Just as software and hardware vendors push upgrades and updates for their products and services to stay secure against the latest threats, threat actors work just as fast to keep up with OS and version changes. That is exactly what the XCSSET malware operators have done so that their campaigns targeting macOS users keep working.
When macOS Monterey removed support for Python, so did XCSSET, which had relied heavily on the language in the past. Otherwise, its campaigns would no longer work against users of the latest macOS.
Using the eight domains and one IP address identified by SentinelOne as indicators of compromise (IoCs) as a jump-off point, we discovered:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our in-depth look at XCSSET by subjecting the eight domains identified as IoCs to Connected Domains API lookups and found that seven of them resolved to 45[.]82[.]153[.]92, which was also named an IoC. Only cosmodron[.]com never resolved to that IP address.
Using 45[.]82[.]153[.]92 as a reverse IP lookup search string, meanwhile, allowed us to uncover an additional nine domains that haven’t been mentioned in XCSSET-related reports. These are:
We didn’t stop there, though, since we want to identify as many artifacts as possible to help users better protect against ongoing malicious campaigns.
We then looked for domains that used the same strings as the IoCs and additional artifacts but under different top-level domain (TLD) extensions. We used the strings “superdocs,” “melindas,” “kinksdoc,” “gurumades,” “gismolow,” “appledocs,” “adobefile,” “cosmodron,” “admobs,” “linebrand,” “melodyapps,” “monotel,” “nodeline,” “sidelink,” “statsmag,” and “yahooads” as Domains & Subdomains Discovery search strings, which led to the discovery of 126 more artifacts.
Performing a bulk WHOIS lookup for all the domains found so far then uncovered six unredacted personal email addresses used to register the properties. These are:
Using these email addresses as reverse WHOIS search strings allowed us to uncover 900 additional domains.
After collating a total of 1,035 artifacts that haven’t been publicized in XCSSET-related reports, we ran them through a bulk malware check on Threat Intelligence Platform (TIP). We found that 23 of them hosted malware.
While the removal of support for Python on macOS Monterey may have stopped old XCSSET versions from affecting users, the malicious operators’ fast adaptation ensures that the latest iteration of their malware still does.
Security teams who wish to protect network-connected Macs from XCSSET may be interested in monitoring access to and from the 1,000+ domains we identified as artifacts and blocking access to the 23 malicious domains.
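The pivot chain described above (reverse IP lookup, same label under other TLDs, reverse WHOIS, then a bulk malware check) and the monitoring recommendation can be reduced to a small script. The following is an added example, not WhoisXML API’s code or dataset: the seed IP, cosmodron[.]com and the sixteen search strings come from the post, while every other domain (all under the reserved .test/.example TLDs), the TEST-NET IP addresses, the registrant email addresses, the malware-check result and the DNS log lines are constructed placeholders.

```python
"""Added example: a miniature of the DNS/WHOIS pivot chain described in the post,
run on constructed data. Nothing here is WhoisXML API's own code or dataset."""
import re

# The post writes IoCs defanged (45[.]82[.]153[.]92); refang for lookups and
# defang again before publishing anything.
def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

def defang(ioc: str) -> str:
    return ioc.replace(".", "[.]")

# Seeds taken from the post: the IoC IP and the one seed domain that never
# resolved to it. The other seven IoC domains are not named on the page.
SEED_IP = refang("45[.]82[.]153[.]92")
SEED_DOMAINS = {refang("cosmodron[.]com")}

# Search strings the post says it used for the different-TLD pivot.
POST_STRINGS = {
    "superdocs", "melindas", "kinksdoc", "gurumades", "gismolow", "appledocs",
    "adobefile", "cosmodron", "admobs", "linebrand", "melodyapps", "monotel",
    "nodeline", "sidelink", "statsmag", "yahooads",
}

# --- Constructed sample data (placeholders, not findings). Domains use the
# reserved .test/.example TLDs; IPs other than the seed are TEST-NET ranges. ---
PDNS = {                       # domain -> last resolved IP (passive DNS)
    "cosmodron.com": "203.0.113.10",
    "superdocs.test": SEED_IP,
    "yahooads.test": SEED_IP,
    "benign.example": "198.51.100.5",
}
CANDIDATES = {                 # domains returned by a name-discovery search
    "superdocs.example", "yahooads.example", "cosmodron.example",
    "superdocsmail.test", "benign.example",
}
WHOIS = {                      # domain -> registrant email (placeholder addresses)
    "superdocs.test": "registrant-a@placeholder.invalid",
    "yahooads.example": "registrant-a@placeholder.invalid",
    "extra.example": "registrant-a@placeholder.invalid",
    "benign.example": "someone-else@placeholder.invalid",
}
MALWARE_FLAGGED = {"yahooads.example"}   # what a bulk malware check returned

def second_level_label(domain: str) -> str:
    # Assumes single-label TLDs (no .co.uk handling) to keep the example short.
    return domain.split(".")[-2]

def reverse_ip(pdns, ip):
    return {d for d, a in pdns.items() if a == ip}

def same_label_other_tld(candidates, strings):
    return {d for d in candidates if second_level_label(d) in strings}

def reverse_whois(whois, emails):
    return {d for d, e in whois.items() if e in emails}

def expand(seed_domains, seed_ip, pdns, whois, candidates, extra_strings=frozenset()):
    """Run the three pivots in the order the post describes and return all artifacts."""
    found = set(seed_domains)
    found |= reverse_ip(pdns, seed_ip)                     # step 1: reverse IP
    strings = {second_level_label(d) for d in found} | set(extra_strings)
    found |= same_label_other_tld(candidates, strings)     # step 2: same label, other TLD
    emails = {whois[d] for d in found if d in whois}
    found |= reverse_whois(whois, emails)                  # step 3: reverse WHOIS
    return found

def malicious_domains(found, flagged):
    # Step 4: keep only the artifacts a bulk malware check flagged.
    return {d for d in found if d in flagged}

# Constructed resolver log lines (format is a placeholder, not a real product's).
DNS_LOG = """\
10:00:01 client=10.0.0.5 name=superdocs.test type=A
10:00:02 client=10.0.0.7 name=www.benign.example type=A
10:00:03 client=10.0.0.5 name=cdn.yahooads.example type=A
10:00:04 client=10.0.0.9 name=notsuperdocs.test type=A
"""

def flag_queries(log_text, artifacts, malicious):
    """Return (queried name, matched artifact, action) for each query that hits
    an artifact or one of its subdomains; flagged domains get 'block', the rest
    'monitor', matching the post's recommendation."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"name=(\S+)", line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        for a in artifacts:
            if name == a or name.endswith("." + a):
                hits.append((name, a, "block" if a in malicious else "monitor"))
                break
    return hits

if __name__ == "__main__":
    found = expand(SEED_DOMAINS, SEED_IP, PDNS, WHOIS, CANDIDATES, POST_STRINGS)
    bad = malicious_domains(found, MALWARE_FLAGGED)
    print(f"{len(found)} artifacts, {len(bad)} flagged as malicious")
    for name, art, action in flag_queries(DNS_LOG, found, bad):
        print(f"{action:7s} {name} (matches {defang(art)})")
```

The subdomain test in `flag_queries` requires a leading dot, so `notsuperdocs.test` does not match `superdocs.test`; the same-label pivot likewise matches the registrable label exactly, which is why `superdocsmail.test` is left out. Both choices keep the artifact list from swallowing unrelated names, which matters when a 1,000+ entry list is turned into a block rule.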
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.