GET /api/techniques/389/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 389,
    "key": "xprotect-encryption-abuse",
    "unprotect_id": "U0711",
    "name": "XProtect Encryption Abuse",
    "description": "Malware can abuse Apple's macOS XProtect string encryption algorithm to hide critical strings, including commands, browser paths, extension IDs, cryptocurrency wallet locations, and command-and-control (C2) details.\r\n\r\nThis technique leverages the same XOR-based encryption logic implemented in macOS’s XProtect antivirus engine, where it is used for “encrypted YARA rules stored within the XProtect Remediator binaries”.\r\n\r\nThe encryption process XORs each byte of the string with a key derived from bitwise operations on an encryption key and the byte index. The decrypted output exists only in memory during execution, which complicates detection by antivirus solutions.\r\n\r\nThe encrypted strings remain hidden in the malware's binary; at runtime, a decryption function processes them to reconstruct the plaintext in memory for use. For example, malware authors embed encrypted strings for C2 server URLs or file paths, which are decrypted dynamically when required.\r\n\r\nCombining XProtect’s encryption logic with runtime decryption allows the malware to evade static analysis and signature-based detection methods.",
    "windows": "",
    "linux": "",
    "macos": "",
    "resources": "https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/",
    "creation_date": "2025-01-11T03:49:23.825089Z",
    "tags": "macOS, malware, XProtect, string encryption,",
    "modification_date": "2025-01-11T04:03:24.710956Z",
    "category": [
        7
    ],
    "rules": [
        165
    ],
    "attachments": [],
    "featured_api": [],
    "contributors": [
        5
    ]
}