Add macOS Chrome InfoStealer TTP (v1-v4)

[godlovepenn]

Summary:
Adds a comprehensive suite of macOS Chrome InfoStealer TTPs with progressive detection evasion techniques. This TTP family simulates common infostealer behaviors targeting Chrome credentials and system information on macOS systems.

🔐 Version Progression:

V1 - Baseline CLI Approach:

• Uses /usr/bin/security CLI utility to retrieve Chrome safe storage password
• Copies Chrome credential files (Cookies, Login Data, Web Data) to memory/disk
• Supports multiple Chrome profile detection and selection
• Includes system information gathering capabilities

V2 - Native API Evasion:

• Replaces CLI utility with native macOS Security framework API calls via ctypes
• Eliminates process creation telemetry (no child processes spawned)
• Evades command-line argument monitoring and behavioral analysis
• Same credential extraction capabilities with improved OPSEC

V3 - Social Engineering + Offline Decryption:

• Adds user password acquisition via osascript dialogs (fake system prompts)
• Captures keychain database for offline decryption with tools like chainbreaker
• Enables broader access to all keychain items, not just Chrome credentials
• Customizable dialog titles and text for different social engineering scenarios

V4 - Native Dialog + Validation:

• Uses native AppKit framework for password dialogs (indistinguishable from legitimate prompts)
• Validates captured password against keychain before acceptance
• Configurable maximum attempts and custom icons for enhanced legitimacy
• Avoids osascript entirely for improved detection evasion

🎯 MITRE ATT&CK Coverage:

• T1555.003: Credentials from Web Browsers
• T1555.001: Keychain
• T1056.002: GUI Input Capture (v3, v4)

Reviewed By: isaac-fletcher

Differential Revision: D92545192

[meta-codesync]

@godlovepenn has exported this pull request. If you are a Meta employee, you can view the originating Diff in D92545192.

[meta-codesync]

This pull request has been merged in a603754.