In March 2021, Sentinel Labs researchers became aware of a trojanized Xcode project targeting iOS developers. The project was a malicious version of a legitimate, open-source project available on GitHub that lets iOS programmers use several advanced features for animating the iOS Tab bar.
XCSSET Malware Equipped with New Dangerous Capabilities
Now, a similar campaign is once again targeting Xcode developers, this time with malware built to run on Macs equipped with Apple’s new M1 chips. The malware is also capable of stealing sensitive information from cryptocurrency applications.
Newer XCSSET variants are compiled for Apple M1 chips, Kaspersky research revealed last month. This is a clear sign that the malware operators are adapting their malware to fit the latest Apple technologies.
Other improvements include the malware’s capability to target the latest macOS versions:
The malware’s latest modules, such as the new icons.php module, introduce changes to the icons to fit the victim’s OS. For example, a fake Finder icon for macOS versions 10.15 and lower has a downloaded icon file named Finder.icns with square corners, whereas macOS 11.1 has a downloaded icon file named FinderBigSur.icns with rounded corners to mimic the ones used in Big Sur.
In other words, the malware can also create imitation apps for Big Sur, created from malicious AppleScript files, in which icon files are downloaded from a command-and-control server. The malware then modifies their info.plist files “so that the fake app’s icon is convincingly disguised as that of the legitimate app it’s trying to imitate,” Trend Micro says.
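A defender-side way to look for the imitation apps described above is to read each bundle’s Info.plist and combine weak signals: the main executable is the AppleScript applet runtime, the icon file is one of the Finder icon names named on this page, and the bundle borrows a system app name while living outside the system application folders. The following is an added example, not code from the page or from any vendor’s product; the list of system app names, the scoring rule and the demo bundles it builds in a temporary directory are assumptions for illustration.

```python
import os
import plistlib
import tempfile
from typing import Dict, Optional

# Icon file names this page reports being downloaded for fake Finder apps.
MIMIC_ICON_NAMES = {"Finder.icns", "FinderBigSur.icns"}
# Assumption: an illustrative set of names an imitation app might borrow.
SYSTEM_APP_NAMES = {"Finder", "Safari", "Mail", "System Preferences"}
# Directories where genuine Apple apps live on macOS.
SYSTEM_APP_DIRS = ("/System/Library/CoreServices", "/System/Applications", "/Applications")


def inspect_bundle(app_path: str) -> Optional[Dict]:
    """Return findings for one .app bundle, or None if it has no Info.plist."""
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    if not os.path.isfile(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        info = plistlib.load(fh)

    executable = info.get("CFBundleExecutable", "")
    icon = info.get("CFBundleIconFile", "")
    # CFBundleIconFile frequently omits the extension; normalise for comparison.
    icon_name = icon if icon.endswith(".icns") or not icon else icon + ".icns"
    name = info.get("CFBundleName") or os.path.splitext(os.path.basename(app_path))[0]

    findings = []
    if executable == "applet":          # the AppleScript applet runtime binary
        findings.append("applescript-applet")
    if icon_name in MIMIC_ICON_NAMES:
        findings.append("finder-icon")
    if name in SYSTEM_APP_NAMES and not app_path.startswith(SYSTEM_APP_DIRS):
        findings.append("system-name-outside-system-dir")

    return {
        "path": app_path,
        "name": name,
        "executable": executable,
        "icon": icon_name,
        "findings": findings,
        # Assumption: an applet that also borrows Finder's icon or a system
        # app's name is worth a closer look; a lone applet is not.
        "suspicious": "applescript-applet" in findings and len(findings) > 1,
    }


def build_demo_bundle(root: str, app_name: str, info: Dict) -> str:
    """Construct a minimal .app layout with the given Info.plist (test fixture)."""
    app = os.path.join(root, app_name + ".app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"), exist_ok=True)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return app


def demo() -> Dict[str, Dict]:
    """Inspect one constructed imitation bundle and one ordinary bundle."""
    with tempfile.TemporaryDirectory() as root:
        fake = build_demo_bundle(root, "Finder", {
            "CFBundleName": "Finder",
            "CFBundleExecutable": "applet",
            "CFBundleIconFile": "FinderBigSur",
        })
        benign = build_demo_bundle(root, "MyTool", {
            "CFBundleName": "MyTool",
            "CFBundleExecutable": "MyTool",
            "CFBundleIconFile": "AppIcon",
        })
        return {"fake": inspect_bundle(fake), "benign": inspect_bundle(benign)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["findings"], "suspicious" if result["suspicious"] else "ok")
```

The check deliberately reports the individual findings alongside the verdict, so an analyst can see which signal fired; on a real machine you would call `inspect_bundle` on every `.app` under the user’s home and Applications folders rather than on the constructed fixtures.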
Since XCSSET spreads via tailored Xcode projects, developers who clone and build infected projects are at risk of infection, and by sharing those projects on GitHub they further infect other unsuspecting developers. This creates the possibility of a supply-chain-like attack on developers who use the infected repositories as dependencies in their own projects.
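Because the infection path is the project file itself, a practical pre-build check is to audit a cloned project’s project.pbxproj for Run Script build phases and surface their contents before opening the project in Xcode. The following is an added example, not code from the page, and it assumes for illustration that malicious code would be carried in a shell-script build phase (this page does not state how XCSSET modifies the project); the sample pbxproj fragment, its shortened object IDs and the indicator patterns are constructed.

```python
import re
import sys
from typing import Dict, List

# Constructed sample: a fragment of an Xcode project.pbxproj (old-style plist
# syntax) with one benign script phase and one phase that decodes and runs
# base64 content. Object IDs are shortened placeholders.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run SwiftLint";
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "echo aGVsbG8= | base64 -d | bash\n";
		};
		AA03 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = (
			);
		};
	};
}
'''

# Assumption: illustrative indicators of a script worth reading by hand,
# not a complete detection rule set.
SUSPICIOUS_PATTERNS = [
    ("base64", r"\bbase64\b"),
    ("network-fetch", r"\b(curl|wget)\b"),
    ("pipe-to-shell", r"\|\s*(ba|z)?sh\b"),
    ("eval", r"\beval\b"),
    ("applescript", r"\bosascript\b"),
    ("hidden-path", r"/\.[A-Za-z]"),
]


def _unescape(value: str) -> str:
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def audit_script_phases(pbxproj_text: str) -> List[Dict]:
    """List every PBXShellScriptBuildPhase with its script and matched indicators."""
    results = []
    for m in re.finditer(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", pbxproj_text):
        # Walk back to the object's opening "= {" and forward to its closing "};".
        start = pbxproj_text.rfind("= {", 0, m.start())
        end = pbxproj_text.find("};", m.end())
        header = pbxproj_text[pbxproj_text.rfind("\n", 0, start) + 1:start]
        body = pbxproj_text[start:end]

        id_match = re.match(r"\s*(\w+)", header)
        name_match = re.search(r'\bname\s*=\s*"([^"]*)"\s*;', body)
        script_match = re.search(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', body, re.S)
        script = _unescape(script_match.group(1)) if script_match else ""

        flags = [label for label, pat in SUSPICIOUS_PATTERNS if re.search(pat, script)]
        if any(len(line) > 200 for line in script.splitlines()):
            flags.append("long-line")   # typical of embedded encoded payloads

        results.append({
            "id": id_match.group(1) if id_match else "?",
            "name": name_match.group(1) if name_match else "(unnamed)",
            "script": script,
            "flags": flags,
        })
    return results


def audit_project_file(path: str) -> List[Dict]:
    """Convenience wrapper: audit a project.pbxproj on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_script_phases(fh.read())


if __name__ == "__main__":
    phases = audit_project_file(sys.argv[1]) if len(sys.argv) > 1 else audit_script_phases(SAMPLE_PBXPROJ)
    for phase in phases:
        print(f"{phase['id']} {phase['name']}: flags={phase['flags']}")
        print("  " + phase["script"].strip().replace("\n", "\n  "))
```

Run it against `MyProject.xcodeproj/project.pbxproj` of a freshly cloned repository; every script phase is printed in full, so even an unflagged phase can be read before the first build runs it.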