| Name | Description |
|---|---|
| OSX.DubRobber | |
| Domain | ID | Sub-ID | Name | Use |
|---|---|---|---|---|
| Enterprise | T1647 | | Plist File Modification | XCSSET uses the |
| Enterprise | T1554 | | Compromise Host Software Binary | XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[1] |
| Enterprise | T1005 | | Data from Local System | XCSSET collects contacts and application data from files in the Desktop, Documents, Downloads, Dropbox, and WeChat folders.[1] |
| Enterprise | T1036 | | Masquerading | XCSSET builds a malicious application bundle to resemble Safari by using the Safari icon and |
| Enterprise | T1195 | .001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods |
| Enterprise | T1543 | .004 | Create or Modify System Process: Launch Daemon | XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.[1] |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[1] |
| Enterprise | T1574 | .006 | Hijack Execution Flow: Dynamic Linker Hijacking | XCSSET adds malicious file paths to the |
| Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell | XCSSET uses a shell script to execute Mach-O files and |
| Enterprise | T1113 | | Screen Capture | XCSSET saves a screen capture of the victim's system with a numbered filename and |
| Enterprise | T1560 | | Archive Collected Data | XCSSET will compress entire |
| Enterprise | T1486 | | Data Encrypted for Impact | XCSSET performs AES-CBC encryption on files under |
| Enterprise | T1083 | | File and Directory Discovery | XCSSET has used |
| Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | XCSSET uses the |
| Enterprise | T1068 | | Exploitation for Privilege Escalation | XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.[1] |
| Enterprise | T1539 | | Steal Web Session Cookie | XCSSET uses |
| Enterprise | T1614 | .001 | System Location Discovery: System Language Discovery | XCSSET uses AppleScript to check the host's language and location with the command |
| Enterprise | T1082 | | System Information Discovery | XCSSET identifies the macOS version and uses |
| Enterprise | T1569 | .001 | System Services: Launchctl | XCSSET loads a system-level launchdaemon using the |
| Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion | Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, |
| Enterprise | T1087 | | Account Discovery | XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[1] |
| Enterprise | T1098 | .004 | Account Manipulation: SSH Authorized Keys | XCSSET will create an ssh key if necessary with the |
| Enterprise | T1518 | | Software Discovery | XCSSET uses |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery | XCSSET searches firewall configuration files located in |
| Enterprise | T1105 | | Ingress Tool Transfer | XCSSET downloads browser-specific AppleScript modules using a constructed URL with the |
| Enterprise | T1056 | .002 | Input Capture: GUI Input Capture | XCSSET prompts the user to input credentials using a native macOS dialog box, leveraging the system process |
| Enterprise | T1041 | | Exfiltration Over C2 Channel | XCSSET exfiltrates data stolen from a system over its C2 channel.[1] |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories | XCSSET uses a hidden folder named |
| Enterprise | T1553 | .001 | Subvert Trust Controls: Gatekeeper Bypass | XCSSET has dropped a malicious applet into an app's |
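The T1554 and T1036 rows describe a look-alike Safari bundle that replaces or impersonates the real browser. The following is an added example, not code from the page or from the XCSSET samples, of how a responder can check an `.app` bundle's `Info.plist` against the identity its name implies. The `KNOWN_APPS` table, the `/Users/victim/...` path and the plist contents are constructed for illustration; the only fact taken from the page is that Safari is the impersonated app.

```python
import plistlib
from pathlib import PurePosixPath

# Genuine identity of the app XCSSET is reported to impersonate. Only Safari is
# named on this page; other browsers would be added the same way (assumption).
KNOWN_APPS = {
    "Safari": {"identifier": "com.apple.Safari", "path": "/Applications/Safari.app"},
}


def has_hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def audit_bundle(bundle_path: str, info_plist: bytes) -> list:
    """Compare an .app bundle's Info.plist against the identity its name implies.

    Returns a list of human-readable findings; an empty list means nothing odd."""
    info = plistlib.loads(info_plist)
    name = info.get("CFBundleName") or info.get("CFBundleDisplayName") or ""
    ident = info.get("CFBundleIdentifier", "")
    executable = info.get("CFBundleExecutable", "")
    findings = []

    known = KNOWN_APPS.get(name)
    if known is not None:
        if ident != known["identifier"]:
            findings.append(f"{name}: identifier {ident!r}, expected {known['identifier']!r}")
        if bundle_path != known["path"]:
            findings.append(f"{name}: installed at {bundle_path}, expected {known['path']}")
    if has_hidden_component(bundle_path):
        findings.append(f"bundle path contains a hidden component: {bundle_path}")
    # Script Editor exports AppleScript applets with a stub executable named
    # 'applet'; a real browser's main executable is a native binary.
    if executable == "applet":
        findings.append("CFBundleExecutable is 'applet' (AppleScript applet stub)")
    return findings


# Constructed samples: a genuine-looking Safari plist at the stock location, and
# a look-alike bundle dropped under a hidden directory in the user's home.
GENUINE_PLIST = plistlib.dumps({
    "CFBundleName": "Safari",
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
})
FAKE_PATH = "/Users/victim/Library/.cache/Safari.app"  # constructed path
FAKE_PLIST = plistlib.dumps({
    "CFBundleName": "Safari",
    "CFBundleIdentifier": "com.apple.Safari",   # identifier copied verbatim
    "CFBundleExecutable": "applet",
    "CFBundleIconFile": "Safari.icns",          # borrowed icon: not a signal by itself
})

if __name__ == "__main__":
    for path, plist in (("/Applications/Safari.app", GENUINE_PLIST), (FAKE_PATH, FAKE_PLIST)):
        print(path, "->", audit_bundle(path, plist) or "clean")
```

On a live host this stdlib-only check should be paired with `codesign --verify --deep --strict` on the bundle, since a copied icon and identifier cannot reproduce Apple's signature.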
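The T1573.001 row states only that C2 traffic is RC4 over TCP. The following is an added example, not XCSSET's code and not the page's, of a plain RC4 implementation an analyst can use to decrypt a captured TCP payload once the key has been recovered from a sample, plus the property that makes a static-key stream cipher analysable even without the key: two ciphertexts under the same key XOR to the XOR of their plaintexts. The key and messages below are constructed; the page does not give the real key or any framing.

```python
def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def keystream_reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """XOR of two ciphertexts produced under the same key with no nonce.

    The keystream cancels out, so the result equals plaintext_a XOR plaintext_b
    over the common prefix; known plaintext in one message reveals the other."""
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))


# Constructed values for the demonstration; not recovered from any sample.
DEMO_KEY = b"Key"
MSG_A = b"GET /module?browser=safari"
MSG_B = b"GET /module?browser=chrome"

if __name__ == "__main__":
    ct_a, ct_b = rc4(DEMO_KEY, MSG_A), rc4(DEMO_KEY, MSG_B)
    print("ciphertext:", ct_a.hex())
    print("decrypted :", rc4(DEMO_KEY, ct_a))
    # Without the key: XOR of the two captures exposes where the messages differ.
    leak = keystream_reuse_leak(ct_a, ct_b)
    print("differing byte offsets:", [i for i, b in enumerate(leak) if b])
```

`rc4(b"Key", b"Plaintext")` reproduces the standard test vector `bbf316e8d940af0ad3`, which is a quick way to confirm a reimplementation before pointing it at traffic.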
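The T1543.004 and T1569.001 rows describe a launch daemon loaded through launchctl. The following is an added example, not code from the page or from XCSSET, of a heuristic triage pass over a launchd property list of the kind a responder would run across `/Library/LaunchDaemons`: an interpreter launching a script, hidden path components (the page says XCSSET keeps a hidden folder), and an Apple-style label in a third-party daemon directory. The labels, paths and plist contents are constructed.

```python
import plistlib
from pathlib import PurePosixPath

# Directories that hold Apple-managed or package-managed binaries (assumption).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Interpreters whose first argument is the thing actually being persisted.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl"}


def has_hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def triage_launch_daemon(plist_path: str, plist_bytes: bytes) -> list:
    """Heuristic review of one launchd plist; returns a list of findings."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "<no label>")
    if "ProgramArguments" in d:
        args = list(d["ProgramArguments"])
    elif "Program" in d:
        args = [d["Program"]]
    else:
        return [f"{label}: neither Program nor ProgramArguments set"]

    exe = args[0]
    findings = []
    if not exe.startswith(SYSTEM_PREFIXES):
        findings.append(f"{label}: executable outside system paths: {exe}")
    if exe in INTERPRETERS and len(args) > 1:
        findings.append(f"{label}: interpreter {exe} runs {args[1]}")
    hidden = [a for a in args if has_hidden_component(a)]
    if hidden:
        findings.append(f"{label}: hidden path in arguments: {hidden}")
    # Apple's own daemons live under /System/Library/LaunchDaemons; a com.apple.*
    # label in /Library/LaunchDaemons is a common masquerade.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        findings.append(f"{label}: Apple-style label in third-party directory {plist_path}")
    return findings


# Constructed samples; the labels and script paths are not from any real sample.
SUSPECT_PATH = "/Library/LaunchDaemons/com.apple.helper.update.plist"
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.helper.update",
    "ProgramArguments": ["/bin/sh", "/Users/victim/Library/.cache/run.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PATH = "/Library/LaunchDaemons/com.example.backup.plist"
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup-agent", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for path, data in ((SUSPECT_PATH, SUSPECT_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        print(path, "->", triage_launch_daemon(path, data) or "clean")
```

The heuristics are deliberately cheap; the decision to remove a daemon still rests on inspecting the referenced script or binary and, for a privileged daemon, on whether it also appears in `launchctl list` output as root.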
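The T1098.004 row records that XCSSET provisions an SSH key. The following is an added example, not code from the page or from XCSSET, of an `authorized_keys` audit that parses each line (including the optional leading options field), computes the OpenSSH-style `SHA256:` fingerprint of the key blob, and reports any key not on an allow-list. The sample file and the key blobs are constructed in code (the blobs are well-formed ed25519 public-key structures around arbitrary bytes, not real key pairs).

```python
import base64
import hashlib
import re
import struct

# authorized_keys line: [options] type base64-blob [comment]
KEY_LINE = re.compile(
    r"(?P<options>.*?)\s*(?P<type>ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp\d{3})"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)


def openssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the format ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable", "raw": line})
            continue
        entries.append({
            "line": lineno,
            "options": m.group("options"),
            "type": m.group("type"),
            "fingerprint": openssh_fingerprint(m.group("blob")),
            "comment": m.group("comment") or "",
        })
    return entries


def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Flag keys whose fingerprint is not on the allow-list and weak key types."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append(f"line {e['line']}: {e['error']}: {e['raw']}")
            continue
        if e["fingerprint"] not in allowed_fingerprints:
            findings.append(f"line {e['line']}: unknown key {e['fingerprint']} "
                            f"({e['type']}) comment={e['comment']!r} options={e['options']!r}")
        if e["type"] == "ssh-dss":
            findings.append(f"line {e['line']}: weak key type ssh-dss")
    return findings


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def fake_ed25519_blob(seed: int) -> str:
    """Constructed ed25519 public-key blob (correct wire layout, arbitrary bytes)."""
    pub = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 arbitrary bytes
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()


# Constructed ~/.ssh/authorized_keys: one known admin key, one unexplained key
# that also carries a forced-command option.
KNOWN_BLOB = fake_ed25519_blob(1)
ROGUE_BLOB = fake_ed25519_blob(2)
SAMPLE_FILE = f"""# constructed sample
ssh-ed25519 {KNOWN_BLOB} admin@workstation

command="/Users/victim/Library/.cache/run.sh" ssh-ed25519 {ROGUE_BLOB}
"""
ALLOWED = {openssh_fingerprint(KNOWN_BLOB)}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_FILE, ALLOWED):
        print(finding)
```

Building the allow-list from fingerprints rather than from raw lines means a key that was re-added with a different comment or options field is still recognised, while a new key under a familiar-looking comment is not.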