XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan. [1]

ID: S0161
Associated Software: OSX.Sofacy

Platforms: macOS

Version: 1.1

Associated Software Descriptions


Techniques Used

EnterpriseT1081Credentials in FilesXAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[1]
EnterpriseT1106Execution through APIXAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.[1]
EnterpriseT1083File and Directory DiscoveryXAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.[1]
EnterpriseT1107File DeletionXAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.[1]
EnterpriseT1056Input CaptureXAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.[1]
EnterpriseT1120Peripheral Device DiscoveryXAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.[1]
EnterpriseT1057Process DiscoveryXAgentOSX contains the getProcessList function to run ps aux to get running processes.[1]
EnterpriseT1113Screen CaptureXAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.[1]
EnterpriseT1071Standard Application Layer ProtocolXAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.[1]
EnterpriseT1082System Information DiscoveryXAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.[1]
EnterpriseT1033System Owner/User DiscoveryXAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user.[1]


Groups that use this software: