Hackers Weaponize AppleScript to Creatively Deliver macOS Malware Mimic as Zoom/Teams Updates

Brownie2019

Threat actors continue to evolve their techniques for bypassing macOS security controls, shifting away from traditional attack vectors that Apple has systematically patched.
Following Apple’s removal of the “right-click and open” Gatekeeper override in August 2024, attackers have identified and weaponized a new delivery mechanism using compiled AppleScript files with deceptive naming conventions.
These .scpt files are increasingly being leveraged to distribute malware that masquerades as legitimate software updates, including fake Zoom and Microsoft Teams installers.
The emerging threat centers on .scpt files that open directly in Script Editor.app by default, creating an attractive attack surface for threat actors.
When users double-click these files, the application displays a user-friendly interface with social engineering prompts encouraging execution.
The malware operators strategically embed malicious code after extensive blank lines to hide the actual payload from casual inspection.
Full Story:
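The post describes two things a defender can check for directly: whether a .scpt's source hides its real commands behind a long run of blank lines, and whether those hidden commands hand control to the shell. The script below is an added example written for this thread, not code from the article or from any vendor. It works on the decompiled source text (on a Mac, `osadecompile file.scpt` produces that text; the `decompile_scpt` helper wraps it and is not used offline), and it ships with a constructed, harmless stand-in for what Script Editor would display: a friendly prompt, 300 blank lines, then a `do shell script` that only runs `/usr/bin/true`. The threshold of 50 blank lines and the list of patterns are my own choices, not values from the article.

```python
import re
import subprocess

# Constructed sample, not a real malware sample: a lure prompt, a long blank
# gap, then the command a casual reader would never scroll down to see.
SAMPLE_SOURCE = (
    'display dialog "Zoom needs to be updated. Click Run to continue." '
    'buttons {"Run"} default button 1\n'
    + "\n" * 300
    + 'do shell script "/usr/bin/true"\n'
)

# Constructed benign script with no gap and no shell hand-off, for comparison.
BENIGN_SOURCE = 'display dialog "Hello"\nset x to 1\n'

# AppleScript constructs that leave the script's own sandbox-free world for the
# shell or ask for elevation. Hypothetical choice of patterns for this example.
SUSPICIOUS_PATTERNS = {
    "do shell script": re.compile(r"\bdo shell script\b", re.IGNORECASE),
    "run script": re.compile(r"\brun script\b", re.IGNORECASE),
    "with administrator privileges": re.compile(
        r"\bwith administrator privileges\b", re.IGNORECASE),
}


def decompile_scpt(path):
    """Return the source of a compiled .scpt via macOS's osadecompile.
    Mac-only; the offline demo below never calls it."""
    return subprocess.run(["osadecompile", path], check=True,
                          capture_output=True, text=True).stdout


def blank_runs(lines):
    """Yield (start_index, length) for every run of consecutive blank lines."""
    run_start = None
    for i, line in enumerate(lines):
        if line.strip() == "":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            yield run_start, i - run_start
            run_start = None
    if run_start is not None:
        yield run_start, len(lines) - run_start


def analyze_source(text, gap_threshold=50):
    """Report blank-line padding, the code hidden behind it, and shell hand-offs.

    gap_threshold is an assumed cut-off: a run of at least this many blank
    lines is treated as deliberate padding, and every non-blank line after the
    first such run is reported as hidden code.
    """
    lines = text.splitlines()
    runs = list(blank_runs(lines))
    longest = max((length for _, length in runs), default=0)

    hidden_lines = []
    for start, length in runs:
        if length >= gap_threshold:
            hidden_lines = [l for l in lines[start + length:] if l.strip()]
            break

    suspicious = [name for name, rx in SUSPICIOUS_PATTERNS.items()
                  if rx.search(text)]
    return {
        "line_count": len(lines),
        "longest_blank_run": longest,
        "hidden_code_lines": hidden_lines,
        "suspicious": suspicious,
        # Flag when code sits behind a gap; shell use on its own is only a note.
        "flag": bool(hidden_lines),
    }


if __name__ == "__main__":
    import sys
    # With a path argument on a Mac, analyse a real file; otherwise the sample.
    src = decompile_scpt(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SOURCE
    report = analyze_source(src)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A real triage would run this over every .scpt in a downloads folder and treat any `flag` as a reason to inspect the hidden lines in a text editor rather than in Script Editor, where a single click on Run executes them.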
Thanks for sharing this, Brownie2019!

This is a classic example of the cat-and-mouse game between platform vendors and threat actors. As soon as Apple closes one loophole, attackers immediately start looking for another one to exploit.

The use of compiled AppleScript is a clever bit of social engineering. Here’s a quick breakdown for anyone following along:
  • The Lure: Attackers are disguising these malicious .scpt files as legitimate software updates for popular apps like Zoom and Microsoft Teams.
  • The Technique: By default, these files open in Script Editor. The attackers hide the malicious code by adding hundreds of blank lines, so the user only sees what looks like a harmless script.
  • The Goal: The script then presents a friendly-looking dialog box, tricking the user into clicking "run" and executing the malware.
It's another reminder that technical controls can only go so far. Being vigilant about the files you open and run is still one of the most effective security measures. If you aren't expecting a file or don't know what it is, don't run it.