A new family of malware exploits Xcode and can lead to a “rabbit-hole” of payloads. The malware, named XCSSET, avoids infecting individual users and instead burrows itself inside the Xcode framework. It does this initially, so later it can be delivered in supply chain-like attacks.
Xcode is a free Integrated Development Environment, or IDE, for macOS and used for software development within the Apple ecosystem. At this point, how XCSSET Malware burrows inside and modifies the Xcode to run its corrupted code with a project is not yet known. This results in developers unwittingly spreading malware infections to their users. Unfortunately, there have already been a number of developers who have uploaded compromised Xcode projects to GitHub.
XCSSET Malware Exploits Safari Vulnerabilities
XCSSET malware compromises the Safari browser via two previously undiscovered vulnerabilities. The first of the zero-day bugs bypasses the System Integrity Protection, or SIP, feature designed to protect the Safari cookies file located in /Library/Cookies/Cookies.binarycookies via an SSHD process. The second zero-day flaw is associated with the Safari WebKit for Developers. This flaw allows XCSSET to bypass the WebKit credentials and begin performing adverse operations without approval.
Additionally, information can also be exfiltrated from applications including Skype, WeChat, QQ, and Telegram. XCSSET Malware also operates like a traditional ransomware threat with file encryption capabilities and a standard ransom note.
XCSSET Malware Attacks macOS 11
Trend Micro researchers discovered that an update for XCSSET malware could circumvent macOS 11’s new security policies. According to Trend Micro researchers, “The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system’s built-in open command to run the apps.”
Unlike the previous version, the new and improved XCSSET now steals confidential data from sites such as 163.com, huobi.com, binance.com, nncall.net, envato.com, and login.live.com. On cryptocurrency trading platform Huobi, XCSSETsteals account information and replaces addresses in the victim’s cryptocurrency wallet.