Unpacking the Binary Facade: How to Extract Malicious Scripts from macOS Apps

TLDR: Malware authors frequently wrap malicious scripts inside legitimate-looking macOS application bundles to bypass static analysis and evade detection. By identifying the specific packaging tool—such as PyInstaller, Electron, or Platypus—researchers can skip time-consuming binary reverse engineering and directly extract the underlying script. This approach allows for rapid analysis of the actual malicious logic, which is often trivial to read once the binary wrapper is removed.

Security researchers often find themselves staring at a compiled macOS binary, wondering if it is a sophisticated piece of custom malware or just a wrapper for a script. The reality is that most modern macOS malware is not written in low-level C or Swift. Instead, it is a script—Python, JavaScript, or AppleScript—shoved inside a binary facade. This technique, often categorized under T1027 and T1059 in the MITRE ATT&CK framework, is designed to make the binary look like a standard application to both the user and the operating system.

When you encounter an unknown file, your goal is to classify it as quickly as possible. If it is a known good file, you move on. If it is a known malicious file, you move on. But if it is a brand-new, potentially malicious binary, you need to know what you are dealing with. Spending hours in a disassembler or debugger on a binary that is merely an execution host for a script is a waste of your time.

Identifying the Wrapper

The first step in your analysis is determining the file type. Most static and dynamic analysis tools are file-type specific. If you treat a script-wrapped binary as a standard compiled executable, you will struggle to make sense of the code. You need to identify the tool that created the binary.

Common tools like PyInstaller, Electron, Tauri, and Platypus are the primary culprits. Each of these tools has a unique signature. For example, if you are looking at an Electron application, you will find a dependency on the Electron framework. You can use o-tool or nm to inspect the binary and look for these dependencies.

If you are dealing with a PyInstaller-generated binary, you will see specific strings related to the PyInstaller runtime. A simple strings command on the binary will often reveal these indicators. Once you identify the wrapper, you know exactly which extraction tool to use.

Extracting the Payload

Once you have identified the wrapper, you can extract the embedded script. This is where the real analysis begins. For PyInstaller, you can use pyinstxtractor to unpack the binary. This tool will extract the embedded Python files. However, keep in mind that PyInstaller often compiles these scripts into Python bytecode. You will need a tool like uncompyle6 to decompile the bytecode back into readable Python source code.

For Electron applications, the malicious logic is typically hidden within an asar archive. You can use the asar command-line utility to extract the contents of the archive. Once extracted, you will find the original JavaScript files. JavaScript is generally trivial to analyze, even if it has been minified or obfuscated.

For AppleScript-based applications, the situation is slightly different. You might encounter a compiled AppleScript file. While osacompile is the standard tool for creating these, you can use aevt-decompile to reverse the process. This tool provides a decent reconstruction of the original AppleScript code, which is often enough to understand the malicious intent.

Real-World Impact

In a real-world engagement, you will likely encounter these wrappers in the form of trojanized applications. An attacker might take a popular, legitimate application, inject a malicious script, and then repackage it using one of these tools. The resulting application will function as expected, but it will also execute the malicious payload in the background.

If you are performing a penetration test or a bug bounty assessment, you should always check the application bundle for these wrappers. If you find one, do not waste your time reversing the binary. Instead, focus on extracting the script. Once you have the script, you can analyze it for vulnerabilities, command-and-control (C2) infrastructure, or other malicious behaviors.

Defensive Considerations

Defenders should focus on monitoring the execution of these binaries. Since these applications often use scripts to perform their malicious tasks, you can monitor for suspicious script execution patterns. For example, look for applications that spawn unexpected child processes or attempt to establish network connections to unknown domains. Implementing robust endpoint detection and response (EDR) solutions that can inspect script execution in memory is also critical.

Do not let the binary facade fool you. The next time you see a suspicious macOS application, take a step back and ask yourself if it is really a compiled binary or just a script in disguise. By identifying the wrapper and extracting the payload, you can save yourself hours of work and get straight to the heart of the malicious logic. If you are interested in learning more about this, check out the Art of Mac Malware book series, which covers these techniques in significant detail.