Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit. In this post, we review changes made to the latest versions of XCSSET and reveal some of the context in which these threat actors operate.

Since XCSSET first appeared, the authors have made consistent use of two primary tools to obfuscate both droppers and dropped files: SHC and run-only compiled AppleScripts, respectively. SHC-compiled shell scripts are opaque to traditional static scanning tools and contain only a few human-readable strings. As all SHC-compiled binaries, legitimate or malicious, contain these same strings, signature scanners cannot distinguish between them.

Dynamic execution of this recent SHC-compiled XCSSET dropper, currently with 0 detections on VirusTotal despite having been known for 2 months, also reveals that the malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022.

SHA1: 127b66afa20a1c42e653ee4f4b64cf1ee3ed637d

These fake apps are invariably dropped in a parent folder created in random locations in the user's Library folder. When executed, this particular sample writes the fake Notes.app to: ~/Library/Application Scripts/

Changes in the replicator.applescript file, which infects users' Xcode projects with the XCSSET malware, show that both curl's --max-time value and the script's phaseName variable have now been randomized, presumably to hamper static detection or hunting rules.

Xcode infection script from 2021 (Left) and 2022 (Right)

The --max-time option is now set to a random value between 5 and 9, while phaseName is chosen from the following list: "Copy Bundle Frameworks",

The updated run-only AppleScripts that XCSSET drops as second-stage payloads use a collection of newly-registered domains:

In the previous version of XCSSET, the malware created and dropped files for its own caches and control functions in a folder at ~/Library/Caches/GeoServices/. This has been modified slightly to "GitServices". As previously, XCSSET continues to attempt to evade detection by masquerading as either system software or the almost ubiquitous Google and Chrome browser software.

Persistence plists are currently chosen from the following list:

And target a file at one of: ~/Library/Caches/GitServices/CloudServiceWorker
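A defender-side hunt for the file-system indicators described above, added here as an example and not code from the original post: it flags LaunchAgent plists whose program or arguments point into a ~/Library/Caches/GitServices/ or GeoServices/ folder, and decoy Xcode.app, Mail.app or Notes.app bundles anywhere beneath ~/Library. It assumes the persistence plist is a LaunchAgent that uses Program/ProgramArguments; the plist labels and the fixture tree are constructed for the demo.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Folder names and decoy bundle names are taken from the post; GeoServices is the 2021 name.
CACHE_DIR_RE = re.compile(r"Library/Caches/(GitServices|GeoServices)/")
DECOY_APPS = {"Xcode.app", "Mail.app", "Notes.app"}


def launch_agent_targets(launch_agents_dir):
    """Return (plist, program) pairs where Program or any argument points into a
    GitServices/GeoServices cache folder. Unparseable plists are skipped."""
    hits = []
    for plist in Path(launch_agents_dir).glob("*.plist"):
        try:
            data = plistlib.loads(plist.read_bytes())
        except Exception:
            continue
        args = data.get("ProgramArguments") or []
        # Check every argument: the worker may be an argument to sh or osascript.
        for candidate in [data.get("Program", ""), *args]:
            if isinstance(candidate, str) and CACHE_DIR_RE.search(candidate):
                hits.append((str(plist), candidate))
                break
    return hits


def decoy_bundles(library_dir):
    """Return decoy-named .app bundles found anywhere beneath a Library folder;
    real apps never live there, so every hit deserves a look."""
    return sorted(str(p) for p in Path(library_dir).rglob("*.app")
                  if p.is_dir() and p.name in DECOY_APPS)


def build_demo_library(root=None):
    """Constructed fixture (no real malware): a fake ~/Library tree holding one
    persistence plist and one decoy Notes.app, so the hunt can run offline."""
    lib = Path(root or tempfile.mkdtemp()) / "Library"
    agents = lib / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    worker = str(lib / "Caches/GitServices/CloudServiceWorker")  # path from the post
    (agents / "com.example.gitservices.plist").write_bytes(
        plistlib.dumps({"Label": "com.example.gitservices",
                        "ProgramArguments": ["/bin/sh", worker]}))
    (agents / "com.example.benign.plist").write_bytes(
        plistlib.dumps({"Label": "com.example.benign",
                        "ProgramArguments": ["/usr/bin/true"]}))
    (lib / "Application Scripts/com.example/Notes.app").mkdir(parents=True, exist_ok=True)
    return lib


if __name__ == "__main__":
    lib = build_demo_library()  # use Path.home() / "Library" to hunt on a real host
    print(launch_agent_targets(lib / "LaunchAgents"))
    print(decoy_bundles(lib))
```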