Common Initial Attack Vectors

Created: 28.07.2022

This is about … .

Malicious Emails

  1. 📦 Attachments
  2. 🔗 Links

Fake Support

For example, cybercriminals typosquat a domain; visitors are told their machine is infected and given a phone number to call for “tech support”.

Fake updates

Fake Apps

Unlike trojanized applications (described later) that still provide the original application’s functionality so that nothing appears amiss, fake applications generally execute a malicious payload and then exit.

Trojans

https://objective-see.org/blog/blog_0x49.html

Pirated or Cracked Apps

iWorm

Custom URL Schemes

WindTail infected Mac users by abusing several macOS features, including Safari’s automatic opening of files deemed safe and the operating system’s registration of custom URL schemes. The victim downloaded a ZIP archive containing the malware. If the target was using Safari, the browser extracted the archive automatically thanks to its Open “safe” files option, which is enabled by default. macOS processes any application as soon as it is saved to disk, which happens when it is extracted from an archive; this processing includes registering the application as a URL handler for any custom URL schemes it declares.

Look for CFBundleURLSchemes in the app’s Info.plist.

The lsd daemon parses this information and registers the schemes in the launch services database (com.apple.LaunchServices-231-v2.csstore). Check the DB with lsregister.

📘 BTFM

fs_usage -w -f filesystem
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump
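To spot bundles that would be registered as URL handlers the way WindTail was, here is an added Python example (not from the original page) that pulls CFBundleURLSchemes out of each app bundle’s Info.plist, the same data lsd feeds into the launch services database. The embedded sample plist is constructed, and the /Applications and ~/Applications roots are assumptions.

```python
import os
import plistlib
from typing import Dict, List

# Constructed sample Info.plist (not from any real app) declaring two custom URL schemes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLName</key><string>Sample handler</string>
    <key>CFBundleURLSchemes</key>
    <array><string>example-scheme</string><string>example-alt</string></array>
  </dict></array>
</dict></plist>
"""


def url_schemes(plist_bytes: bytes) -> List[str]:
    """Return the custom URL schemes an Info.plist declares (XML or binary plist)."""
    info = plistlib.loads(plist_bytes)
    schemes: List[str] = []
    # CFBundleURLTypes is a list of dicts; each may carry a CFBundleURLSchemes list.
    for url_type in info.get("CFBundleURLTypes") or []:
        if isinstance(url_type, dict):
            for scheme in url_type.get("CFBundleURLSchemes") or []:
                if isinstance(scheme, str) and scheme not in schemes:
                    schemes.append(scheme)
    return schemes


def scan_app_bundles(roots: List[str]) -> Dict[str, List[str]]:
    """Map each .app bundle under the given roots to the URL schemes its Info.plist registers."""
    found: Dict[str, List[str]] = {}
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            if not dirpath.endswith(".app"):
                continue
            dirnames[:] = []  # do not descend into the bundle's own contents
            try:
                with open(os.path.join(dirpath, "Contents", "Info.plist"), "rb") as fh:
                    schemes = url_schemes(fh.read())
            except Exception:  # unreadable or malformed Info.plist: skip this bundle
                continue
            if schemes:
                found[dirpath] = schemes
    return found


if __name__ == "__main__":
    for app, schemes in scan_app_bundles(["/Applications", os.path.expanduser("~/Applications")]).items():
        print(f"{app}: {', '.join(schemes)}")
```

Compare the output with lsregister -dump: a scheme that lsd has registered for a bundle outside the usual application folders (a freshly extracted download, for instance) is worth a closer look.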

Macros

Usually written in Visual Basic for Applications (VBA), macro code generally hooks auto-execution entry points such as AutoOpen and Document_Open so that its malicious code runs automatically once the document is opened and the user has enabled macros. Use 🧰 oletools to extract and examine macros: olevba -c filename

Supply Chain Attacks

Account Compromises of Remote Services

RDP, SSH

Exploits

Physical Access

References
