XCSSET
Associated Software Descriptions

Name | Description
---|---
OSX.DubRobber | (Citation: malwarebyteslabs xcsset dubrobber)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.006 | Abuse Elevation Control Mechanism: TCC Manipulation | For several modules, XCSSET attempts to access or list the contents of user folders such as Desktop, Downloads, and Documents. If the folder does not exist or access is denied, it enters a loop where it resets the TCC database and retries access.(Citation: Microsoft March 2025 XCSSET)
Enterprise | T1098.004 | Account Manipulation: SSH Authorized Keys | XCSSET will create an ssh key if necessary with the
Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | XCSSET uses a shell script to execute Mach-O files and
Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon | XCSSET uses the ssh launch daemon to elevate privileges, bypass system controls, and enable remote access to the victim.(Citation: trendmicro xcsset xcode project 2020)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | XCSSET uses RC4 encryption over TCP to communicate with its C2 server.(Citation: trendmicro xcsset xcode project 2020)
Enterprise | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | Using AppleScript, XCSSET adds its executable to the user's `~/.zshrc_aliases` file (`"echo " & payload & " > ~/zshrc_aliases"`), then adds a line to the `.zshrc` file to source the `.zshrc_aliases` file (`[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases`). Each time the user starts a new `zsh` terminal session, the `.zshrc` file executes the `.zshrc_aliases` file.(Citation: Microsoft March 2025 XCSSET)
Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | XCSSET uses the
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | XCSSET uses a hidden folder named
Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | XCSSET adds malicious file paths to the
Enterprise | T1056.002 | Input Capture: GUI Input Capture | XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Older XCSSET variants use `xxd` to encode modules. Later versions pass an `xxd` or `base64` encoded blob through multiple decoding stages to reconstruct the module name, AppleScript, or shell command. For example, the initial network request uses three layers of hex decoding before executing a curl command in a shell.(Citation: Microsoft March 2025 XCSSET)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | XCSSET searches firewall configuration files located in
Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | XCSSET has dropped a malicious applet into the `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first-launch apps (prior to macOS 13).(Citation: Application Bundle Manipulation Brandon Dalton)
Enterprise | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | XCSSET uses AppleScript to check the host's language and location with the command
Enterprise | T1569.001 | System Services: Launchctl | XCSSET loads a system-level launch daemon using the
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file,
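The T1546.004 row describes a two-file persistence hook: a sourcing line in `~/.zshrc` and a payload path echoed into `~/.zshrc_aliases`. The following is an added triage script for that pattern; it is not part of the ATT&CK page or of any referenced report, and the rc-file and alias-file contents it scans are constructed samples (the `/Users/example/...` path is invented for illustration). It lists every file an rc file sources and then flags lines in a sourced "alias" file that are not alias, export or option definitions, since anything else there runs on every interactive shell start.

```python
import re

# Matches ". path" or "source path" at the start of a line or after a shell
# operator, which is how a hook such as
#   [ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases
# pulls a second file into every interactive zsh session.
SOURCE_RE = re.compile(r"(?:^|&&|\|\||;)\s*(?:\.|source)\s+(\S+)")


def find_sourced_files(rc_text):
    """Return (line_number, path) for every file an rc file sources."""
    hits = []
    for lineno, line in enumerate(rc_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments
        for m in SOURCE_RE.finditer(code):
            hits.append((lineno, m.group(1)))
    return hits


def find_command_lines(sourced_text):
    """Return (line_number, text) for lines of a sourced alias file that
    are not definitions. A file named for aliases should contain little
    else; a bare path or command here executes on every shell start."""
    flagged = []
    for lineno, line in enumerate(sourced_text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()
        if not code:
            continue
        if re.match(r"(?:alias|unalias|export|setopt|unsetopt)\s", code):
            continue
        flagged.append((lineno, code))
    return flagged


def triage(rc_text, sourced_files):
    """Map each sourced path (looked up verbatim in `sourced_files`, a
    dict of path -> contents, so no variable expansion is attempted) to the
    suspicious lines found in its contents."""
    report = {}
    for _, path in find_sourced_files(rc_text):
        body = sourced_files.get(path)
        if body is None:
            continue
        flagged = find_command_lines(body)
        if flagged:
            report[path] = flagged
    return report


# Constructed sample input (not taken from a real host): a ~/.zshrc with one
# legitimate sourcing line plus the hook described on the page, and the file
# that hook sources.
SAMPLE_ZSHRC = """\
export PATH=$HOME/bin:$PATH
source $HOME/.oh-my-zsh/oh-my-zsh.sh  # legitimate framework hook
[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases
"""

SAMPLE_ALIASES = """\
# constructed: a benign alias next to a bare executable path
alias ll='ls -la'
/Users/example/Library/Caches/.hidden/payload
"""

if __name__ == "__main__":
    result = triage(SAMPLE_ZSHRC, {"$HOME/.zshrc_aliases": SAMPLE_ALIASES})
    for path, lines in result.items():
        for lineno, code in lines:
            print(f"{path}:{lineno}: {code}")
```

On a real host you would read `~/.zshrc` (and `~/.zprofile`, `~/.zshenv`, `~/.bash_profile`) and expand `$HOME` before looking up each sourced path; the constructed dictionary stands in for that file access so the script runs offline.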
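The T1027.013 row says later variants pass an `xxd` or `base64` blob through several decoding stages, three layers of hex in the cited example. Below is an added analyst helper, not code from the page or from the referenced reports, that peels such layers off a captured blob until the result no longer decodes to printable text, and records which encoding each layer used. Hex is tried before base64 at each layer because every hex string is also valid base64 alphabet; the sample blobs are constructed here by encoding a harmless `echo` command.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)
MAX_DEPTH = 16  # guard against blobs that keep decoding to something printable


def _try_hex(s):
    s = "".join(s.split())  # xxd -p output may be line-wrapped
    if not s or len(s) % 2:
        return None
    try:
        return binascii.unhexlify(s)
    except (binascii.Error, ValueError):
        return None


def _try_b64(s):
    s = "".join(s.split())
    if not s or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def _as_text(raw):
    """Return raw as str only if it is printable text; otherwise None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def unwrap_layers(blob):
    """Strip nested hex/base64 layers from blob.

    Returns (layers, plaintext) where layers lists the encoding removed at
    each stage, outermost first, and plaintext is the first result that
    does not decode any further to printable text."""
    layers = []
    current = blob
    for _ in range(MAX_DEPTH):
        for name, decoder in (("hex", _try_hex), ("base64", _try_b64)):
            raw = decoder(current)
            text = _as_text(raw) if raw is not None else None
            if text is not None:
                layers.append(name)
                current = text
                break
        else:
            break  # neither decoder produced printable text: done
    return layers, current


# Constructed samples (not real XCSSET artifacts): a harmless command wrapped
# in three hex layers, as on the page, and one wrapped base64-then-hex.
def _wrap_hex(text, rounds):
    data = text.encode()
    for _ in range(rounds):
        data = binascii.hexlify(data)
    return data.decode()


SAMPLE_PLAIN = "echo constructed-sample"
SAMPLE_TRIPLE_HEX = _wrap_hex(SAMPLE_PLAIN, 3)
SAMPLE_MIXED = binascii.hexlify(base64.b64encode(SAMPLE_PLAIN.encode())).decode()

if __name__ == "__main__":
    for blob in (SAMPLE_TRIPLE_HEX, SAMPLE_MIXED):
        layers, text = unwrap_layers(blob)
        print(" -> ".join(layers), "|", text)
```

The stop rule matters for triage: a short plaintext such as `curl` is valid base64 alphabet, but it decodes to non-printable bytes, so the loop halts and reports the command rather than over-decoding it.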
References
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Microsoft Threat Intelligence. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects. Retrieved April 2, 2025.
- Steven Du, Dechao Zhao, Luis Magisa, Ariel Neimond Lazaro. (2021, April 16). XCSSET Quickly Adapts to macOS 11 and M1-based Macs. Retrieved February 18, 2025.
- Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021.
- Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.