XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors and spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, and it often hides in apps that mimic system tools (such as Xcode, Mail, or Notes) or that use familiar icons (like Launchpad) to avoid detection.[1][2][3]
| Name | Description |
|---|---|
| OSX.DubRobber | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.006 | Abuse Elevation Control Mechanism: TCC Manipulation | For several modules, XCSSET attempts to access or list the contents of user folders such as Desktop, Downloads, and Documents. If the folder does not exist or access is denied, it enters a loop where it resets the TCC database and retries access.[3] |
| Enterprise | T1087 | Account Discovery | XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[1] |
| Enterprise | T1098.004 | Account Manipulation: SSH Authorized Keys | XCSSET will create an ssh key if necessary with the |
| Enterprise | T1560 | Archive Collected Data | XCSSET will compress entire |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | XCSSET uses a shell script to execute Mach-O files and |
| Enterprise | T1554 | Compromise Host Software Binary | XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[1] |
| Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon | XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | XCSSET performs AES-CBC encryption on files under |
| Enterprise | T1005 | Data from Local System | XCSSET collects contacts and application data from files in the Desktop, Documents, Downloads, Dropbox, and WeChat folders.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[1] |
| Enterprise | T1546 | Event Triggered Execution | XCSSET's |
| Enterprise | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | Using AppleScript, XCSSET adds its executable to the user's |
| Enterprise | T1041 | Exfiltration Over C2 Channel | XCSSET retrieves files that match the pattern defined in the INAME_QUERY variable within the user's home directory, such as |
| Enterprise | T1068 | Exploitation for Privilege Escalation | XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.[1] |
| Enterprise | T1083 | File and Directory Discovery | XCSSET has used |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | XCSSET uses the |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | XCSSET uses a hidden folder named |
| Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | XCSSET adds malicious file paths to the |
| Enterprise | T1105 | Ingress Tool Transfer | XCSSET downloads browser-specific AppleScript modules using a constructed URL with the |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | XCSSET prompts the user to input credentials using a native macOS dialog box, leveraging the system process |
| Enterprise | T1036 | Masquerading | XCSSET installs malicious application bundles that mimic native macOS apps, such as Safari, by using the legitimate app's icon and customizing the |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Older XCSSET variants use |
| Enterprise | T1647 | Plist File Modification | In older versions, XCSSET uses the |
| Enterprise | T1113 | Screen Capture | XCSSET saves a screen capture of the victim's system with a numbered filename and |
| Enterprise | T1518 | Software Discovery | XCSSET uses |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | XCSSET searches firewall configuration files located in |
| Enterprise | T1539 | Steal Web Session Cookie | XCSSET uses |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | XCSSET has dropped a malicious applet into an app's |
| Enterprise | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods |
| Enterprise | T1082 | System Information Discovery | XCSSET identifies the macOS version and uses |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | XCSSET uses AppleScript to check the host's language and location with the command |
| Enterprise | T1569.001 | System Services: Launchctl | XCSSET loads a system-level launchdaemon using the |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, |