Malware That Spreads Via Xcode Projects Now Targeting Apple’s M1-based Macs

Cyber Security

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple’s new M1 chips and expand its features to steal confidential information from cryptocurrency apps.

XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload. The malware repackages payload modules to imitate legitimate Mac apps, which are ultimately responsible for infecting local Xcode projects and injecting the main payload to execute when the compromised project builds.

XCSSET modules come with the capabilities to steal credentials, capture screenshots, inject malicious JavaScript into websites, plunder user data from different apps, and even encrypt files for a ransom.

Then in March 2021, Kaspersky researchers uncovered XCSSET samples compiled for the new Apple M1 chips, suggesting that the malware campaign was not only ongoing but also that adversaries are actively adapting their executables and porting them to run on new Apple Silicon Macs natively.

The latest research by Trend Micro shows that XCSSET continues to abuse the development version of the Safari browser to plant JavaScript backdoors onto websites via Universal Cross-site Scripting (UXSS) attacks.

“It hosts Safari update packages in the [command-and-control] server, then downloads and installs packages for the user’s OS version,” Trend Micro researchers said in an analysis published on Friday. “To adapt to the newly-released Big Sur, new packages for ‘Safari 14’ were added.”

In addition to trojanizing Safari to exfiltrate data, the malware is also known for exploiting the remote debugging mode in other browsers such as Google Chrome, Brave, Microsoft Edge, Mozilla Firefox, Opera, Qihoo 360 Browser, and Yandex Browser to carry out UXSS attacks.

What’s more, the malware now even attempts to steal account information from multiple websites, including cryptocurrency trading platforms Huobi, Binance, NNCall.net, Envato, and 163.com, with abilities to replace the address in a user’s cryptocurrency wallet with those under the attacker’s control.

XCSSET’s mode of distribution via doctored Xcode projects poses a serious threat, as affected developers who unwittingly share their work on GitHub could pass on the malware to their users in the form of the compromised Xcode projects, leading to “a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects.”