S0658 XCSSET
XCSSET is a macOS modular backdoor that targets Xcode application developers. It was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.[1]
Item | Value |
---|---|
ID | S0658 |
Associated Names | OSX.DubRobber |
Type | MALWARE |
Version | 1.2 |
Created | 05 October 2021 |
Last Modified | 18 October 2022 |
Associated Software Descriptions
Name | Description |
---|---|
OSX.DubRobber | [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[1] |
enterprise | T1098 | Account Manipulation | - |
enterprise | T1098.004 | SSH Authorized Keys | XCSSET will create an SSH key if necessary with the command `ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P`. XCSSET will upload a private key file to the server to remotely access the host without a password.[1] |
enterprise | T1560 | Archive Collected Data | XCSSET will compress entire `~/Desktop` folders, excluding all `.git` folders, but only if the total data size is under 200MB.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | XCSSET uses a shell script to execute Mach-O files and `osacompile` commands such as `osacompile -x -o xcode.app main.applescript`.[1] |
enterprise | T1554 | Compromise Client Software Binary | XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.004 | Launch Daemon | XCSSET uses the ssh launch daemon to elevate privileges, bypass system controls, and enable remote access to the victim.[1] |
enterprise | T1486 | Data Encrypted for Impact | XCSSET performs AES-CBC encryption on files under `~/Documents`, `~/Downloads`, and `~/Desktop` with a fixed key and renames files to give them a `.enc` extension. Only files smaller than 500MB are encrypted.[1] |
enterprise | T1005 | Data from Local System | XCSSET collects contacts and application data from files in the Desktop, Documents, Downloads, Dropbox, and WeChat folders.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | XCSSET exfiltrates data stolen from a system over its C2 channel.[1] |
enterprise | T1068 | Exploitation for Privilege Escalation | XCSSET has used a zero-day exploit in the ssh launch daemon to elevate privileges and bypass SIP.[1] |
enterprise | T1083 | File and Directory Discovery | XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions.[3] |
enterprise | T1222 | File and Directory Permissions Modification | - |
enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | XCSSET uses the `chmod +x` command to grant executable permissions to the malicious file.[4] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | XCSSET uses hidden folders named `.xcassets` and `.git` to embed itself in Xcode projects.[1] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.006 | Dynamic Linker Hijacking | XCSSET adds malicious file paths to the `DYLD_FRAMEWORK_PATH` and `DYLD_LIBRARY_PATH` environment variables to execute malicious code.[1] |
enterprise | T1105 | Ingress Tool Transfer | XCSSET downloads browser-specific AppleScript modules with the `curl` command, using a URL constructed as `"https://" & domain & "/agent/scripts/" & moduleName & ".applescript"`.[1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.002 | GUI Input Capture | XCSSET prompts the user to input credentials using a native macOS dialog box, leveraging the system process `/Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment`.[1] |
enterprise | T1036 | Masquerading | XCSSET builds a malicious application bundle that resembles Safari by using the Safari icon and `Info.plist`.[1] |
enterprise | T1647 | Plist File Modification | XCSSET uses the `plutil` command to modify the `LSUIElement`, `DFBundleDisplayName`, and `CFBundleIdentifier` keys in the `/Contents/Info.plist` file to change how XCSSET is visible on the system.[1] |
enterprise | T1113 | Screen Capture | XCSSET saves a screen capture of the victim's system with a numbered filename and `.jpg` extension. Screen captures are taken at specified intervals based on the system.[1] |
enterprise | T1518 | Software Discovery | XCSSET uses `ps aux` with the `grep` command to enumerate common browsers and system processes that could impact XCSSET's exfiltration capabilities.[1] |
enterprise | T1518.001 | Security Software Discovery | XCSSET searches firewall configuration files located in `/Library/Preferences/` and uses `csrutil status` to determine whether System Integrity Protection is enabled.[1] |
enterprise | T1539 | Steal Web Session Cookie | XCSSET uses `scp` to access the `~/Library/Cookies/Cookies.binarycookies` file.[1] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.001 | Gatekeeper Bypass | XCSSET has dropped a malicious applet into the `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first-launch apps (prior to macOS 13).[3] |
enterprise | T1195 | Supply Chain Compromise | - |
enterprise | T1195.001 | Compromise Software Dependencies and Development Tools | XCSSET adds malicious code to a host's Xcode projects, either by enumerating CocoaPods `target_integrator.rb` files under the `/Library/Ruby/Gems` folder or by enumerating all `.xcodeproj` folders under a given directory. XCSSET then downloads a script and a Mach-O file into the Xcode project folder.[1] |
enterprise | T1082 | System Information Discovery | XCSSET identifies the macOS version and uses `ioreg` to determine the serial number.[1] |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | XCSSET uses AppleScript to check the host's language and location with the command `user locale of (get system info)`.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.001 | Launchctl | XCSSET loads a system-level launch daemon using the `launchctl load -w` command from `/System/Library/LaunchDaemons/ssh.plist`.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, `.report`. After the elapsed time, XCSSET executes additional modules.[1] |
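The command-line indicators listed in the table are concrete enough to be turned directly into detection content. The following is an added example, not part of the ATT&CK entry or of the cited reports: a small Python helper that maps process command lines to the technique IDs above, separating rules that are specific to XCSSET (the `ssh-keygen ... -P` key creation, `plutil` edits of the listed `Info.plist` keys, `launchctl load -w` of `ssh.plist`, `scp` of `Cookies.binarycookies`, `DYLD_*_PATH` injection, the `/agent/scripts/*.applescript` download) from common discovery commands (`csrutil status`, `chmod +x`, `ps aux | grep`, `ioreg`) that only matter when several of them co-occur on one host. The event format and all sample command lines are constructed for illustration; the regexes are derived from the descriptions in the table, not from the malware's source.

```python
"""Map process command lines to the XCSSET behaviours catalogued in S0658.

Added example (not part of the ATT&CK page): turns the command-line
indicators in the techniques table into regex rules, tags each matching
process event with its ATT&CK technique ID, and alerts at host level when
the combined evidence is strong enough. The event format and the sample
events are constructed for illustration.
"""
import re
from typing import Dict, List

# "Strong" rules are specific enough to alert on alone. Patterns follow the
# command lines quoted in the techniques table above.
STRONG_RULES = {
    "T1098.004": re.compile(r"ssh-keygen\s+-t\s+rsa\s+-f\s+\S*/\.ssh/id_rsa\s+-P\b"),
    "T1059.004": re.compile(r"osacompile\s+-x\s+-o\s+\S+\.app\b"),
    "T1569.001": re.compile(r"launchctl\s+load\s+-w\s+/System/Library/LaunchDaemons/ssh\.plist"),
    "T1647":     re.compile(r"\bplutil\b.*\b(LSUIElement|DFBundleDisplayName|CFBundleIdentifier)\b.*Info\.plist"),
    "T1539":     re.compile(r"\bscp\b.*Cookies\.binarycookies"),
    "T1574.006": re.compile(r"\bDYLD_(FRAMEWORK|LIBRARY)_PATH="),
    "T1105":     re.compile(r"\bcurl\b.*/agent/scripts/\S+\.applescript"),
}

# "Weak" rules match ordinary admin commands that XCSSET also runs; on their
# own they are noise, together they reproduce its discovery sequence.
WEAK_RULES = {
    "T1518.001": re.compile(r"\bcsrutil\s+status\b"),
    "T1222.002": re.compile(r"\bchmod\s+\+x\b"),
    "T1518":     re.compile(r"\bps\s+aux\b.*\|\s*grep\b"),
    "T1082":     re.compile(r"\bioreg\b"),
}


def classify(cmdline: str) -> Dict[str, List[str]]:
    """Return the strong and weak technique IDs matched by one command line."""
    return {
        "strong": [tid for tid, rx in STRONG_RULES.items() if rx.search(cmdline)],
        "weak": [tid for tid, rx in WEAK_RULES.items() if rx.search(cmdline)],
    }


def evaluate_host(events: List[str], weak_threshold: int = 2) -> Dict[str, object]:
    """Aggregate matches for all process events seen on one host.

    Alert when any strong indicator fired, or when at least `weak_threshold`
    distinct weak techniques were observed (correlation keeps a lone
    `chmod +x` or `csrutil status` from paging anyone).
    """
    strong, weak = set(), set()
    for cmdline in events:
        hit = classify(cmdline)
        strong.update(hit["strong"])
        weak.update(hit["weak"])
    alert = bool(strong) or len(weak) >= weak_threshold
    return {"alert": alert, "strong": sorted(strong), "weak": sorted(weak)}


# Constructed sample process-execution events (not real telemetry).
SAMPLE_EVENTS = [
    "csrutil status",
    "ps aux | grep -i safari",
    "ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P ''",
    "plutil -replace LSUIElement -bool true /tmp/xcode.app/Contents/Info.plist",
    "launchctl load -w /System/Library/LaunchDaemons/ssh.plist",
    "git status",
]

# Constructed developer activity that must not alert.
BENIGN_EVENTS = ["git status", "xcodebuild -scheme App", "chmod +x ./build.sh"]

if __name__ == "__main__":
    print("suspicious host:", evaluate_host(SAMPLE_EVENTS))
    print("benign host:   ", evaluate_host(BENIGN_EVENTS))
```

The strong rules are deliberately anchored on the full argument patterns the table quotes (for example `-f .../.ssh/id_rsa -P`, not just `ssh-keygen`), because every one of the underlying binaries is legitimate on a developer workstation; the weak tier exists so that the discovery commands still contribute evidence without producing a page per `chmod`. Feeding real EDR or `log stream` process events into `evaluate_host` only requires extracting the command-line field.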
References
1. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
2. Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021.
3. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
4. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.