Kaspersky’s researchers report a new variant of the XCSSET Mac malware that is targeting devices running on Apple’s new M1 chips.
First discovered by Trend Micro in August 2020, XCSSET is a Mac malware that exploits zero-day vulnerabilities to steal sensitive information and launch ransomware attacks. The malware was spotted stealing data from such popular applications as Evernote, Skype, Notes, QQ, WeChat, and Telegram. The malware can also capture screenshots, exfiltrate stolen documents to the attackers, and encrypt files and display a ransom note.
The malware can also replace cryptocurrency addresses and steal credentials for online services (Paypal, amoCRM, Apple ID, Google, SIPMarket, and Yandex) and payment card information from the Apple Store. It does this by launching universal cross-site scripting (UXSS) attacks and injecting JavaScript code into the browser while the victim visits specific websites.
However, those are capabilities of the original variant of XCSSET. Recently, Kaspersky discovered a new variant compiled for devices running on the new Apple M1 chips.
“While exploring the various executable modules of XCSSET, we found out that some of them also contained samples compiled specially for new Apple Silicon chips. For example, a sample with the MD5 hash sum 914e49921c19fffd7443deee6ee161a4 contains two architectures: x86_64 and ARM64,” states a report recently published by Kaspersky.
The first hash sum corresponds to Intel-based Mac computers, and the second one is for ARM64 architecture which means XCSSET can now run on computers with M1 chip.
Experts from Kaspersky suppose that the XCSSET campaign is likely still ongoing and multiple malware authors are recompiling Mac malware to run on new Apple Macs M1 chips.
This is not the first time malware specifically designed for M1 chips was spotted.
In January, the popular security researcher Patrick Wardle discovered one of the first malware designed to target M1 chips. Later in February, researchers at Red Canary uncovered another malware, Silver Sparrow, that we’ve reported about.
Kaspersky believes such examples will inspire other malware authors to develop new variants targeting Alle’s new chips.
“This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips.”
“With the new M1 chip, Apple has certainly pushed its performance and energy saving limits on Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture,” Kaspersky concludes.
