In March 2021, Sentinel Labs researchers became aware of a trojanized Xcode project targeting iOS developers. The project was a malicious version of a legitimate, open-source project available on GitHub that lets iOS programmers use several advanced features for animating the iOS Tab bar.
XCSSET Malware Equipped with New Dangerous Capabilities
Now, a similar campaign is once again targeting Xcode developers, this time with variants built for Macs running Apple’s new M1 chips. The malware is also capable of stealing sensitive information from cryptocurrency applications.
The XCSSET malware was first discovered in August 2020, when it was spreading via altered Xcode IDE projects. The malware usually works by repackaging its payload modules to appear as legitimate Mac apps, which then infect local Xcode projects. The malware’s modules include credential stealing, screenshot capturing, injecting malicious JavaScript into websites, stealing app data, and in some cases, even ransomware capabilities.
Newer XCSSET variants are compiled for Apple M1 chips, Kaspersky research revealed last month. This is a clear sign that the malware operators are adapting their malware to fit the latest Apple technologies.
As for the latest malware variants, Trend Micro says that XCSSET continues to exploit the Safari browser to infect websites with JavaScript backdoors in Universal Cross-site Scripting (UXSS) attacks. According to Trend Micro’s latest report:
[…] this malware leverages the development version of Safari to load malicious Safari frameworks and related JavaScript backdoors from its C&C server. It hosts Safari update packages in the C&C server, then downloads and installs packages for the user’s OS version. To adapt to the newly-released Big Sur, new packages for “Safari 14” were added.
Other improvements include the malware’s capability to target the latest macOS versions:
The malware’s latest modules, such as the new icons.php module, introduce changes to the icons to fit their victim’s OS. For example, a fake Finder’s icon for macOS versions 10.15 and lower has a downloaded icon file named Finder.icns with square corners, whereas macOS 11.1 has a downloaded icon file named FinderBigSur.icns and has an icon with rounded corners to mimic the ones used in Big Sur.
In other words, the malware can also create imitation apps for Big Sur, built from malicious AppleScript files, whose icon files are downloaded from a command-and-control server. The malware then modifies their info.plist files “so that the fake app’s icon is convincingly disguised as that of the legitimate app it’s trying to imitate,” Trend Micro says.
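The decoy technique described above (an app bundle whose Info.plist is edited to carry a system app’s name and a downloaded Finder.icns or FinderBigSur.icns icon) leaves a recognisable trace that a defender can look for. The script below is an added example, not code from the article or from Trend Micro: it walks a directory for .app bundles, parses each Contents/Info.plist with the standard plistlib module, and flags bundles whose CFBundleIconFile matches one of the two icon names quoted in the report, or which call themselves “Finder” while living outside the normal macOS app roots. The trusted roots, the bundle identifiers and the two sample bundles it builds in a temporary directory are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path

# Decoy icon file names quoted from the Trend Micro report on this page.
SUSPECT_ICON_FILES = {"Finder.icns", "FinderBigSur.icns"}
# Built-in app whose name a decoy bundle claims in the report; nothing else is assumed.
IMPERSONATED_NAMES = {"Finder"}
# Where genuine copies of such apps live on macOS (assumed trusted roots for this example).
TRUSTED_PREFIXES = ("/System/", "/Applications/")


def inspect_bundle(app_dir: Path) -> list[str]:
    """Read Contents/Info.plist of one .app and return a list of findings (empty = clean)."""
    plist_path = app_dir / "Contents" / "Info.plist"
    if not plist_path.is_file():
        return ["no Contents/Info.plist (not a usable bundle)"]
    with plist_path.open("rb") as fh:
        info = plistlib.load(fh)  # handles both XML and binary plists
    findings = []
    icon = info.get("CFBundleIconFile", "")
    name = info.get("CFBundleName", app_dir.stem)
    if icon in SUSPECT_ICON_FILES:
        findings.append(f"icon file {icon!r} is a decoy icon name seen in XCSSET")
    if name in IMPERSONATED_NAMES and not str(app_dir).startswith(TRUSTED_PREFIXES):
        findings.append(f"bundle calls itself {name!r} but is outside the trusted app roots")
    return findings


def scan_for_impostors(root: Path) -> dict[str, list[str]]:
    """Walk root for .app bundles and map bundle name -> findings."""
    return {app.name: inspect_bundle(app)
            for app in sorted(root.rglob("*.app")) if app.is_dir()}


def write_bundle(root: Path, app_name: str, plist: dict) -> Path:
    """Create a minimal .app skeleton with the given Info.plist (constructed fixture)."""
    app_dir = root / app_name
    (app_dir / "Contents" / "Resources").mkdir(parents=True)
    with (app_dir / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(plist, fh)
    return app_dir


def demo() -> dict[str, list[str]]:
    """Build two constructed bundles in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Decoy: claims to be Finder and carries the Big Sur icon name from the report.
        write_bundle(root, "Finder.app", {
            "CFBundleName": "Finder",
            "CFBundleIdentifier": "com.example.notfinder",  # constructed value
            "CFBundleIconFile": "FinderBigSur.icns",
        })
        # Ordinary third-party app with its own icon: should come back clean.
        write_bundle(root, "MyApp.app", {
            "CFBundleName": "MyApp",
            "CFBundleIdentifier": "com.example.myapp",  # constructed value
            "CFBundleIconFile": "AppIcon.icns",
        })
        return scan_for_impostors(root)


if __name__ == "__main__":
    for bundle, issues in demo().items():
        print(bundle, "->", issues or "clean")
```

Pointing scan_for_impostors at a user’s home directory or an Xcode DerivedData folder turns this into a quick triage sweep; the icon-name check is deliberately narrow (only the two names the report gives), while the name-versus-location check catches the same decoy even if the operators rename the icon file.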
Since XCSSET spreads via tailored Xcode projects, developers who share their projects on GitHub are continuously at risk of passing the infection on to other unsuspecting developers. This opens the possibility of a supply-chain-like attack on developers who use the infected repositories as dependencies in their own projects.