XCSSET Mac Malware Spreads Via Compromised Xcode Projects

Summary

Researchers at Trend Micro detailed a Mac malware, known as XCSSET, that exploits Xcode projects to compromise Safari and other web browsers. The Xcode projects are modified in order to run malicious code as the projects are built, leading to the download of the XCSSET malware. When compromising the Safari browser, the malware exploits two vulnerabilities, one in Data Vault and another in WebKit. The vulnerabilities allow Safari cookies to be read and used to inject JavaScript backdoors into display pages through a Universal Cross-Site Scripting (UCSS) attack. XCSSET provides threat actors the ability to view general user information, modify browser sessions, change cryptocurrency wallets, obtain Apple Store payment card data, steal credentials from various sources, take screenshots, upload files, and view communications from applications such as Skype, Telegram, QQ, and WeChat. The malware also contains a ransomware module. Xcode project developers may inadvertently distribute the malware through the sharing of their compromised projects.

Recommendations

The NJCCIC recommends reviewing the Trend Micro blog post and related technical brief, and using the indicators of compromise (IOCs) provided for detection purposes. Users are advised to only download apps and other software via legitimate marketplaces and sources.