Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент XCSSET
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
XCSSET
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

XCSSET

XCSSET is a macOS modular backdoor that targets Xcode application developers. XCSSET was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)
ID: S0658
Associated Software: OSX.DubRobber
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 05 Oct 2021
Last Modified: 18 Oct 2022

Associated Software Descriptions
Name Description
OSX.DubRobber (Citation: malwarebyteslabs xcsset dubrobber)

Techniques Used
Domain ID Name Use
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

XCSSET will create an ssh key if necessary with the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command. XCSSET will upload a private key file to the server to remotely access the host without a password.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

XCSSET uses a shell script to execute Mach-o files and osacompile commands such as, osacompile -x -o xcode.app main.applescript.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

XCSSET uses RC4 encryption over TCP to communicate with its C2 server.(Citation: trendmicro xcsset xcode project 2020)

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

XCSSET uses the chmod +x command to grant executable permissions to the malicious file.(Citation: 20 macOS Common Tools and Techniques)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

XCSSET uses a hidden folder named .xcassets and .git to embed itself in Xcode.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

XCSSET adds malicious file paths to the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables to execute malicious code.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1056 .002 Input Capture: GUI Input Capture

XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

XCSSET has dropped a malicious applet into an app's `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first launch apps (prior to macOS 13).(Citation: Application Bundle Manipulation Brandon Dalton)
Enterprise T1195 .001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools

XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or enumerates all .xcodeproj folders under a given directory. XCSSET then downloads a script and Mach-O file into the Xcode project folder.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1614 .001 System Location Discovery: System Language Discovery

XCSSET uses AppleScript to check the host's language and location with the command user locale of (get system info).(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1569 .001 System Services: Launchctl

XCSSET loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist.(Citation: trendmicro xcsset xcode project 2020)
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.(Citation: trendmicro xcsset xcode project 2020)

References

  1. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  2. Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021.
  3. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
  4. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.