This is about … .
- 📦 Attachements
- 🔗 Links
For example, cybercriminals could typosquat a domain. Victims who visit the website are told they are infected, and a phone number is provided to get in touch with “tech support”.
Unlike trojanized applications (described later) that still provide the original application’s functionality so that nothing appears amiss, fake applications generally execute a malicious payload and then exit.
Pirated or Cracked Apps
Custom URL Schemes
WindTail infected Mac users by abusing various features of macOS, including Safari’s automatic opening of files deemed safe and the operating system’s registration of custom URL schemes. The victim would download a ZIP archive containing the malware. If the target was using Safari, the browser would extract the archive automatically thanks to its Open “safe” files option, which is enabled by default. macOS will automatically process any application as soon as it is saved to disk, which happens when it is extracted from an archive. This processing includes registering the application as a URL handler if the application supports any custom URL schemes.
CFBundleURLSchemes in the app’s
lsd will parse this info and register the schemes in the launch services database com.apple.LaunchServices-231-v2.csstore. Check the DB with the two commands below (the first watches lsd write the database, the second dumps its contents):
fs_usage -w -f filesystem
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump
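As an added example (not part of these notes), a Python helper that pulls the CFBundleURLSchemes out of an app's Info.plist, i.e. the data lsd reads when it registers the handler; useful for listing which bundles on a disk register custom schemes. The sample plist is constructed and the bundle path argument is hypothetical.

```python
import os
import plistlib
from typing import Dict, List

# Constructed sample Info.plist (not from any real app): declares two custom
# URL schemes, which lsd would register as soon as the bundle hits disk.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.constructed</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>exampleapp</string>
                <string>ex-open</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""


def url_schemes_from_plist(data: bytes) -> Dict[str, List[str]]:
    """Return {bundle_id: [schemes]} for the custom URL schemes an Info.plist declares.

    CFBundleURLTypes is an array of dicts, each of which may carry a
    CFBundleURLSchemes array. Bundles without any return an empty list, so a
    scan over many apps can flag only those that register handlers.
    """
    info = plistlib.loads(data)
    bundle_id = info.get("CFBundleIdentifier", "<unknown>")
    schemes: List[str] = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return {bundle_id: schemes}


def scan_bundle(bundle_path: str) -> Dict[str, List[str]]:
    """Read Contents/Info.plist from an .app bundle on disk (hypothetical path)."""
    with open(os.path.join(bundle_path, "Contents", "Info.plist"), "rb") as fh:
        return url_schemes_from_plist(fh.read())


if __name__ == "__main__":
    print(url_schemes_from_plist(SAMPLE_INFO_PLIST))
```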
Usually written in Visual Basic for Applications (VBA), macro code generally uses auto-execute entry points such as AutoOpen and Document_Open so that its malicious code runs as soon as the document is opened and the user has enabled macros. Use 🧰 oletools to extract and examine macros:
olevba -c filename
Supply Chain Attacks
Account Compromises of Remote Services