This is about … .
Malicious Emails
- 📦 Attachments
- Links
Fake Support
One example: cybercriminals typosquat a domain. Visitors to the website are told that their machine is infected, and a phone number is provided to get in touch with “tech support”.
Fake updates
Fake Apps
Unlike trojanized applications (described later) that still provide the original application’s functionality so that nothing appears amiss, fake applications generally execute a malicious payload and then exit.
Trojans
https://objective-see.org/blog/blog_0x49.html
Pirated or Cracked Apps
iWorm
Custom URL Schemes
WindTail infected Mac users by abusing various features of macOS, including Safari’s automatic opening of files deemed safe and the operating system’s registration of custom URL schemes. The victim would download a ZIP archive containing the malware. If the target was using Safari, the browser would extract the archive automatically thanks to its Open “safe” files option, which is enabled by default. macOS will automatically process any application as soon as it is saved to disk, which happens when it is extracted from an archive. This processing includes registering the application as a URL handler if the application supports any custom URL schemes.
Look for CFBundleURLSchemes in the app’s Info.plist.
A daemon, lsd, parses this info and registers the schemes in the launch services database com.apple.LaunchServices-231-v2.csstore. Check the DB with lsregister.
BTFM
fs_usage -w -f filesystem
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump
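To hunt for applications that register custom URL schemes the way the note above describes, here is an added Python example (not from the original notes or from any of the referenced projects) that reads CFBundleURLSchemes out of each app bundle's Info.plist; the sample plist, the `com.example.sampleapp` identifier and the scheme names in it are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample Info.plist (not taken from any real application) that
# declares two custom URL schemes under CFBundleURLTypes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Sample handler</string>
      <key>CFBundleURLSchemes</key>
      <array><string>sample-scheme</string><string>samplehelper</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def url_schemes_from_plist(data: bytes) -> dict:
    """Return the bundle id and every custom URL scheme declared in one Info.plist (XML or binary)."""
    info = plistlib.loads(data)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        # Each CFBundleURLTypes entry can list several schemes.
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return {"bundle_id": info.get("CFBundleIdentifier", "<none>"), "schemes": schemes}


def scan_apps(root: Path) -> dict:
    """Map each .app under root that registers custom URL schemes to its bundle id and schemes."""
    found = {}
    for plist_path in root.glob("**/*.app/Contents/Info.plist"):
        try:
            record = url_schemes_from_plist(plist_path.read_bytes())
        except plistlib.InvalidFileException:
            continue  # malformed plist: skip it rather than abort the whole sweep
        if record["schemes"]:
            found[str(plist_path.parent.parent)] = record
    return found


def demo_scan() -> dict:
    """Stage the constructed plist as a fake Sample.app bundle in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        contents = Path(tmp) / "Sample.app" / "Contents"
        contents.mkdir(parents=True)
        (contents / "Info.plist").write_bytes(SAMPLE_INFO_PLIST)
        return {Path(app).name: rec["schemes"] for app, rec in scan_apps(Path(tmp)).items()}
```

Point scan_apps at /Applications, ~/Applications or ~/Downloads to list which bundles would become URL handlers simply by being saved to disk.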
Macros
Usually written in Visual Basic for Applications (VBA), macro code generally relies on auto-execution entry points such as AutoOpen and Document_Open to ensure its malicious code runs automatically once the document is opened and the user has enabled macros. Use 🧰 oletools to extract and examine macros: olevba -c filename
Supply Chain Attacks
Account Compromises of Remote Services
RDP, SSH