XCSSET Malware Can Adapt to Target More MacsTrend Micro Describes the Evolving Threat
The XCSSET malware campaign can now adapt to target a wider variety of Macs, including those with the M1 chip, according to Trend Micro researchers.
XCSSET was uncovered in August 2020, when it was exploiting two zero-day vulnerabilities and injecting malicious code into Xcode projects built on users’ devices, Trend Micro reports. Xcode is Apple's integrated development environment for macOS.
In March, researchers at Kaspersky found that XCSSET could run on Macs with the new M1 chip. Further analysis by Trend Micro on the binary files downloaded from the command-and-control server found that nearly all of them contained both x86_x64 and ARM64 architectures.
"Besides adding support for the M1 chip, XCSSET malware has taken other actions to fit macOS 11 Big Sur as well," Trend Micro researchers note. "The malware's latest modules, such as the new icons.php module, introduces changes to the icons to fit their victim's OS."
Imitation apps for Big Sur are also created from malicious AppleScript files, researchers found. The icon files are downloaded from a command-and-control server, and then their info.plist files are modified so that the fake app's icon is disguised to appear like that of the legitimate app. Unsuspecting users download the malicious malware file that appears to be the legitimate app.
Circumventing Security Policies
Trend Micro researchers who analyzed the source code for the updated XCSSET malware found it can circumvent macOS 11's new security policies.
"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," the researchers note.
Unlike the previous version of XCSSET, the latest version now tries to steal confidential data from sites such as 163.com, Huobi, binance.com, nncall.net, Envato and login.live.com, TrendMcro says.
For cryptocurrency trading platform Huobi, the malware not only steals account information but also is able to replace the address in a user’s cryptocurrency wallet, the researchers note.
"It hosts Safari update packages in the C2 server, then downloads and installs packages for the user’s OS version. To adapt to the newly released Big Sur, new packages for Safari 14 were added. As we have observed in Safari remote.applescript, it downloads a corresponding Safari package according to the user’s current browser and OS versions," researchers note.