Security researchers have revealed new research regarding XCSSET that now targets Apple’s macOS 11 and M1-based Macs. XCSSET had historically targeted Xcode projects to deliver malicious payloads.
According to Trend Micro researchers, XCSSET has evolved to work on both ARM64 and x86_x64 Macs and also used to download other payloads.
Last August, the malware was spotted inserting malicious code into XCode projects and also leveraged two zero-days to exploit a flaw in Data Vaults and plant a JavaScript backdoor in Safari. This type of threat posed a risk to Xcode developers since they share their projects via GitHub. As a result, the malware infected code can lead to a “supply-chain” type attack against other users or organizations that rely on the code repositories.
Just last month, Kaspersky discovered newly discovered samples of XCSSET malware can run on Macs with the ARM-based M1 processors. Trend Micro then recently analyzed samples from a command-and-control (C2) server and found XCSSET not only adapted support for M1 chips, but also added “big changes” for macOS 11 Big Sur.
“This malware leverages the development version of Safari to load malicious Safari frameworks and related JavaScript backdoors from its C&C server. It hosts Safari update packages in the C&C server, then downloads and installs packages for the user’s OS version,” Trend Micro wrote in a blog post.
Moreover, the XCSSET leverages a safari_remote.applescript to download packages such as “Safari 14” and malicious AppleScript files, as well as icons used to disguise the malware as legitimate apps.
Trend Micro also clarified that although the newer macOS 11 does have a new security feature to prevent code modifications, it “doesn’t apply to translated x86 binaries that run under Rosetta 2, nor a macOS 11 that runs on an Intel-based platform.”
Finally, XCSSET’s fake apps and files are code signed using the codesign –force –deep -s – command to cleverly bypass macOS 11 security policies.
Readers can check out the full Trend Micro report for more details on the latest XCSSET malware samples and findings.