- Okuhlukile okusha kwe-XCSSET ene-obfuscation ethuthukisiwe nokuphikelela okuningi (zshrc, Dock kanye ne-LaunchDaemon).
- Inweba ukwebiwa kwedatha kuFirefox futhi yengeza i-clipper ukuze ichezukise ukuthengiselana kwe-crypto ku- ibhodi yokunameka.
- Ukutheleleka kwamaphrojekthi we-Xcode okwabelwana ngawo: I-AppleScript esebenza kuphela, amamojula aqanjwe kabusha, kanye nokukhishwa kwe-C2.
- Izincomo: Buyekeza i-macOS, hlola amaphrojekthi ngaphambi kokwakha, futhi uqaphe i-osascript/dockutil.
Umndeni ka I-malware I-XCSSET ye-macOS ibuyile nokuhlukile okuthuthukisiwe, futhi akuyona into encane: I-Microsoft Threat Intelligence ikhombe izinguquko eziphawulekayo kumasu okudala, ukuphikelela, kanye nokwebiwa kwedatha. lokho kuphakamisa izinga kulo muntu omdala engimaziyo. Uma usebenza ne-Xcode noma wabelana ngamaphrojekthi phakathi kwamaqembu, uzofuna ukuhlala wazi ngalokho okwenzekayo.
Selokhu yatholwa ngo-2020, i-XCSSET ibizivumelanisa nezimo ku-Apple ecosystem. Okubonwayo manje ukwahluka okusha okubhalwe esidlangalaleni kusukela ngo-2022., kutholwe ekuhlaselweni okulinganiselwe kodwa ngamakhono anwetshiwe. Lolu uhlelo olungayilungele ikhompuyutha olungena ngokunyenya kumaphrojekthi we-Xcode ukuze lukhokhele lapho luhlanganiswa, futhi kulokhu kuphindaphindwa, luhlanganisa amaqhinga amaningi okuzifihla futhi aqhubeke.
Iyini i-XCSSET futhi kungani isakazeka kahle kangaka?
Empeleni, i-XCSSET isethi yamamojula anonya eklanyelwe ukuthelela amaphrojekthi we-Xcode futhi wenze imisebenzi yawo isebenze ngesikhathi sokwakhaIvektha yokusakaza ekholeka kakhulu ukwabelana kwamafayela ephrojekthi phakathi konjiniyela ababambisene. Izinhlelo zokusebenza ye-macOS, ephindaphinda amathuba wokwenza esakhiweni ngasinye.
Lolu hlelo olungayilungele ikhompuyutha ngokomlando lukwazile ukuxhaphaza ubungozi bezinsuku eziyiziro, faka ikhodi kumaphrojekthi futhi uze wethule izinto ezingemuva ezingxenyeni ze-Apple ecosystem njengeSafariKukho konke ukuvela kwayo, ingeze nokuhambisana nezinguqulo ezintsha ze-macOS kanye ne-Apple Silicon (M1) yezakhiwo, ekhombisa ukuguquguquka okumangalisayo.
Phansi, i-XCSSET isebenza njenge isela lolwazi kanye cryptocurrencies: iyakwazi ukuqoqa idatha ezinhlelweni ezidumile (Evernote, Notes, Skype, Telegraph, QQ, WeChat nokunye okwengeziwe), khipha amafayela esistimu nawohlelo lokusebenza, futhi uqondise ngokuqondile izikhwama zedijithali. Ukwengeza, ezinye izinhlobo ziye zabonisa Izithombe-skrini ezingagunyaziwe, ukubethela kwefayela, nokusetshenziswa kwenothi lesihlengo.
Yini entsha kokuhlukile kwakamuva
I-Microsoft inemininingwane yokuthi ukwahluka kwakamuva kuhlanganisa Izindlela ezintsha ze-obfuscation, ukuphikelela kanye namasu okutheleleka. Asisakhulumi nje ngokushintsha amagama noma ukucindezelwa kwekhodi: manje sekunokungahleliwe okwengeziwe ngendlela ekhiqiza ngayo imithwalo yayo ekhokhelwayo ukungcolisa amaphrojekthi e-Xcode.
Ushintsho oluphawulekayo ukusetshenziswa okuhlangene kwamasu okubhala amakhodi. Ngenkathi ukuphindaphinda kwangaphambilini kuncike kuphela ku-xxd (hexdump), Inguqulo entsha yengeza i-Base64 futhi isebenzisa inombolo engahleliwe yokuphindaphinda, okwenza kube nzima ukubona nokuqaqa umthwalo.
Amagama angaphakathi amamojula nawo afihleke kakhulu kunangaphambili: Bacashile ezingeni lekhodi ukuze bafihle inhloso yaboLokhu kwenza kube nzima ukuhlaziya okumile kanye nokuhlobana phakathi kwemisebenzi nemiphumela ebonakalayo ohlelweni.
Ukuphikelela: “zshrc” kanye “nedokhi” izindlela
Olunye lwezimpawu zalokhu kubuya kwe-XCSSET izindlela ezimbili ezihluke kakhulu zokuhlala uphila ngemva kokutheleleka. Indlela ye-“zshrc” isebenzisa ukucushwa kwegobolondo ukuze kusebenze ngokuzenzekelayo kuseshini ngayinye, futhi indlela “yedokhi” ixhaphaza izinqamuleli zesistimu ukuze ikhiphe ukukhokha okunonya ngokusobala kumsebenzisi.
Ngendlela "zshrc", uhlelo olungayilungele ikhompuyutha ludala ifayela elibizwa ngokuthi ~/.zshrc_aliases ngomthwalo okhokhelwayo bese wengeza umyalo kokuthi ~/.zshrc oqinisekisa ukuthi ifayela liyalayishwa njalo uma kuvulwa iseshini entsha. Lokhu kuqinisekisa ukuphikelela kuwo wonke amatheminali ngaphandle kokuveza izinsolo ezisobala.
Uhlelo “lokudokha” lubandakanya ukulanda ithuluzi elisayiniwe kumyalo nokulawula iseva, dockutil, ukuphatha izici zeDokhi. Ibese idala uhlelo lokusebenza lwe-Launchpad engelona iqiniso futhi ingena esikhundleni somzila we-Launchpad esemthethweni kuDokhi ngalolo hlelo lokusebenza olungelona iqiniso. Umphumela: ngaso sonke isikhathi lapho umsebenzisi ethula i-Launchpad esuka kuDokhi, eyangempela iyavuleka futhi, ngokufana, inkokhelo enonya iyasebenza.
Njengokuqiniswa, okuhlukile kuyethula Indlela entsha yokunquma ukuthi kuphrojekthi ye-Xcode uzowufaka kuphi umthwalo okhokhelwayoLokhu kuthuthukisa umthelela futhi kunciphisa amathuba okuthi unjiniyela abone okuthile okungajwayelekile lapho ebuyekeza isihlahla sephrojekthi.
I-AppleScript, ukubulawa ngokuyimfihlo, kanye neketango lokutheleleka
Ucwaningo lweMicrosoft luchaza ukuthi i-XCSSET isebenzisa I-AppleScripts ihlanganiswe ngemodi yokuqalisa kuphela ukugijima buthule futhi uvimbele ukuhlaziya okuqondile ekuvezeni elikuqukethe. Le nqubo ihambisana nomgomo wayo wokungabonakali kanye nokugwema amathuluzi okuhlola umbhalo.
Esigabeni sesine sochungechunge lokutheleleka, kuyabonwa ukuthi Uhlelo lokusebenza lwe-AppleScript lusebenzisa umyalo wegobolondo ukulanda isigaba sokugcinaLe AppleScript yokugcina iqoqa ulwazi kusuka kusistimu esengozini kanye namamojula ebhuthi ngokufaka umsebenzi we-boot(), ohlela ukuthunyelwa kwemojula yamakhono.
Izinguquko ezinengqondo nazo zitholiwe: Ukuhlola okwengeziwe kwesiphequluli seFirefox kanye nendlela ehlukile yokuqinisekisa ubukhona bohlelo lokusebenza lwemiyalezo yeTelegramu. Lena akuyona imininingwane emincane; zikhombisa inhloso ecacile yokwenza ukuqoqwa kwedatha kuthembeke kakhulu futhi kwandise ububanzi bayo.
Amamojula aqanjwe kabusha nezingxenye ezintsha
Ngokubukezwa ngakunye, umndeni we-XCSSET uguqule kancane amagama amamojula awo, umdlalo wekati wakudala kanye negundane ukuze yenza kube nzima ukulandelela izinguqulo namasignesha. Noma kunjalo, ukusebenza kwayo ngokuvamile kuhlala kuvumelana.
Phakathi kwamamojula agqanyisiwe alokhu okuhlukile kuvela izihlonzi ezifana nalezi zweqj (ngaphambili seizecj), okuyinto landa enye imojuli ebizwa ngokuthi bnk bese uyiqhuba usebenzisa i-osascript. Lokhu iskripthi yengeza ukuqinisekiswa kwedatha, ukubethela, ukususa ukubethela, ukulanda okuqukethwe okwengeziwe ku-C2, namandla okugawula imicimbi, futhi ihlanganisa ingxenye ethi "clipper".
Kuyashiwo futhi neq_cdyd_ilvcmwx, efana ne-txzx_vostfdi, enesibopho salokho khipha amafayela kumyalo kanye neseva yokulawula; imojuli xmiyeqjx lokho kulungiselela i Qalisa ukuphikelela okusekelwe kuDaemon; jey (ngaphambilini i-jez) elungiselela i-a ukuphikelela nge-Git; futhi iewmilh_cdyd, onesibopho sokweba idatha kuFirefox esebenzisa inguqulo elungisiwe yethuluzi lomphakathi le-HackBrowserData.
- zweqj: imojula yolwazi; landa futhi usebenzise bnk, ihlanganisa isiqeshana nokubethela.
- neq_cdyd_ilvcmwx: ukukhishwa kwamafayela ku-C2.
- xmiyeqjx: ukuphikelela nge-LaunchDaemon.
- jey: ukuphikelela nge-Git.
- iewmilh_cdyd: Ukwebiwa kwedatha yeFirefox ene-HackBrowserData eguquliwe.
Ukugxila kuFirefox kubaluleke kakhulu, ngoba inweba ukufinyelela ngale kwe-Chromium ne-SafariLokhu kusho ukuthi izinhlobonhlobo zabangase babe izisulu ziyakhula, futhi amasu okuqinisekisa kanye nokukhipha amakhukhi ayathuthukiswa ezinjinini zeziphequluli eziningi.
Ukwebiwa kwe-Cryptocurrency kusetshenziswa ukudunwa kwebhodi lokunamathisela
Elinye lamakhono akhathaza kakhulu kulokhu kuguquguquka yimojula ye-"clipper". Iqapha ibhodi lokunamathisela ukuze uthole izinkulumo ezivamile ezifana namakheli e-cryptocurrency (amafomethi ahlukahlukene we-wallet). Lapho nje ithola okufanayo, ngokushesha ifaka ikheli elilawulwa umhlaseli.
Lokhu kuhlasela akudingi amalungelo aphakeme ukuze kudaleke umonakalo: Isisulu sikopisha ikheli laso esikhwameni saso, silinamathisele ukuze sithumele izimali, bese sidlulisela kumhlaseli ngokungazi.Njengoba ithimba le-Microsoft labonisa, lokhu kuqeda ukuthembela kokuthile okuyisisekelo njengokukopisha nokunamathisela.
Inhlanganisela yokunamathisela kanye nokwebiwa kwedatha yesiphequluli kwenza i-XCSSET a Usongo olusebenzayo kuma-cybercriminals lugxile ezimpahleni ze-cryptoBangakwazi ukuthola amakhukhi esikhathi, amaphasiwedi alondoloziwe, futhi baqondise kabusha imisebenzi ngaphandle kokuthinta ibhalansi ebonakalayo yesisulu kuze kushaye isikhathi sokushicilela.
Amanye amaqhinga okuphikelela nokuzifihla
Ngokungeziwe kokuthi “zshrc” kanye “nedokhi,” iMicrosoft ichaza ukuthi lokhu okuhlukile kuyengeza Okufakiwe kwe-LaunchDaemon esebenzisa umthwalo okhokhayo kokuthi ~/.rootLe nqubo iqinisekisa ukuqalisa kwangaphambi kwesikhathi futhi okuzinzile futhi izifihla phakathi kwesiphithiphithi samasevisi esistimu alayishwa ngemuva.
Ukudalwa kwe-a nakho kuye kwabonwa I-Spoofed System Settings.app ku-/tmp, okuvumela uhlelo olungayilungele ikhompuyutha ukuthi lufihle umsebenzi walo ngaphansi kokucasha uhlelo lokusebenza lwesistimu olusemthethweni. Lolu hlobo lokuzenza ongeyena lusiza ukugwema izinsolo lapho kuhlolwa izinqubo noma izindlela phakathi nokwenza okungahleliwe.
Ngokuhambisanayo, umsebenzi we-XCSSET we-obfuscation ubuyele obala: Ukubethela okuyinkimbinkimbi, amagama emojuli angahleliwe, nama-AppleScript asebenza kuphelaYonke into ikhomba ekwandiseni isikhathi sokuphila somkhankaso ngaphambi kokuthi ususwe amasignesha nemithetho yokuthola.
Amandla omlando: ngale kwesiphequluli
Uma ubheka emuva, i-XCSSET ayigcinanga nje ngokukhipha iziphequluli. Ikhono layo loku khipha idatha kuzinhlelo zokusebenza ezifana i-Google Chrome, Opera, Telegram, Evernote, Skype, WeChat kanye nezinhlelo zokusebenza ze-Apple ezifana Oxhumana Nabo NamanothiOkusho ukuthi, ububanzi bemithombo efaka phakathi imilayezo, ukukhiqiza, nedatha yomuntu siqu.
Ngo-2021, imibiko efana neka-Jamf yachaza ukuthi i-XCSSET yaxhashazwa kanjani I-CVE-2021-30713, uhlaka lwe-TCC oludlulayo, ukuphuza izithombe-skrini zedeskithophu ngaphandle kokucela imvume. Leli khono lihambisana nenjongo ecacile: hlola futhi uqoqe izinto ezibucayi ngokungqubuzana okuncane komsebenzisi.
Ngokuhamba kwesikhathi, uhlelo olungayilungele ikhompuyutha lulungiselwe ukuhambisana kwe-macOS Monterey kanye nama-chips e-M1, into egcizelelayo ukuqhubeka nokugcinwa ngabahlaseliKuze kube namuhla, umsuka wangempela womsebenzi awukacaci.
Ingena kanjani kumaphrojekthi we-Xcode
Ukusatshalaliswa kwe-XCSSET akucaciswanga ngemilimitha, kodwa yonke into ikhombisa lokho Thatha ithuba lokwabelana ngephrojekthi ye-Xcode phakathi konjiniyelaUma inqolobane noma iphakheji isivele isengozini, noma yikuphi ukwakha okulandelayo kusebenzisa ikhodi enonya.
Le phethini ishintsha amaqembu okuthuthukisa abe yiqembu ama-propagation vectors anelungelo, ikakhulukazi ezindaweni ezinemikhuba yokuhlola ukuncika okuxegayo, imibhalo yokwakha, noma izifanekiso ezabiwe. Kuyisikhumbuzo sokuthi software supply chain isiphenduke inhloso eqhubekayo.
Uma kubhekwa lesi simo, kunengqondo ukuthi okuhlukile okusha kuyaqina umqondo wokunquma ukuthi uzoyifaka kuphi imithwalo ekhokhelwayo ngaphakathi kwephrojekthiLapho kuvela indawo yakho “yemvelo” kakhulu, mancane amathuba okuthi unjiniyela azoyibona lapho eskena ngokushesha.
I-ergonomics yokuhlasela: amaphutha, izigaba nezimpawu
IMicrosoft isivele imemezele ukuthuthukiswa kwe-XCSSET ekuqaleni kwalo nyaka. ukuphathwa kwamaphutha nokuphikelela. Okubalulekile ukuthi manje ingena ochungechungeni lokutheleleka ngesinyathelo ngesinyathelo: i-AppleScript eyethula umyalo wegobolondo, olanda enye i-AppleScript yokugcina, yona nayo. iqoqa ulwazi lwesistimu futhi yethule ama-submodule.
Uma ufuna izimpawu, ukuba khona ~/.zshrc_aliases, izikhohlisi ku-~/.zshrc, okufakiwe okusolisayo kokuthi LaunchDaemons, noma i-System Settings.app engavamile ku-/tmp Lezi yizinkomba okufanele uziqaphele. Noma yimuphi umsebenzi odidayo kuDokhi (isb., izindlela ezifakwe esikhundleni se-Launchpad) kufanele futhi ucuphe ama-alamu.
Ezindaweni eziphethwe, ama-SOC kufanele alinganise imithetho elandelwayo I-osascript engajwayelekile, izingcingo eziphindaphindiwe eziya ku-dockutil, kanye nama-artifact anekhodi ye-Base64 noma abethelwe exhunywe kuzinqubo zokwakha ze-Xcode nokusebenzisa amathuluzi ukuze buka izinqubo ezisebenzayo ku-macOS. Umongo wokuhlanganiswa uyisihluthulelo sokunciphisa imibono engamanga.
I-XCSSET iqonde bani?
Ukugxila kwemvelo yilabo abathuthukisa noma abahlanganisa ne-Xcode, kodwa umthelela ungadlulela kubasebenzisi abanjalo faka izinhlelo zokusebenza ezakhelwe ngaphakathi kusuka kumaphrojekthi angcolile. Ucezu lwezezimali luvela ku- ukudunwa kwebhodi lokunamathisela, efanelekile ikakhulukazi kulabo abaphatha ama-cryptocurrencies njalo.
Ku-data sphere, i- ukukhishwa kuFirefox nezinye izinhlelo zokusebenza ibeka imininingwane, amakhukhi esikhathi, namanothi omuntu siqu engcupheni. Engeza kulokhu amakhono wefa we izithombe-skrini, ukubethela kwefayela, namanothi esihlengo, isithombe singaphezu kokuphelela.
Ukuhlasela okutholiwe kuze kube manje kubonakala kunjalo kunqunyelwe kububanzi, kodwa njengoba kuvame ukuba njalo, isilinganiso sangempela somkhankaso singase sithathe isikhathi ukuvela. I-modularity isiza ukuphindaphinda okusheshayo, ukuguqulwa kwamagama, kanye ukulungisa kahle ukugwema ukutholwa.
Izincomo ezisebenzayo zokunciphisa ubungozi
Okokuqala, buyekeza isiyalo: Gcina ama-macOS nezinhlelo zokusebenza kusesikhathini samanje futhi ucabange izixazululo ze-antimalware. I-XCSSET isivele isebenzise ubungozi, okuhlanganisa nezinsuku eziyiziro, ngakho ukuthuthukela enguqulweni yakamuva kunciphisa kakhulu indawo yokuhlasela.
Okwesibili, hlola amaphrojekthi we-Xcode oyilandayo noma oyifanisayo kumakhosombe, futhi ukuqaphele kakhulu okuhlanganisayo. Buyekeza imibhalo yokwakha, Qalisa Izigaba Zeskripthi, ukuncika kanye nanoma imaphi amafayela asetshenziswa enqubweni yokwakha.
Okwesithathu, qaphela ibhodi lokunamathisela. Gwema ukukopisha/ukunamathisela amakheli e-wallet angaqinisekisiwe: Hlola kabili uhlamvu lokuqala nelokugcina ngaphambi kokuqinisekisa okwenziwayo. Kuyisenzo esincane esingakongela izinkinga eziningi.
Okwesine, i-telemetry nokuzingela. Iqapha i-osascript, i-dockutil, ishintshela kokuthi ~/.zshrc, kanye ne-LaunchDaemonsUma uphatha izimoto, hlanganisa imithetho ye-EDR ethola ama-AppleScript ahlanganisiwe angajwayelekile noma ukulayisha okuphindaphindwayo okunamakhodi ezinqubweni zokwakha.
Umbhali oshisekayo ngomhlaba wamabhayithi nobuchwepheshe ngokujwayelekile. Ngiyathanda ukwabelana ngolwazi lwami ngokubhala, futhi yilokho engizokwenza kule bhulogi, ngikubonise zonke izinto ezithakazelisayo kakhulu ngamagajethi, isofthiwe, ihadiwe, izitayela zobuchwepheshe, nokuningi. Inhloso yami ukukusiza ukuthi uzulazule emhlabeni wedijithali ngendlela elula nejabulisayo.