Name | Description
---|---
OSX.DubRobber |

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087 | Account Discovery | XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[1]
Enterprise | T1098.004 | Account Manipulation: SSH Authorized Keys | XCSSET will create an ssh key if necessary with the
Enterprise | T1560 | Archive Collected Data | XCSSET will compress entire
Enterprise | T1547.011 | Boot or Logon Autostart Execution: Plist Modification | XCSSET uses the
Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | XCSSET uses a shell script to execute Mach-O files and
Enterprise | T1554 | Compromise Client Software Binary | XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[1]
Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon | XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.[1]
Enterprise | T1486 | Data Encrypted for Impact | XCSSET performs AES-CBC encryption on files under
Enterprise | T1005 | Data from Local System | XCSSET collects contacts and application data from files in the Desktop, Documents, Downloads, Dropbox, and WeChat folders.[1]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | XCSSET exfiltrates data stolen from a system over its C2 channel.[1]
Enterprise | T1068 | Exploitation for Privilege Escalation | XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.[1]
Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | XCSSET uses the
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | XCSSET uses a hidden folder named
Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | XCSSET adds malicious file paths to the
Enterprise | T1105 | Ingress Tool Transfer | XCSSET downloads browser-specific AppleScript modules using a constructed URL with the
Enterprise | T1056.002 | Input Capture: GUI Input Capture | XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process
Enterprise | T1036 | Masquerading | XCSSET builds a malicious application bundle to resemble Safari by using the Safari icon and
Enterprise | T1113 | Screen Capture | XCSSET saves a screen capture of the victim's system with a numbered filename and
Enterprise | T1518 | Software Discovery | XCSSET uses
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | XCSSET searches firewall configuration files located in
Enterprise | T1539 | Steal Web Session Cookie | XCSSET uses
Enterprise | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods
Enterprise | T1082 | System Information Discovery | XCSSET identifies the macOS version and uses
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | XCSSET uses AppleScript to check the host's language and location with the command
Enterprise | T1569.001 | System Services: Launchctl | XCSSET loads a system-level launchdaemon using the
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file,