XCSSET

Today we look at cron - a classic Unix mechanism that is very much alive on modern macOS Sonoma... User-level crontabs are stored in: /usr/lib/cron/tabs/<username>... The persistence installer (pers.c) installs a cron job for the current user... The cron entry installed looks like this: * * * * * /Users/Shared/hack

As with the Automation request, this only requires the user to click-through their consent rather than provide a password.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.

Copy this new “ls.app” trojan to inside the bundle of an app that’s already been given TCC permission to access the Desktop. % cp -R /tmp/ls.app /Applications/Some Privileged.app/ ... Execute the trojan app

Today we look at cron - a classic Unix mechanism that is very much alive on modern macOS Sonoma... User-level crontabs are stored in: /usr/lib/cron/tabs/<username>... The persistence installer (pers.c) installs a cron job for the current user... The cron entry installed looks like this: * * * * * /Users/Shared/hack

Today we look at cron - a classic Unix mechanism that is very much alive on modern macOS Sonoma... User-level crontabs are stored in: /usr/lib/cron/tabs/<username>... The persistence installer (pers.c) installs a cron job for the current user... The cron entry installed looks like this: * * * * * /Users/Shared/hack

APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges. ... APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host. ... multiple groups/tools exploit various CVEs to escalate privileges. | XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.

Automation, by design, allows Full Disk Access to be ‘backdoored’ while also lowering the authorization barrier.

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

If the bypass fails, it’s a simple matter to just impersonate the Finder and ask the user for control... Fake Finder App used by XCSSET malware to access protected areas

When macOS Mojave first went on public release, SentinelOne was the first to note that TCC could be bypassed via SSH... The most recent TCC bypass came to light after it was discovered being exploited by XCSSET malware in August 2020.

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.

Copy this new “ls.app” trojan to inside the bundle of an app that’s already been given TCC permission to access the Desktop. % cp -R /tmp/ls.app /Applications/Some Privileged.app/ ... Execute the trojan app

Bundlore prompts the user for their credentials. Calisto presents an input prompt asking for the user's login and password. Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window. Dok prompts the user for credentials. FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials. iKitten prompts the user for their credentials. Keydnap prompts the users for credentials. Proton prompts users for their credentials. RedCurl prompts the user for credentials through a Microsoft Outlook pop-up. SILENTTRINITY's credphisher.py module can prompt a current user for their credentials. XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.

"APT42 has used custom malware to steal login and cookie data from common browsers." / "...extracts the web session cookie and sends it to the C2 server." / "...stole Chrome browser cookies by copying the Chrome profile directories of targeted users."

“added an info-stealer module to exfiltrate data stored by Firefox… modified version of… HackBrowserData… Passwords, history, credit card information, and cookies…”

"XCSSET uses ps aux with the grep command to enumerate common browsers and system processes"; "SpicyOmelette can enumerate running software"

an attacker, red teamer or malware could instead enumerate over the contents of the /Applications folder and take educated guesses based on what’s found there, e.g., Xcode, Camtasia, and Zoom are all applications that, if installed, are likely to be privileged.

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Use mdfind to search for apps to infect # # Allows an attacker to determine if specific applications are installed and can be leveraged set appId to do shell script "mdfind kMDItemCFBundleIdentifier = '" & bundleId & "'"

Use mdfind to search for AWS Keys # # Allows an attacker to query the filesystem via the CommandLine/Terminal to search for AWS keys. mdfind 'kMDItemTextContext == AKIA || kMDItemDisplayName = *AKIA* -onlyin ~'

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

Bundlore prompts the user for their credentials. Calisto presents an input prompt asking for the user's login and password. Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window. Dok prompts the user for credentials. FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials. iKitten prompts the user for their credentials. Keydnap prompts the users for credentials. Proton prompts users for their credentials. RedCurl prompts the user for credentials through a Microsoft Outlook pop-up. SILENTTRINITY's credphisher.py module can prompt a current user for their credentials. XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment.

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP... Tomiris can upload files matching a hardcoded set of extensions... PowerShower packed and exfiltrated .txt, .pdf, .xls or .doc files smaller than 5MB modified during the past two days.

Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel... XCSSET retrieves files... then archives the files and exfiltrates the data over its C2 channel.

“This stage… download and run submodules… it calls… to obtain the configuration data from the C2 server; this data is decrypted…”

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

Multiple ransomware families and actors are described as encrypting victim filesystems/drives for extortion (e.g., Akira, Conti, Ryuk, WannaCry, NotPetya, etc.), often appending new extensions and dropping ransom notes.