TTCSIRT-333.08.19.20: TT-CSIRT ADVISORY - MAC MALWARE XCSSET CAMPAIGN
Security researchers at Trend Micro have discovered a new campaign which utilizes developers as a means to spread the XCSSET suite of malware to unsuspecting Mac users.
While cybercriminals often use phishing emails and spam to spread other types of malware, this new campaign takes advantage of the fact that developers often share their work online in order to spread XCSSET.
Trend Micro has already discovered Xcode projects infected with XCSSET on GitHub as well as on VirusTotal, which means that this new Mac malware is now making its way around the web.
Once XCSSET finds its way onto a vulnerable system, the malware targets any installed browsers and uses vulnerabilities to steal user data such as Google, Apple ID and PayPal usernames and passwords, as well as data from Skype, Telegram, Evernote and WeChat, and may even install ransomware.
On Safari, XCSSET takes advantage of a bug in the browser’s Data Vault as well as a second vulnerability in the way Safari’s WebKit operates.
The first bug allows the malware to circumvent macOS’ System Integrity Protection (SIP) feature to steal Safari cookies while the second bug allows an attacker to launch universal cross-site scripting (UXSS) attacks.
According to Trend Micro, the UXSS bug can be used not only to steal users’ information but also to modify browser sessions to display malicious websites, change cryptocurrency wallet addresses, harvest credit card information from the App Store and steal credentials from a variety of other sources such as Apple ID, Google, PayPal and Yandex.
The malware was first found inside developers’ Xcode projects. Xcode is a free integrated development environment (IDE) used by developers on macOS to create applications for iPhone, iPad, Mac, Apple Watch, and Apple TV.
To protect yourself, make sure you’re running some of the best Mac antivirus software, because Apple’s built-in defenses may not catch the malware. You may also want to install apps only from Apple’s own App Store for the time being.
The Trinidad and Tobago Cyber Security Incident Response Team (TTCSIRT) encourages users and administrators to review and apply the necessary updates.
If you have any queries or comments with regards to this advisory, please feel free to contact TTCSIRT via firstname.lastname@example.org