XCSSET, the Mac malware known for targeting Xcode developers, now adds support for Apple’s new M1 chips. Its operators have also added the ability to steal confidential information from cryptocurrency apps.
XCSSET was first detected in August 2020, when attackers spread it via infected Xcode IDE projects. The malware exploited zero-day vulnerabilities and was disguised as legitimate Mac apps that injected the main payload into Xcode projects. XCSSET’s capabilities included credential theft, screenshot capture, collecting user data from different apps, injecting malicious JavaScript into websites, and encrypting files for ransom.
In March 2021, Kaspersky researchers uncovered new XCSSET samples upgraded for the new Apple M1 chips.
At the time, Kaspersky predicted that the new XCSSET modifications would inspire other malware authors to develop variants targeting Apple’s new chips. “This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips.”
In line with that prediction, a Trend Micro report suggested that XCSSET operators continue to develop the tool and are abusing the development version of the Safari browser to plant JavaScript backdoors onto websites via universal cross-site scripting (UXSS) attacks.
“It hosts Safari update packages in the [command-and-control] server, then downloads and installs packages for the user’s OS version,” Trend Micro researchers said in an analysis published on Friday. “To adapt to the newly-released Big Sur, new packages for ‘Safari 14’ were added.”
In addition to trojanizing Safari, XCSSET now has features that allow it to steal account information from multiple websites, including cryptocurrency trading platforms such as Binance, NNCall.net, Huobi, Envato, and 163.com, and to replace the user’s cryptocurrency wallet address with one controlled by the attackers.
Still, the distribution of XCSSET via doctored Xcode projects is the more serious threat: affected developers can share their code on GitHub and, in this way, spread the malware in the compromised Xcode projects to their own users. This may lead to “a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects,” the researchers explained.