Trend Micro researchers have found a new macOS malware that’s being distributed cleverly. Named as XCSSET, this malware is somehow injected into the Xcode projects of developers, which will be activated when the project started to run. It also exploits two zero-day vulnerabilities to steal data and run remote malicious code in the host system.
New Malware and Zero-day Bugs Found in macOS and Safari
While it’s true that Apple devices are better secured than Android or Windows machines, any bug or malware crafted for exploiting Apple products won’t go that easily. A new malware named XCSSET found by Trend Micro team has been infecting the Xcode projects of developers.
The Xcode is an integrated environment of tools to help developers build apps and softwares for Apple platforms like iOS, macOS, iPad os, WatchOS etc. And now, the XCSSET malware is somehow infecting all those Xcode projects developed by developers. Researchers say it could form like a supply-chain attack, since external other developers may pick parts of the infected Xcode projects to build their products.
Appreciating the clever distribution strategy, this malware would be running when the program/project starts and is capable of exploiting two zero-day vulnerabilities. The first of the two bugs were found in Safari browser, where this malware can trigger the flaw in Data Vault, and bypass macOS protection to access Safari cookie files.
And the second vulnerability is found in Safari WebKit, which should be asking the user for his password when launched, but the bug within let the malware bypass and execute malicious operations via the un-sandboxed Safari browser. Exploiting these can let the attacker read and dump the Safari data, which may contain Apple Store credit card information, credentials from sources including Apple ID, Google, Paypal, and Yandex.
Also, it’s capable of modifying the sessions of Safari to display malicious websites and change cryptocurrency wallet addresses. Researchers said it can steal user data like including Evernote content, Notes information, and communication from Skype, Telegram, QQ, and WeChat applications.