XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python

XCSSET, a macOS malware family, updated in 2022 to adapt to macOS Monterey and to prepare for a future without Python by removing Python-based components and shifting toward SHC-compiled droppers and run-only AppleScripts. The analysis outlines infection refinements (fake Notes.app, Xcode infection via a LaunchAgent), new domains for payloads, randomized parameters to hinder detection, and exfiltration and targeting practices, highlighting threat actors’ long-term strategy. #XCSSET #macOSMonterey #NotesApp #DockUtil #transferSh

Keypoints

  • XCSSET shows ongoing evolution in 2022, adjusting to macOS Monterey and removing Python dependencies.
  • Two primary obfuscation methods persist: SHC for shell scripts and run-only AppleScripts for second-stage payloads.
  • The malware now uses fake Notes.app (previously Xcode.app and Mail.app) stored under a random Library path, leveraging a LaunchAgent for persistence.
  • Second-stage payloads rely on updated, dynamically registered domains and randomized command parameters to defeat static detection rules.
  • The infection chain includes infected GitHub repositories and a broader set of targets (Telegram, WeChat, 360, Opera, Brave, Edge, etc.).
  • Exfiltration leverages transfer.sh to move larger stolen data off the victim machine; actors show hardware profiling and data-gathering behaviors (e.g., AppleBackLightDisplay checks).

MITRE Techniques

  • [T1059.005] AppleScript – As part of the updated malware, XCSSET uses run-only AppleScripts (e.g., a.scpt, main.scpt) to deliver and run payloads, including infection via a dropped LaunchAgent. “Aside from a.scpt, XCSSET makes use of multiple run-only AppleScripts.”
  • [T1027] Obfuscated/Compressed Files and Information – SHC-compiled shell scripts are opaque to static scanners, hindering detection: “SHC-compiled shell scripts are opaque to traditional static scanning tools and contain only a few human-readable strings.”
  • [T1543.003] Launch Daemon/Launch Agent – The malware is dropped and executed via a LaunchAgent, with the Notes payload executed through the agent: “launched by the run-only compiled AppleScript ‘a.scpt’… via the dropped LaunchAgent.”
  • [T1105] Ingress Tool Transfer – The dropper downloads or updates payloads with curl, with the `--max-time` value randomized to avoid detection: “the --max-time option is now set to a random value between 5 and 9, while phaseName is chosen from the following list.”
  • [T1567.002] Exfiltration to Web Service – The malware uses the public transfer.sh service to exfiltrate large data files from the victim machine: “public service transfer.sh for exfiltrating data files.”
  • [T1036] Masquerading – XCSSET continues to masquerade as legitimate software (system software, Google/Chrome) to evade detection: “XCSSET continues to attempt to evade detection by masquerading as either system software or the almost ubiquitous Google and Chrome browser software.”
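As an added defender-side example (not code from the SentinelOne write-up), the following script turns the persistence pattern described in the Keypoints and in T1543.003/T1059.005 above into a triage heuristic for LaunchAgent plists: a compiled .scpt run from a user Library path, or a Notes.app bundle outside the system location. The plist samples, the legitimate-path set and the regular expressions are assumptions.

```python
"""Heuristic LaunchAgent triage for the XCSSET-style persistence pattern.

Added example: parses LaunchAgent plists (constructed samples here; use
plistlib.load on ~/Library/LaunchAgents/*.plist in practice) and flags agents
whose program arguments run a compiled AppleScript (.scpt) from a Library path
or launch a Notes.app bundle outside the system Applications folder.
"""
import plistlib
import re

# Assumption: a genuine Notes.app lives only here; any other Notes.app is suspect.
LEGIT_NOTES = {"/System/Applications/Notes.app", "/Applications/Notes.app"}
SCPT_IN_LIBRARY = re.compile(r"/Library/.*\.scpt$")
NOTES_BUNDLE = re.compile(r"(/.*?Notes\.app)")


def flags_for(agent: dict) -> list[str]:
    """Return heuristic findings for one parsed LaunchAgent plist (empty if clean)."""
    args = list(agent.get("ProgramArguments") or [])
    if "Program" in agent:          # launchd accepts Program instead of/alongside ProgramArguments
        args.insert(0, agent["Program"])
    findings = []
    for a in args:
        if SCPT_IN_LIBRARY.search(a):
            findings.append(f"compiled AppleScript run from Library path: {a}")
        m = NOTES_BUNDLE.search(a)
        if m and m.group(1) not in LEGIT_NOTES:
            findings.append(f"Notes.app bundle outside system location: {m.group(1)}")
    if findings and agent.get("RunAtLoad"):
        findings.append("RunAtLoad=true: re-executes at every login")
    return findings


def triage(plist_bytes: bytes) -> list[str]:
    """Parse a serialized plist and return its findings."""
    return flags_for(plistlib.loads(plist_bytes))


# Constructed samples: the first mimics the pattern (osascript, a.scpt inside a fake
# Notes.app under a Library drop path from the IoC list); the second is benign.
SUSPECT = plistlib.dumps({
    "Label": "com.example.notes.agent",   # constructed label, not a real IoC
    "ProgramArguments": ["/usr/bin/osascript",
                         "/Users/jdoe/Library/Caches/GitServices/CloudServiceWorker/Notes.app/Contents/Resources/a.scpt"],
    "RunAtLoad": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(blob) or "clean")
```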

Indicators of Compromise

  • [Hash] 25f8d7ac99e00c9d69679f2d9aca5954d2609a03 – brave_remote.applescript, 0e1b2f01441e6e6fc8a48a7871e649d3647828cd – canary_remote.applescript, and 2 more hashes
  • [Domain] Communications – adobefile.ru, appledocs.ru, Cosmodron.com, gismolow.com, gurumades.ru, kinksdoc.ru, melindas.ru, superdocs.ru, 45.82.153.92
  • [File Name] Binaries/Executables – exec.2430808, Pods, agentd, braved, canaryd, edged, firefoxd, metald, open, operad, speedd, yandexd
  • [Hash] 127b66afa20a1c42e653ee4f4b64cf1ee3ed637d – SHA1 for a binary, and additional binary hashes listed in the same section
  • [File Path] Known drop locations – ~/Library/Application Scripts/com.apple.CalendarAgent, ~/Library/Caches/GitServices/CloudServiceWorker

Read more: https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/