XCSSET, Mac malware known to target Xcode developers, now adds support for Apple's new M1 chips. Its operators have also added the ability to steal confidential information from cryptocurrency apps.
In March 2021, Kaspersky researchers uncovered new XCSSET samples upgraded for the new Apple M1 chips.
At the time, Kaspersky predicted that the new XCSSET modifications would inspire other malware authors to develop variants targeting Apple's new chips: "This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips."
The malware also delivers a trojanized Safari. "It hosts Safari update packages in the [command-and-control] server, then downloads and installs packages for the user's OS version," Trend Micro researchers said in an analysis published on Friday. "To adapt to the newly-released Big Sur, new packages for 'Safari 14' were added."
In addition to trojanizing Safari, XCSSET can now steal account information from multiple websites, including cryptocurrency trading platforms such as Binance and Huobi, as well as NNCall.net, Envato, and 163.com, and it can replace the address in a user's cryptocurrency wallet with one controlled by the attackers.
Still, the distribution of XCSSET via doctored Xcode projects is the more serious threat: affected developers may push the compromised projects to GitHub, where the malware spreads to anyone who clones and builds them. This may lead to "a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects," researchers explained.
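The article does not describe how an Xcode project is doctored, but one place a project file can carry attacker-controlled code that runs on every build is a Run Script build phase (a `PBXShellScriptBuildPhase` object in `project.pbxproj`). The following audit script is an added example, not code from the article or from Trend Micro or Kaspersky: it pulls every shell build phase out of a `project.pbxproj` and flags scripts showing dropper-like behaviour (fetching content, decoding base64, piping into an interpreter, stripping quarantine attributes). The sample project file and its build phases are constructed for the example, and the indicator list is a heuristic starting point, not a signature for XCSSET.

```python
"""Audit an Xcode project.pbxproj for Run Script build phases that look like droppers.

Added example: constructed sample input, heuristic indicators, not tied to any real malware sample.
"""
import re
import sys
from typing import Dict, List

# Behaviours a reviewer would want to see explained in a build script.
# These are heuristics: review every hit by hand before acting on it.
INDICATORS = [
    (r"\b(curl|wget)\b", "downloads content at build time"),
    (r"\bbase64\s+(-d|-D|--decode)\b", "decodes a base64 blob"),
    (r"\|\s*(sh|bash|zsh|python3?|perl|osascript)\b", "pipes data into an interpreter"),
    (r"\beval\b", "uses eval"),
    (r"\bosascript\b", "runs AppleScript"),
    (r"\bxattr\s+-[a-z]*d\b", "strips extended attributes (quarantine)"),
    (r"\bchmod\s+\+?x\b", "marks a file executable"),
    (r"/tmp/|/var/tmp/|\$TMPDIR", "stages files in a temp directory"),
    (r"&>\s*/dev/null|>\s*/dev/null\s+2>&1", "silences all output"),
]

# Constructed sample project.pbxproj fragment (not a real project): a benign
# SwiftLint phase, a hypothetical suspicious phase, and a non-script phase.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
	objects = {
		AA0001 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run SwiftLint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA0002 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Update Pods";
			shellPath = /bin/sh;
			shellScript = "echo aGVsbG8= | base64 -d | sh\n";
		};
		AA0003 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = ( );
		};
	};
}
'''

# Matches one shell build phase object. Assumes Xcode's usual layout: object id,
# optional /* comment */, then "isa = PBXShellScriptBuildPhase;" as the first key.
_PHASE_RE = re.compile(
    r"(?P<id>[0-9A-Fa-f]{6,})\s*(?:/\*[^*]*\*/)?\s*=\s*\{\s*isa\s*=\s*PBXShellScriptBuildPhase;"
    r"(?P<body>.*?)\n\s*\};",
    re.DOTALL,
)


def _unescape(s: str) -> str:
    """Undo the C-style escaping pbxproj applies inside quoted strings (\\n, \\", \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def _field(body: str, key: str) -> str:
    """Return the value of `key = value;` from an object body, quoted or bare."""
    pat = r"^\s*" + re.escape(key) + r'\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))\s*;'
    m = re.search(pat, body, re.MULTILINE)
    if not m:
        return ""
    return _unescape(m.group(1)) if m.group(1) is not None else m.group(2)


def extract_shell_phases(pbxproj_text: str) -> List[Dict[str, str]]:
    """List every Run Script build phase with its id, name, shell and decoded script."""
    phases = []
    for m in _PHASE_RE.finditer(pbxproj_text):
        body = m.group("body")
        phases.append({
            "id": m.group("id"),
            "name": _field(body, "name") or "(unnamed Run Script)",
            "shell": _field(body, "shellPath"),
            "script": _field(body, "shellScript"),
        })
    return phases


def flag_script(script: str) -> List[str]:
    """Return the indicator descriptions that fire on a build script."""
    return [why for pat, why in INDICATORS if re.search(pat, script)]


def audit_pbxproj(pbxproj_text: str) -> List[Dict[str, object]]:
    """Return only the shell phases that trip at least one indicator."""
    findings = []
    for phase in extract_shell_phases(pbxproj_text):
        reasons = flag_script(phase["script"])
        if reasons:
            findings.append({**phase, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: python audit_pbxproj.py MyApp.xcodeproj/project.pbxproj  (no arg: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in audit_pbxproj(text):
        print(f"[{f['id']}] {f['name']} ({f['shell']}): {', '.join(f['reasons'])}")
        print("    " + f["script"].strip().replace("\n", "\n    "))
```

Run it against every `project.pbxproj` in a repository before building a project you did not author; a phase that decodes a blob and pipes it into `sh` is worth a look regardless of how innocuous its name is. Since the build phase runs with the developer's privileges inside Xcode, this check belongs in clone-time review and CI rather than after the first build.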