Trojan:MacOS/Xcsset!rfn

Trojan:MacOS/Xcsset!rfn malware functions via a multi-stage infection chain that starts with compromising an Xcode project file. The first payload is part of the Xcode project; therefore, it is launched when the developer builds the infected example. The payload can be obfuscated with many layers of random Base64 encoding or can pass through xxd (hexdump) to avoid signature detection. An important aspect of this type of Xcode project is a substantial reliance on obfuscation, layers of encoding obfuscate the core payloads or transformations designed to avoid detection. The obfuscated core payloads pass as encoded and are simply decoded by the trojan, running the instructions in memory and favoring fileless launch as a method of reducing disk footprint. 

Upon launch, Trojan:MacOS/Xcsset!rfn establishes persistence through several parallel mechanisms. One common method involves the modification of shell configuration files; it creates a hidden file named ~/.zshrc_aliases containing its malicious script and then edits the main ~/.zshrc file to source this script every time a new terminal window is opened. Another technique involves manipulating the macOS dock using a command-line tool called dockutil to replace the legitimate Launchpad app with a malicious replica, ensuring it runs whenever the user clicks the icon.  

Variants that are more recent have been observed targeting developer workflows by installing malicious pre-commit hooks in Git repositories, reactivating the infection each time a developer attempts to commit code. 

The trojan drops several artifacts onto the macOS device. A counterfeit application bundle is created at /tmp/l.app, while core payload scripts are saved to paths like /tmp/b. To blend in, it also utilizes user cache directories, such as ~/Library/Caches/GeoServices/ or ~/Library/Caches/GitServices/, for storing components. The trojan's modules, which have obfuscated names like seizecj and txzx_vostfdi, handle specific tasks including data exfiltration and communication with command-and-control (C2) servers.  

The known infrastructure used by XCSSET includes domains like bulknames[.]ru, adobestats[.]com, and gismolow[.]com, which resolve to IP addresses such as 46[.]101.126[.]33 and 94[.]130.27[.]189. Through these channels, the malware exfiltrates stolen data and can download additional malicious modules to expand its capabilities on the compromised mac. 

Dropped files and artifacts: 

• ~/Library/Application Scripts/com.apple.CalendarAgent/ 
• /tmp/l.app 
• /tmp/b 
• a.scpt 
• seizecj  
• txzx_vostfdi 
• main.scpt 
• ~/Library/Caches/GitServices/ 

The trojan accesses or downloads from the following remote domains: 

• safariperks[.]ru 
• gismolow[.]com 
• superdocs[.]ru 
• adobestats[.]com 
• bulknames[.]ru 

The trojan communicates to the following hosts: 

• 46[.]101[.]126[.]33  
• 94[.]130[.]27[.]189 
• 45[.]82[.]153[.]92