XProtect Encryption Abuse

Created the Saturday 11 January 2025. Updated 4 days, 8 hours ago.

Malware can abuse Apple's macOS XProtect string encryption algorithm to hide critical strings, including commands, browser paths, extension IDs, cryptocurrency wallet locations, and command-and-control (C2) details.

This technique leverages the same XOR-based encryption logic implemented in macOS’s XProtect antivirus engine, this encryption is used for “encrypted YARA rules stored within the XProtect Remediator binaries”.

The encryption process involves XORing each byte of the string with a key derived from bitwise operations on an encryption key and the byte index. The decrypted output is only available in memory during execution, complicating detection by antivirus solutions.

The encrypted strings remain hidden in the malware's binary, and during runtime, a decryption function processes the strings, to reconstruct them in memory for use. For example, malware authors embed encrypted strings related to C2 server URLs or file paths, which are decrypted dynamically when required.

The combination of leveraging XProtect’s encryption logic and runtime decryption allows the malware to evade static analysis and signature-based detection methods.

Technique Identifier

U0711

Technique Tags

macOS malware XProtect string encryption

Code Snippets

Description

This decryption function, authored by Check Point Research, uses a bitwise right-shift and XOR operation with a provided encryption key to decrypt MacOS XProtect binaries and similar encrypted strings, terminating at the first null character.

def macos_xprotect_string_decryption(encrypted: bytes, encr_key: int) -> str:
    """
    Author: @Check Point Research
    Decrypts MacOS Xprotect binaries & Banshee Stealer encrypted strings.
    """
    decrypted = "".join(
        chr(
            (encr_key >> ((i * 8) & 0x38) & 0xFF) ^ encrypted[i]
        )
        for i in range(len(encrypted))
    )
    return decrypted.partition("\\x00")[0]

About Author Open Snippet

Author: None / Target Platform: Macos

Detection Rules

rule macos_XprotectDecryption
{
  meta:
    author = "Antonis Terefos @Tera0017 | modified by @fr0gger_"
    descr = "Detects macOS binaries and associated decryption algorithms"
    hahs = "ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038"
  
  strings:

    // Decryption algorithm patterns (x64 and ARM)
    $x64_code_str_decr1 = { 80 E1 ?? (48|49) 89 (DE|F0|FE) (48|49) D3 (EE|E8) (40|44) 30 ?? 48 83 C2 08 }
    $x64_code_str_decr2 = { 48 89 ?? 48 D3 [1-2] 30 ?? 48 83 C1 08 48 FF C? }
    $arm_code_str_decr1 = { 0B 09 7D 92 2B 25 CB 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91 }
    $arm_code_str_decr2 = { 2B 25 C8 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91 }
  
  condition:
    (uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xBEBAFECA) and 
    (2 of ($x64_code_str_decr*) or 2 of ($arm_code_str_decr*))
}

Contributor

Thomas Roccia (fr0gger)

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
ccf151ccc9b8dbecea4b18bcfd85...c9641b9d35a9d2bec05bf3ec25e1	1	2025-01-14	13 hours, 50 minutes ago
ce371a92e905d12cb16b5c273429...5485dda04bfedf002d2006856038	1	2025-01-11	4 days, 8 hours ago

View All