file and our .pkg Empire payload and merge them with PackageMaker, creating our backdoored 1Password installer that bypasses GateKeeper and executes our Payload and installs 1Password.

For demonstration purposes I did not hide the Payload
You have the option to hide the Package Name in PackageMaker
Apple Inc.

By using a valid developer certificate, creating a package with Empire and signing the Payload with PackageMaker we can bypass Gatekeeper, and pop a shell without arising suspicion with relative ease. The Next steps are persistence and post-exploitation. Happy hacking!

Remediation

Don’t allow execution of third party developer programs on your Mac in corporate environments, and always follow best security practices when executed anything downloaded from the Internet. Programs like TaskExplorer can help ensure that all software installed is legitimate.

https://objective-see.com/products/taskexplorer.html
Make sure you’re very careful when you execute an app from “identified developers”

Future Work:

As shown above it’s possible to abuse the third party developer certificate mechanism itself, making the faux application appear as Apple themselves not a legitimate developer. Combing these two attack vectors would make a Pkg file indistinguishable from a legitimate Apple Pkg installer.

References:

https://objective-see.com/products.html

Like what you read? Give Adam Toscher a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.