Orthrus
Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile. It effectively runs its own MDM server and allows the operator to interface with it using Mythic.
Talks & Publications
-
Orthrus was presented in the Black Hat USA 2021 talk Come to the Dark Side, We Have Apples: Turning macOS Management Evil.
-
Further information about detecting Orthrus can be found at TheMacPack.io - Detecting Orthrus and Typhon
Installation
To install Orthrus, you'll need Mythic installed on a remote computer. You can find installation instructions for Mythic at the Mythic project page.
From the Mythic install root, run the command:
./mythic-cli install github https://github.com/MythicAgents/orthrus.git
Once installed, restart Mythic.
Orthrus uses Apple's Push Notification Service to send messages to the target device. For this reason, we need to configure APN push certificates. Some of the options for this can be found at Understanding MDM Certificates.
In my opinion, installing Server.app, setting up Profile Manager and then exporting the push cert from the keychain is the easiest way to do this. Full instructions for getting the APN certs in a more permanent way can be found here.
Instead of running the mdmctl mdmcert upload command manually, put the certificates in the C2_Profiles/mdm/certs/ folder, as apn.pem and apn.key.
Next, generate a SSL certificate for your MDM server.
DNSNAME=mdm.example.org; (cat /etc/ssl/openssl.cnf ; printf "\n[SAN]\nsubjectAltName=DNS:$DNSNAME\n") | openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout mdm.key -out mdm.crt -subj "/CN=$DNSNAME" -reqexts SAN -extensions SAN -config /dev/stdin
Once created, base64 both the key and the certificate and put them in the config file using the Mythic UI for the MDM C2 Profile (Global Configurations -> C2 Profiles -> MDM -> Configure). Also set the mdm_host config item whilst you're here.
Restart the container.
./mythic-cli c2 start mdm
and you're good to go.
Notable Features
- No custom code introduced to the device.
- No beaconing behaviour, Orthrus will check in to Mythic when the operator tells it to using the
force_callbackcommand. - SSL certificate of the MDM server trusted for code signing upon installation.
- Install PKG installers or Profiles.
Executing Packages
Signing
mdmclient will only execute packages that have been signed. If you do not use a signed package, it will silently fail. Usefully, the compromised device will install the TLS certificate of the MDM server (specified in the config) as a CA trusted for code sigining.
First, on an attacker box. Build a PFX file using the certificate and key from the MDM server.
openssl pkcs12 -export -out mdm.pfx -inkey mdm.key -in mdm.crt
Open the resulting pfx file to install it into the keychain.
The certificate can now be used as a signing identity.
pkg-cmd-helper
To automate the process of creating a signed package. I've put together a rough bash script to build packages that execute bash command, and subsequently sign them with an identity - pkg-cmd-helper.sh.
➜ ./pkg-cmd-helper.sh -h
Command line helper to generate pkg files that execute commands.
Author: @rookuu
Syntax: gen.sh -i com.malicious.pkg -o installme.pkg [-s 'My Signing Identity'] command
options:
-h Print this Help.
-i Identifier for the package.
-o File name for the output package.
-s (optional) Identity to use when signing the package.
➜ ./pkg-cmd-helper.sh -i com.rookuu.pkg -o example.pkg -s 192.168.0.5 mkdir /tmp/hacked
Building in /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i
pkgbuild: Adding top-level preinstall script
pkgbuild: Wrote package to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp.pkg
productbuild: Wrote product to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp_dist.pkg
productsign: signing product with identity "192.168.0.5" from keychain /Library/Keychains/System.keychain
productsign: Wrote signed product archive to /var/folders/fc/lc78954d3mnfvn4wbz8_20nc0000gn/T/tmp.mmsY0R6i/temp_dist_signed.pkg
Done, see: example.pkg
Commands Manual Quick Reference
The commands available to us are dependent on the Apple MDM protocol, a full list of commands can be found on Apple's developer docs here.
General Commands
| Command | Syntax | Description |
|---|---|---|
| force_callback | force_callback |
Sends a push notification to the device, forcing it to checkin. |
| certificate_list | certificate_list |
Lists installed certificates. |
| device_information | device_information |
Returns general information about the device. |
| installed_applications | installed_applications |
Lists installed applications. |
| profile_list | profile_list |
Lists installed profiles. |
| provisioning_profile_list | provisioning_profile_list |
Lists installed provisioning profiles. |
| security_info | security_info |
Returns information about the security settings and features for the device. |
| install_profile | install_profile |
Installs a mobile config file (upload using UI). |
| install_pkg | install_pkg |
Installs a PKG installer file (upload using UI). Must be signed, see above. |
Thanks
- @its_a_feature_ for helping to troubleshoot all of the bugs in my code. :)
2 Feb 14, 2022
21 Dec 27, 2022
8 Feb 24, 2022
57 Dec 16, 2022
52 Dec 22, 2022
4 Aug 31, 2021
30 Jan 17, 2022
15 Nov 09, 2022
23 Nov 17, 2022
39 Nov 21, 2022
194 Jan 01, 2023
70 Nov 09, 2022
146 Jan 03, 2023
75 Nov 25, 2022
0 Dec 20, 2021
4 Sep 03, 2022
104 Dec 08, 2022
1 Dec 03, 2021
910 Jan 01, 2023
76 Nov 30, 2022