{
  "description": "Enterprise techniques used by XCSSET, ATT&CK software S0658 (v1.3)",
  "name": "XCSSET (S0658)",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "17",
    "navigator": "5.1.0"
  },
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {
      "techniqueID": "T1548.006",
      "comment": "For several modules, [XCSSET](https://attack.mitre.org/software/S0658) attempts to access or list the contents of user folders such as Desktop, Downloads, and Documents. If the folder does not exist or access is denied, it enters a loop where it resets the TCC database and retries access.(Citation: Microsoft March 2025 XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1087",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1098", "showSubtechniques": true},
    {
      "techniqueID": "T1098.004",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) will create an SSH key if necessary with the `ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P` command. [XCSSET](https://attack.mitre.org/software/S0658) will upload a private key file to the server to remotely access the host without a password.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1560",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1059", "showSubtechniques": true},
    {
      "techniqueID": "T1059.004",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses a shell script to execute Mach-O files and osacompile commands such as `osacompile -x -o xcode.app main.applescript`.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1554",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1543", "showSubtechniques": true},
    {
      "techniqueID": "T1543.004",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1486",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) performs AES-CBC encryption on files under ~/Documents, ~/Downloads, and ~/Desktop with a fixed key and renames files to give them a .enc extension. Only files with sizes less than 500MB are encrypted.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1005",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1573", "showSubtechniques": true},
    {
      "techniqueID": "T1573.001",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses RC4 encryption over TCP to communicate with its C2 server.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1546",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658)'s `dfhsebxzod` module searches for `.xcodeproj` directories within the user’s home folder and subdirectories. For each match, it locates the corresponding `project.pbxproj` file and embeds an encoded payload into a build rule, target configuration, or project setting. The payload is later executed during the build process.(Citation: Microsoft March 2025 XCSSET)(Citation: April 2021 TrendMicro XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1546.004",
      "comment": "Using [AppleScript](https://attack.mitre.org/techniques/T1059/002), [XCSSET](https://attack.mitre.org/software/S0658) adds its executable to the user's `~/.zshrc_aliases` file (`\"echo \" & payload & \" > ~/zshrc_aliases\"`); it then adds a line to the .zshrc file to source the `.zshrc_aliases` file (`[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases`). Each time the user starts a new `zsh` terminal session, the `.zshrc` file executes the `.zshrc_aliases` file.(Citation: Microsoft March 2025 XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1041",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) retrieves files that match the pattern defined in the INAME_QUERY variable within the user's home directory, such as `*test.txt`, and are below a specific size limit. It then archives the files and exfiltrates the data over its C2 channel.(Citation: trendmicro xcsset xcode project 2020)(Citation: Microsoft March 2025 XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1068",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1083",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command `ls -la ~/Desktop`.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: Microsoft March 2025 XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1222", "showSubtechniques": true},
    {
      "techniqueID": "T1222.002",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses the `chmod +x` command to grant executable permissions to the malicious file.(Citation: 20 macOS Common Tools and Techniques)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {"techniqueID": "T1564", "showSubtechniques": true},
    {
      "techniqueID": "T1564.001",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses hidden folders named .xcassets and .git to embed itself in Xcode.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {"techniqueID": "T1574", "showSubtechniques": true},
    {
      "techniqueID": "T1574.006",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) adds malicious file paths to the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables to execute malicious code.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1105",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) downloads browser-specific AppleScript modules using a constructed URL with the curl command, `https://\" & domain & \"/agent/scripts/\" & moduleName & \".applescript`.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1056", "showSubtechniques": true},
    {
      "techniqueID": "T1056.002",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1036",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) installs malicious application bundles that mimic native macOS apps, such as Safari, by using the legitimate app’s icon and customizing the `Info.plist` to match expected metadata.(Citation: trendmicro xcsset xcode project 2020)(Citation: Microsoft March 2025 XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1027", "showSubtechniques": true},
    {
      "techniqueID": "T1027.013",
      "comment": "Older [XCSSET](https://attack.mitre.org/software/S0658) variants use `xxd` to encode modules. Later versions pass an `xxd` or `base64` encoded blob through multiple decoding stages to reconstruct the module name, AppleScript, or shell command. For example, the initial network request uses three layers of hex decoding before executing a curl command in a shell.(Citation: Microsoft March 2025 XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1647",
      "comment": "In older versions, [XCSSET](https://attack.mitre.org/software/S0658) uses the plutil command to modify the LSUIElement, CFBundleDisplayName, and CFBundleIdentifier keys in the /Contents/Info.plist file to change how [XCSSET](https://attack.mitre.org/software/S0658) is visible on the system. In later versions, [XCSSET](https://attack.mitre.org/software/S0658) leverages a third-party notarized `dockutil` tool to modify the `.plist` file responsible for presenting applications to the user in the Dock and Launchpad to point to a malicious application.(Citation: trendmicro xcsset xcode project 2020)(Citation: Microsoft March 2025 XCSSET)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1113",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) saves a screen capture of the victim's system with a numbered filename and .jpg extension. Screen captures are taken at specified intervals based on the system.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1518",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses `ps aux` with the grep command to enumerate common browsers and system processes potentially impacting [XCSSET](https://attack.mitre.org/software/S0658)'s exfiltration capabilities.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1518.001",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) searches firewall configuration files located in /Library/Preferences/ and uses `csrutil status` to determine if System Integrity Protection is enabled.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1539",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses scp to access the ~/Library/Cookies/Cookies.binarycookies file.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1553", "showSubtechniques": true},
    {
      "techniqueID": "T1553.001",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) has dropped a malicious applet into the `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first-launch apps (prior to macOS 13).(Citation: Application Bundle Manipulation Brandon Dalton)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {"techniqueID": "T1195", "showSubtechniques": true},
    {
      "techniqueID": "T1195.001",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) adds malicious code to a host's Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or by enumerating all .xcodeproj folders under a given directory. [XCSSET](https://attack.mitre.org/software/S0658) then downloads a script and Mach-O file into the Xcode project folder.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1082",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) identifies the macOS version and uses ioreg to determine the serial number.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {"techniqueID": "T1614", "showSubtechniques": true},
    {
      "techniqueID": "T1614.001",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) uses AppleScript to check the host's language and location with the command `user locale of (get system info)`.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {"techniqueID": "T1569", "showSubtechniques": true},
    {
      "techniqueID": "T1569.001",
      "comment": "[XCSSET](https://attack.mitre.org/software/S0658) loads a system-level launchdaemon using the `launchctl load -w` command from /System/Library/LaunchDaemons/ssh.plist.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {"techniqueID": "T1497", "showSubtechniques": true},
    {
      "techniqueID": "T1497.003",
      "comment": "Using the machine's local time, [XCSSET](https://attack.mitre.org/software/S0658) waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, [XCSSET](https://attack.mitre.org/software/S0658) executes additional modules.(Citation: trendmicro xcsset xcode project 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#66b1ff"],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {"label": "used by XCSSET", "color": "#66b1ff"}
  ]
}