Morioh
Login
Hollie Ratke

Hollie Ratke

3 years ago

A campaign aimed at Mac users is spreading the XCSSET suite of malware, which has the capability to hijack the Safari web browser and inject various JavaScript payloads that can steal passwords, financial data and personal information, deploy ransomware and more.

Infections are propagating via Xcode developer projects, researchers noted; the cybercriminals behind the campaign are injecting the malware into them, according to Trend Micro. Xcode consists of a suite of free, open software development tools developed by Apple for creating software for macOS, iOS, iPadOS, watchOS and tvOS. Thus, any apps built on top of the projects automatically include the malicious code.

The initial discovery of the threat came when “we learned that a developer’s Xcode project at large contained the source malware — which leads to a rabbit hole of malicious payloads,” according to an analysis [PDF] from Trend Micro, released on Friday. “The threat escalates when affected developers share their projects via platforms such as GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects. We have also identified this threat in other sources including VirusTotal and Github, which indicates this threat is at large.”

The initial payload tucked into the projects comes in the form of a Mach-O executable. The researchers were able to trace an infected project’s Xcode work data files and found a hidden folder containing Mach-O, located in one of the .xcodeproj files.

When executed, the Mach-O malware connects to a hardcoded command-and-control (C2) server address, and begins to take screenshots of the current desktop at the rate of once a minute; once a new screenshot is taken, the previous one is deleted, the analysis noted.

However, Mach-O’s main purpose is to download and run the second-stage payload, an AppleScript file called main.scpt, which carries out most of the malicious behavior.

The research noted that when the “Main” payload is executed, it first harvests basic system information of the infected user, then kills certain running processes if present, including various browsers (Opera, Edge, Firefox, Yandex and Brave) as well as “com.apple.core,” “com.oracle.java” and others.

The payload then gets down to real business, obtaining and compiling malicious code into a Mac app package. The package name is mapped to an installed, well-known application name, such as Safari. Researchers detailed that it then replaces the app’s corresponding icon file and “Info.plist” to make the fake app look like a real, normal app –and thus, users go to open the normal app, the malicious one opens instead.

According to the analysis, when opened, the fake app package’s malicious capabilities are then executed, in the form of deploying a raft of modules used for various goals: Taking over browsers; stealing information from installed apps including Evernote, Skype and Telegram; and spreading to other hosts. It also has ransomware modules that it can deploy and dozens of other capabilities. Below is a partial list:

#malware #vulnerabilities #web security #browser hijack #cookies #developer projects #fake app #mac #mach-o #macos #malware #ransomware #spyware #trend micro #xcode projects #xcsset #zero day exploits

Mac Users Targeted by Spyware Spreading via Xcode Projects

threatpost.com

Mac Users Targeted by Spyware Spreading via Xcode Projects

The XCSSET suite of malware also hijacks browsers, has a ransomware module and more — and uses a pair of zero-day exploits.

1.15 GEEK