Security researchers at Trend Micro have discovered a new campaign that uses developers as the vector for spreading the XCSSET malware suite to unsuspecting Mac users.
The malware, which can also be used to deploy ransomware, was first found inside developers' Xcode projects. Xcode is Apple's free integrated development environment (IDE), used on macOS to build applications for iPhone, iPad, Mac, Apple Watch and Apple TV. Trend Micro's researchers gave further detail on the discovery in a blog post, saying:
“This scenario is quite unusual; in this case, malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run. This poses a risk for Xcode developers in particular. The threat escalates since we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects. We have also identified this threat in sources such as VirusTotal, which indicates this threat is at large.”
While cybercriminals usually spread malware through phishing emails and spam, this campaign instead relies on the fact that developers share their work online: an infected project pushed to a public repository carries XCSSET to everyone who clones it or pulls it in as a dependency. Trend Micro has already found Xcode projects infected with XCSSET on GitHub and on VirusTotal, which means the malware is already circulating on the web.
Once XCSSET is on a system, it targets the installed browsers and exploits vulnerabilities in them to steal user data. On Safari it abuses two bugs: one in the browser's Data Vault, which lets the malware circumvent macOS's System Integrity Protection (SIP) and read Safari cookies, and a second in the way Safari's WebKit operates, which lets an attacker mount universal cross-site scripting (UXSS) attacks.
According to Trend Micro, the UXSS bug can be used not only to steal users' information but also to tamper with live browser sessions: displaying malicious websites, swapping cryptocurrency wallet addresses, harvesting credit card details from the App Store, and stealing credentials for Apple ID, Google, PayPal, Yandex and other services.
In order to avoid accidentally spreading the XCSSET malware, Trend Micro recommends that Xcode project owners triple-check the integrity of their projects “in order to definitely nip unwarranted problems such as malware infection in the future”.
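One concrete form that integrity check can take, as an added example (this is not Trend Micro's code and not an XCSSET artifact): list every Run Script build phase in a project's `project.pbxproj` and flag the traits a build-time payload injected there would be likely to have. Since the article does not state the injection mechanism, the script assumes that code which "runs when the project is built" was placed in a `PBXShellScriptBuildPhase`; the sample project text, its object IDs, the phase names and the suspicious script are all constructed for the example, and the heuristics are an assumed starting list, not a detection signature.

```python
"""Audit the Run Script build phases of an Xcode project.pbxproj.

Added example, not Trend Micro's code and not an XCSSET artifact. Assumption:
code that runs "when the project is built" was injected as a
PBXShellScriptBuildPhase. Other vectors (added source files, hidden helper
files inside the .xcodeproj bundle) are not covered here.
"""
import re
import sys
from dataclasses import dataclass

# One pbxproj object: "<24-hex id> /* comment */ = { ... };". Xcode writes the
# closing "};" on its own line, so a non-greedy match to that is enough for
# script phases, which contain no nested braces.
_OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-Fa-f]{24})(?: /\* (?P<comment>[^*]*) \*/)? = \{(?P<body>.*?)\n\s*\};',
    re.DOTALL,
)
# "key = value;" where value is a quoted string (with backslash escapes) or bare.
_ATTR_RE = re.compile(r'(\w+) = ("(?:[^"\\]|\\.)*"|[^;]+);')

# Heuristics (assumed, not a signature) for what a lint/format/codegen step
# normally does not do.
SUSPICIOUS = {
    "downloads content": re.compile(r'\b(curl|wget)\b'),
    "decodes hidden payload": re.compile(r'\b(base64|xxd|openssl\s+enc)\b'),
    "evaluates generated code": re.compile(r'\b(eval|osascript|python[23]?\s+-c|perl\s+-e)\b'),
    "touches hidden path": re.compile(r'(^|[\s/"=])\.[A-Za-z0-9_-]+/'),
    "marks executable": re.compile(r'chmod\s+[+0-7]*x'),
}
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


@dataclass
class ScriptPhase:
    object_id: str
    name: str
    shell_path: str
    script: str


def _unquote(value: str) -> str:
    """Strip pbxproj quotes and resolve its backslash escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        escapes = {"n": "\n", "t": "\t"}
        value = re.sub(r'\\(.)', lambda m: escapes.get(m.group(1), m.group(1)), value[1:-1])
    return value


def parse_script_phases(pbxproj: str) -> list[ScriptPhase]:
    """Return every PBXShellScriptBuildPhase object in the file, in file order."""
    phases = []
    for m in _OBJECT_RE.finditer(pbxproj):
        attrs = {k: _unquote(v) for k, v in _ATTR_RE.findall(m.group("body"))}
        if attrs.get("isa") != "PBXShellScriptBuildPhase":
            continue
        phases.append(ScriptPhase(
            object_id=m.group("id"),
            name=attrs.get("name") or m.group("comment") or "ShellScript",
            shell_path=attrs.get("shellPath", "/bin/sh"),
            script=attrs.get("shellScript", ""),
        ))
    return phases


def audit_project(pbxproj: str, expected_phases: set[str]) -> dict[str, list[str]]:
    """Map each script phase's object id to its findings; an empty list is clean."""
    report = {}
    for phase in parse_script_phases(pbxproj):
        findings = []
        if phase.name not in expected_phases:          # phase the owner did not add
            findings.append(f"unexpected build phase {phase.name!r}")
        if phase.shell_path not in ALLOWED_SHELLS:
            findings.append(f"unusual interpreter {phase.shell_path}")
        findings += [label for label, rx in SUSPICIOUS.items() if rx.search(phase.script)]
        report[phase.object_id] = findings
    return report


# Constructed sample: a benign lint phase and a phase with the traits an
# injected build-time payload would have. IDs and script are invented.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
/* Begin PBXShellScriptBuildPhase section */
		0A1B2C3D4E5F60718293A4B5 /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			files = (
			);
			name = "Run SwiftLint";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
		};
		FFEEDDCCBBAA998877665544 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "cat \"$SRCROOT/.assets/icon.dat\" | base64 -d > /tmp/.x && chmod +x /tmp/.x && /tmp/.x &\n";
		};
/* End PBXShellScriptBuildPhase section */
	};
}
'''


def main(argv: list[str]) -> int:
    # Usage: audit_pbxproj.py App.xcodeproj/project.pbxproj "Run SwiftLint" ...
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PBXPROJ
    expected = set(argv[2:]) or {"Run SwiftLint"}
    report = audit_project(text, expected)
    for phase in parse_script_phases(text):
        print(f"{phase.object_id} {phase.name!r}: {'; '.join(report[phase.object_id]) or 'ok'}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real project with the names of the phases you added yourself (the file name `audit_pbxproj.py` is a placeholder); a phase that is not on that list, or that matches one of the heuristics, is worth diffing against a known-good checkout before the project is pushed or built. The check is deliberately conservative: it only reads the project file, so it can be run on a cloned dependency before Xcode ever executes its build phases.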