Monday, January 8, 2018

Automator Script 1 - Sakula

This is an excerpt of an Automator script file found in the Caches folder following restoration in late September.  While this Automator Script may be innocuous, even necessary, some entries troubled me.  This is an excerpt from com.apple.automator.actionCache:

/System/Library/Automator/Export vCards.action]Export vCardsU1.0.2]Export_vCards“ I J K MUTypesYContainer° L_ com.apple.cocoa.pathTList£ O P QSvcfUvcardVexportXContacts–_ /Applications/Contacts.app° R” W I J X Y MXOptional ° Z_ #com.apple.addressbook.person-object‘ \ ] ^ _ ` a b cYAMDResult_ AMDRelatedActionsZAMDSummaryZAMDWebsite_ *Contacts items converted into vCard format_ 0com.apple.Automator.GetSpecifiedAddressBookItems_ ºThis action takes people from Contacts and exports them in vCard format. The action can create a vCard file containing all of the people or create an individual vCard file for each person._ http://www.apple.com° e_ AMCategoryContacts£ O P Q†“ i j k l[destination[vCardOutputY~/Desktop ° Rfl . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B o p q r s r t w x { Ç É Ö à ã å ç é è ê_ Copyright 2009-2012, Apple Inc._ 2/System/Library/Automator/Add Color Profile.action_ Add Color ProfileU7.7.3_ AddColorProfile“ I J u M° v_ com.apple.cocoa.path£ x y zYQuickTimeUMovieVChange’ | } ~  Ä Å Å Å l ÅWMessageVAction[ApplyButtonULevel\IgnoreButtonP_ "/Applications/QuickTime Player.app° Ñ_ QuickTime Player” W I J X á M ° v— â äZAMDSummary_ fThis action adds a color profile to QuickTime movie files. If a color profile present, it is replaced.° å_ AMCategoryMovies£ x y z†–° Ñfl . / 0 1 2 3 4 5 6 7 8 9 : ; = > ? A B í ì * î ï ñ ï ó ö õ ú ù û † § • ¶ ß ®_ #Copyright 2004 Apple Computer, Inc._ H/System/Library/Automator/Convert Playlist object to Song object.caction_ &Convert Playlist object to Song

_ AMDRelatedActionsZAMDSummary° _ com.apple.Automator.URLList_ pThis action displays webpages in Safari when given the URL addresses and returns the resulting Safari documents._ /URL addresses passed in from a previous action.° _ AMCategoryInternet• ˚ ¸ ˝ ˛ ˇ–° fl . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? A B Ø ! " # $ ' , - . / :o 6Copyright © 2004-2012 Apple Inc. All rights reserved._ //System/Library/Automator/New Disk Image.action^New Disk ImageU2.0.1_ AMNewDiskImageAction“ I J M° _ com.apple.cocoa.path£ SNewTDiskYDiskImageVFinder–_ '/System/Library/CoreServices/Finder.app° ” W I J ∏ & M ° “ ( ) * +ZAMDSummaryZAMDOptions_ 1This action creates a new disk image (.dmg) file.o gThe new volume name defaults to   Disk Image , and the new disk image name defaults to   Disk Image.dmg. ° -_ AMCategoryFilesAndFolders£ œ÷ 0 1 2 3 4 5 6 Å 7 Å X 9XwhenDoneXfileNameZfolderPathZvolumeName\encryptImageYimageSize Y~/Desktop (° fl . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B < = > r ? r @ C x F Ç I J M V X Y Z [ ^_ Copyright 2004-2012 Apple Inc._ ./System/Library/Automator/Start Capture.action]Start Capture_ AMAppleScriptAction“ I J A M° B_ com.apple.applescript.object§ x y D EWCaptureUStart’ | } G  H Å Å Å l Å[ApplyButton\IgnoreButton° Ñ” W I J ∏ L M ° B“ N O P U_ AMDRelatedActionsZAMDSummary§ Q R S T_ com.apple.NewAudioCapture_ com.apple.PauseCapture_ com.apple.NewVideoCapture_ com.apple.StopCapture_ 5This action starts an audio or video capture to disk.° W_ AMCategoryMovies° W§ x y D E†— \ X_ waitForCompletion ° Ñfl . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B ` a b » c » d g ” i j k l o z { | } Å Ço 6Copyright © 2004-2012 Apple Inc. 
All rights reserved._ 7/System/Library/Automator/Add Movie to iDVD Menu.action_ Add Movie to iDVD Menu_ AMAddMovieToiDVDMenuAction“ I J e M° f_ com.apple.cocoa.path§ Œ y — hSAdd–_ I/System/Library/Frameworks/Automator.framework/Resources/ActionLarge.tiff° ”” W I J ∏ n M ° f’ \ p q r fi s t w x y_ AMDRelatedActionsZAMDSummary[AMDRequires[Movie files¢ u v_ com.apple.Automator.AskForMovies_ com.apple.GetSpecifiedMovies_ tThis action adds the selected movie files to a menu in an iDVD project. The movies are added to the end of the menu._ ;iDVD must be running and there must be an active iDVD menu.[Movie files° {_ AMCategoryMovies§ Œ y — h° ~‘ Ë È  Î Ä Ì ” Ó\Display NameQ4–° ”fl . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B Ñ Ö| Ü F á F à ã é " è ê ì ò ô ö õ ú üo 6Copyright © 2004-2012 Apple Inc. All rights reserved._ 4/System/Library/Automator/Get Folder Contents.action_ Get Folder Contents_ GetFolderContents“ I J â M° ä_ com.apple.cocoa.path¢ å çTFileVFolder–° ” W I J X í M ° ä“ î ï ñ ó_ AMDRelatedActionsZAMDSummary_ "com.apple.Automator.SpecifiedFiles_ =This action gets the items from inside the specified folders.° ô_ AMCategoryFilesAndFolders¢ å 熗 ù XWrecurse ° fl . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B ° ¢h £ § • § ¶ ´ ¨ ± ¥ µ ∂ π √ ƒ ≈ ∆ « …o 6Copyright © 2008-2012 Apple Inc. All rights reserved._ 6/System/Library/Automator/Find Calendar Items 2.action_ Find Calendar ItemsU3.0.1_ Find_iCal_Items_2“ I J ß M£ ® © ™_ com.apple.event-kit.event_ com.apple.event-kit.reminder_ com.apple.event-kit.calendar¶ ¨ ≠ Æ Ø ¨ ∞XCalendarUEventUTo DoXReminderTFind’ | } ≤  ≥ Å Å Å l Å[ApplyButton\IgnoreButton_ /Applications/Calendar.app° ¨” W I J ∏ ∏ M £ ® © ™Ÿ \ ∫ ª º Ω fi æ ø ¿ Å Å ¡ Å Å ¬ Å Å Å_ AMDRelatedActionsZAMDSummaryZAMDWebsite[AMDRequiresWAMDNoteXAMDAlertZAMDOptions_ BThis action lets you search for items with the specified criteria._ >Input is passed through and added to the found Calendar items.° ƒ_ AMCategoryCalendar¶ ¨ ≠ Æ Ø ¨ ∞†— » ®XitemType° XCalendarfl . 
/ 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B Ã Õ Œ œ – — “ ’ ◊ ÿ fl ‡ ‚ Â Ë È Í Î Ï ˜o 8Copyright © 2004 2016 by Apple Inc. All rights reserved._ 4/System/Library/Automator/Add to Font Library.action_ Add to Font LibraryS5.0_ AMAppleScriptActionS240“ I J ” M° ‘_ com.apple.applescript.object¢ ÷ åTFontXFontBook’ | } Ÿ  ⁄ € ‹ › l fi[ApplyButton\IgnoreButton_ 2(* Warning message presented to user goes here. *)_ Ñ(* Action name to be suggested to add prior to this action to make the task safer, e.g. com.apple.Automator.CopyFiles, goes here. *)_ =(* Button label for user to add proposed Action, e.g. Add. *)_ G(* Button label for user not to add proposed Action, e.g. Don't Add. *)_ /Applications/Font Book.app° ·YFont Book” W I J X ‰ M ° ‘— Ê ÁZAMDSummary_ \This action adds the objects passed from the previous action to a font library in Font Book.° È_ AMCategoryFonts¢ ÷ å†÷ Ì Ó Ô  Ò Ú X l X Å ı X_ askForAlbumName_ importDestination[askForAlbum[chosenAlbum\newAlbumName]validateFonts ^Imported Fonts ° ·fl . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? A B ˘ ˙R ˚ ¸ ˝ ¨

I have no way of determining the legitimacy of such a script, nor its origination.  It appears to be more of the Sakula malware used by Federal agencies to target individuals.  The dates of the programs being called and accessed concern me, as do the actions themselves, which appear to secretly record the user then transfer those recordings to various formats, and possibly mail them to recipients.  

Entry points include system processes such as Spotlight and Finder, but also Fonts and Dictionary.  The script suggests that fonts are being installed, without the user's knowledge or permission, by triggering the Ignore button to bypass built-in warnings.  In this fashion, Sakula and its variants avoid detection by malware, antivirus, and other security measures.
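A defender looking at the same file would normally read com.apple.automator.actionCache as a property list rather than as raw text, and inventory which action bundles it references and where they load from. The script below is an added example, not code from the post; it assumes a cache layout (a list of per-action dictionaries carrying a bundle path plus the AMDSummary, AMCategory, AMDRequires and AMDRelatedActions keys visible in the dump), and the sample cache it parses is constructed inline, so it runs offline. It also shows, via extract_strings, what the same blob looks like when scanned for printable runs the way the excerpt above was produced.

```python
import plistlib
import re
from typing import Any, Iterator

# Directories from which Apple-shipped and admin-installed Automator actions load.
# Constructed allow-list for this example; tune it to the host being examined.
TRUSTED_ACTION_DIRS = ("/System/Library/Automator/", "/Library/Automator/")

# Metadata keys seen in the dump of com.apple.automator.actionCache.
INTERESTING_KEYS = ("AMDSummary", "AMCategory", "AMDRequires", "AMDRelatedActions")

# Constructed sample cache (assumed layout, not the real on-disk structure).
# Two entries mirror Apple actions named in the dump; the third is a deliberately
# non-system path so the triage step has something to flag.
SAMPLE_CACHE = {
    "actions": [
        {"path": "/System/Library/Automator/Start Capture.action",
         "AMDSummary": "This action starts an audio or video capture to disk.",
         "AMCategory": "AMCategoryMovies"},
        {"path": "/System/Library/Automator/Get Folder Contents.action",
         "AMDSummary": "This action gets the items from inside the specified folders.",
         "AMCategory": "AMCategoryFilesAndFolders"},
        {"path": "/Users/demo/Library/Automator/Example Third-Party.action",
         "AMDSummary": "constructed entry standing in for a non-Apple action",
         "AMCategory": "AMCategoryInternet"},
    ]
}
# Serialise as a binary plist, which is what the real cache file is.
SAMPLE_BLOB = plistlib.dumps(SAMPLE_CACHE, fmt=plistlib.FMT_BINARY)


def walk(node: Any) -> Iterator[Any]:
    """Depth-first walk over every node of a parsed plist (dicts, lists, leaves)."""
    yield node
    if isinstance(node, dict):
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)


def inventory_actions(blob: bytes) -> list:
    """Parse a binary or XML plist and collect every dict that looks like an
    Automator action record, i.e. one holding a string value ending in '.action'.
    Each record reports the bundle path, whether it lives in a trusted directory,
    and any of the descriptive metadata keys that are present."""
    root = plistlib.loads(blob)
    records = []
    for node in walk(root):
        if not isinstance(node, dict):
            continue
        path = next((v for v in node.values()
                     if isinstance(v, str) and v.endswith(".action")), None)
        if path is None:
            continue
        record = {"path": path, "trusted_dir": path.startswith(TRUSTED_ACTION_DIRS)}
        for key in INTERESTING_KEYS:
            if key in node:
                record[key] = node[key]
        records.append(record)
    return records


def suspicious(records: list) -> list:
    """Records whose bundle path is outside the trusted action directories;
    these are the ones worth examining by hand."""
    return [r for r in records if not r["trusted_dir"]]


def extract_strings(blob: bytes, min_len: int = 8) -> list:
    """Crude 'strings'-style scan: runs of printable ASCII of at least min_len bytes.
    On a binary plist this yields text fragments with plist length markers glued on
    (e.g. 'ZAMDSummary'), which is why a raw dump reads the way the excerpt does."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


if __name__ == "__main__":
    inventory = inventory_actions(SAMPLE_BLOB)
    for rec in inventory:
        flag = "" if rec["trusted_dir"] else "  <-- outside trusted dirs"
        print(f"{rec['path']}{flag}")
        print(f"    {rec.get('AMCategory', '?')}: {rec.get('AMDSummary', '')}")
    print(f"{len(suspicious(inventory))} of {len(inventory)} actions need a closer look")
```

Run against a real cache with plistlib.loads(open(path, "rb").read()) in place of SAMPLE_BLOB; the walk is layout-agnostic, so it still finds action records if the real file nests them differently than the constructed sample, but the key names it reports are taken from the dump and should be treated as an assumption until confirmed on the host.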

These scripts are actively complemented by programmers whose code is accessed through HTTP GET requests and other methodologies.  These programmers will have military backgrounds, and ties to Federal agencies.  While some will be from the private sector and be connected to major corporations (usually IT), all receive "Dark Money" funding from US Federal agencies such as the DOD, DHS, and (yes) CIA.  In many cases, "rogue" (non-State) hackers are actively pursued by these Federal agencies... for recruitment.

This is done by charging them with crimes they may or may not have committed, then offering them a "deal."  At no point do Federal authorities attempt to stop this malicious behavior -- thereby intentionally victimizing innocents for their own ends.

© Copyright 2017, The Cyberculturalist