S0161 XAgentOSX
XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan. [1]
| Item | Value |
|---|---|
| ID | S0161 |
| Associated Names | OSX.Sofacy |
| Type | MALWARE |
| Version | 1.3 |
| Created | 14 December 2017 |
| Last Modified | 30 March 2020 |
Associated Software Descriptions
| Name | Description |
|---|---|
| OSX.Sofacy | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | XAgentOSX contains the ftpUpload function, which uses the FTPManager:uploadFile method to upload files from the target system. [1] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | XAgentOSX contains the getFirefoxPassword function, which attempts to locate Firefox passwords. [1] |
| enterprise | T1083 | File and Directory Discovery | XAgentOSX contains the readFiles function, which returns a detailed (sometimes recursive) listing of a specified directory. [1] XAgentOSX also contains the showBackupIosFolder function, which checks for iOS device backups by running `ls -la ~/Library/Application\ Support/MobileSync/Backup/`. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | XAgentOSX contains the deletFileFromPath function, which deletes a specified file using the NSFileManager:removeFileAtPath method. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | XAgentOSX contains keylogging functionality that monitors the active application window and writes captured keystrokes to its log. It can handle special characters, and by default it buffers 50 characters before sending them out over the C2 infrastructure. [1] |
| enterprise | T1106 | Native API | XAgentOSX contains the execFile function, which executes a specified file on the system using the NSTask:launch method. [1] |
| enterprise | T1057 | Process Discovery | XAgentOSX contains the getProcessList function, which runs `ps aux` to enumerate running processes. [1] |
| enterprise | T1113 | Screen Capture | XAgentOSX contains the takeScreenShot function (along with startTakeScreenShot and stopTakeScreenShot), which takes screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods. [1] |
| enterprise | T1082 | System Information Discovery | XAgentOSX contains the getInstalledAPP function, which runs `ls -la /Applications` to gather the list of installed applications. [1] |
| enterprise | T1033 | System Owner/User Discovery | XAgentOSX contains the getInfoOSX function, which returns the OS X version as well as the current user. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1] [2] [3] |
References
1. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's XAgent macOS Tool. Retrieved July 12, 2017.
2. Symantec Security Response. (2018, October 4). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
3. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.