To begin, most of the malware types affecting Mac users strongly resemble threats targeting Windows users—the difference is mainly in the scope and implementation. In addition, the macOS Terminal uses Unix shells (currently Bash by default), so malware can create shell scripts and use the various commands we discussed in the previous chapter, Chapter 10, Dissecting Linux and IoT Malware. Here are some other commands that can be misused on Mac computers:
- pfctl: This allows the attackers to communicate with the Packet Filter (PF), a built-in macOS firewall derived from the BSD world. This component can be used to provide functionality similar to iptables on Linux.
- launchctl: A command-line tool to interact with services.
- pbcopy/pbpaste: These allow the attackers to write to and read from the clipboard, respectively.
- chflags: This tool can be used to change a file's or folder's flag, for example, to hide or unhide it.
- mdfind: An alternative to the classic find tool...
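As an added example (not code from the book), the following POSIX shell helpers show how an analyst can triage the traces left by two of the commands above: files whose BSD flags were set with chflags (for example hidden or uchg) and launchd jobs that are not Apple's own, as reported by launchctl. Both functions read command output from stdin, so on a Mac you would pipe in the live output of `ls -lO <dir>` and `launchctl list`; here they run against constructed sample output so the script works offline. It assumes the column layout of `ls -lO` (flags in the fifth column) and the tab-separated `PID Status Label` layout of `launchctl list`; the file and job names in the samples are invented.

```shell
#!/bin/sh
# Added example, not from the book: offline triage helpers for chflags and
# launchctl traces. Each function filters command output read from stdin.

# Print files carrying a BSD flag commonly set with chflags. `ls -lO` on macOS
# prints the flags in column 5 ("-" when none are set), e.g.
#   -rw-r--r--  1 user  staff  hidden,uchg  4096 Jan  1 12:00 .helper
# The file name starts at column 10 and may contain spaces, so rejoin it.
find_flagged_files() {
    awk 'NF >= 10 && $1 ~ /^[-dlbcps]/ && $5 ~ /(hidden|uchg|schg|uappnd|sappnd)/ {
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        print $5 "\t" name
    }'
}

# Print launchd jobs whose label is not in the com.apple.* namespace.
# `launchctl list` prints a "PID\tStatus\tLabel" header followed by one
# tab-separated line per job; PID is "-" for jobs that are not running and
# Status is the last exit code.
list_third_party_jobs() {
    awk -F'\t' 'NR > 1 && $3 !~ /^com\.apple\./ {
        print $3 " (pid " $1 ", last exit " $2 ")"
    }'
}

# Constructed sample of `ls -lO` output (not captured from a real system).
sample_ls() {
    printf 'total 16\n'
    printf -- '-rw-r--r--  1 user  staff  -              512 Jan  1 12:00 notes.txt\n'
    printf -- '-rwxr-xr-x  1 user  staff  hidden,uchg   4096 Jan  1 12:00 .update helper\n'
    printf 'drwxr-xr-x  3 user  staff  -               96 Jan  1 12:00 Documents\n'
}

# Constructed sample of `launchctl list` output (labels are invented).
sample_launchctl() {
    printf 'PID\tStatus\tLabel\n'
    printf '412\t0\tcom.apple.Finder\n'
    printf -- '-\t0\tcom.apple.cloudd\n'
    printf '873\t0\tcom.example.updater\n'
    printf -- '-\t78\torg.constructed.helper\n'
}

# Stand-alone demo on the constructed samples.
echo "Files with suspicious BSD flags:"
sample_ls | find_flagged_files
echo "launchd jobs outside com.apple.*:"
sample_launchctl | list_third_party_jobs
```

On a real Mac, replace the sample functions with the live commands, for example `ls -lO ~/Library/LaunchAgents | find_flagged_files` and `launchctl list | list_third_party_jobs`; a flagged hidden file inside a LaunchAgents or LaunchDaemons folder is worth a closer look.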