What Mac Users Should Know About New XCSSET Malware

If you are a Mac developer, or you like to try out new applications by building them from Xcode projects, you need to be aware of a serious type of malware: XCSSET.

Cybersecurity company Trend Micro has published a report detailing how attackers can use XCSSET to hijack a user’s browser and steal their identity, account passwords, and stored payment information. But it is not just the potential severity of the attack that makes this malware so serious; it also uses a new way of getting onto the user’s device.

XCSSET is installed via a Trojan that hides itself in Xcode projects. For those who don’t know, Xcode is a free development tool used to build Apple apps on the Mac, and Xcode projects are turned into apps that you run on your devices using a process called “building”.

When a developer builds an application from an infected Xcode project, the Trojan invisibly launches malicious code that installs XCSSET on the developer’s system. Trend Micro says it is unclear where these modified projects come from, but developers may inadvertently distribute XCSSET by sharing Xcode projects without realizing that they are infected.

Despite the immediate threat to developers, ordinary users are also at risk. Many open source Mac apps are distributed as Xcode projects that users can download and build themselves – and as soon as the trojan runs, it’s game over, buddy.
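Because Xcode runs the shell scripts stored in a project’s “Run Script” build phases every time you build, one practical check before building an unfamiliar project is to list those scripts and look for anything that decodes or fetches and executes content. The following is an added example, not code from the Trend Micro report; it assumes the plain-text layout of a `project.pbxproj` file (an `isa = PBXShellScriptBuildPhase;` block with a `shellScript` string) and uses a constructed sample rather than a real XCSSET project.

```python
import re

# Constructed excerpt of a project.pbxproj file (not a real XCSSET sample): one
# ordinary Sources phase and one Run Script phase that decodes and executes
# hidden content during the build.
SAMPLE_PBXPROJ = r'''
		AB12 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = ( );
		};
		CD34 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "echo ZWNobyBoaQo= | base64 -d | sh\n";
		};
'''

# Matches each Run Script build phase; "name" is the comment after the object id.
PHASE_RE = re.compile(
    r'(\w+) /\* (?P<name>[^*]*) \*/ = \{\s*isa = PBXShellScriptBuildPhase;'
    r'(?P<body>.*?)\};', re.S)
# Pulls the quoted shellScript value out of a phase body (handles \" and \n).
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)

# Fragments a reviewer would want flagged inside a build-time script.
SUSPICIOUS = ("base64", "curl ", "eval", "osascript", "chmod +x", "| sh", "| bash")


def extract_script_phases(pbxproj_text):
    """Return [(phase_name, script_text)] for every Run Script phase found."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj_text):
        s = SCRIPT_RE.search(m.group("body"))
        script = s.group(1).replace('\\"', '"').replace("\\n", "\n") if s else ""
        phases.append((m.group("name"), script))
    return phases


def audit(pbxproj_text):
    """Return one finding per script phase with the indicators it matched."""
    findings = []
    for name, script in extract_script_phases(pbxproj_text):
        hits = [k for k in SUSPICIOUS if k in script]
        findings.append({"phase": name, "script": script, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PBXPROJ):
        print(f["phase"], "->", f["indicators"] or "no indicators")
        print(f["script"])
```

Run it against a real project with `audit(open("App.xcodeproj/project.pbxproj").read())`; any phase that matches should be read by hand before you build.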

How bad is XCSSET?

According to a report from Trend Micro, here’s what XCSSET does after installation:

  • Exploits a vulnerability to read and reset Safari cookies
  • Uses a development version of Safari to inject JavaScript backdoors into websites through a Universal Cross-Site Scripting (UXSS) attack
  • Steals information from the user’s Evernote, Notes, Skype, Telegram, QQ and WeChat apps
  • Takes screenshots of the user’s current screen
  • Uploads files from the infected machine to a server specified by the attacker
  • Encrypts files and displays a ransom note on command from the server

Trend Micro also states that a “UXSS” malware attack is theoretically capable of hijacking a user’s web browser in a variety of ways, including:

  • Changing the websites that are displayed
  • Changing or replacing Bitcoin and other cryptocurrency addresses
  • Stealing credentials for amoCRM, Apple ID, Google, PayPal, SIPMarket and Yandex
  • Stealing credit card information from the Apple Store
  • Blocking the user from changing passwords, while also stealing recently changed passwords
  • Capturing screenshots of specific sites the user visits

How to avoid XCSSET malware for Mac

XCSSET malware is intimidating – and damn clever – but ordinary users can avoid it in most cases. Only download apps from official app stores and other trusted sources, and use comprehensive anti-malware software. Yes, even on your Mac.

Developers need to be careful about how and where they share and access Xcode projects. Since modified project files are difficult to detect and no one knows exactly where the trojan came from, even legitimate and reliable sources could be compromised; even so, you should stick to those trusted sources. For those interested, the Trend Micro report includes a brief white paper explaining how XCSSET works, which can help keep your projects secure.
