XCSSET

XCSSET will create an ssh key if necessary with the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command. XCSSET will upload a private key file to the server to remotely access the host without a password.(Citation: trendmicro xcsset xcode project 2020)

XCSSET uses a shell script to execute Mach-o files and osacompile commands such as, osacompile -x -o xcode.app main.applescript.(Citation: trendmicro xcsset xcode project 2020)

XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.(Citation: trendmicro xcsset xcode project 2020)

XCSSET uses RC4 encryption over TCP to communicate with its C2 server.(Citation: trendmicro xcsset xcode project 2020)

XCSSET uses the chmod +x command to grant executable permissions to the malicious file.(Citation: 20 macOS Common Tools and Techniques)

XCSSET uses a hidden folder named .xcassets and .git to embed itself in Xcode.(Citation: trendmicro xcsset xcode project 2020)

XCSSET adds malicious file paths to the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables to execute malicious code.(Citation: trendmicro xcsset xcode project 2020)

XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.(Citation: trendmicro xcsset xcode project 2020)

XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.(Citation: trendmicro xcsset xcode project 2020)

XCSSET has dropped a malicious applet into an app's `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first launch apps (prior to macOS 13).(Citation: Application Bundle Manipulation Brandon Dalton)

XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or enumerates all .xcodeproj folders under a given directory. XCSSET then downloads a script and Mach-O file into the Xcode project folder.(Citation: trendmicro xcsset xcode project 2020)

XCSSET uses AppleScript to check the host's language and location with the command user locale of (get system info).(Citation: trendmicro xcsset xcode project 2020)

XCSSET loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist.(Citation: trendmicro xcsset xcode project 2020)

Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.(Citation: trendmicro xcsset xcode project 2020)