XCSSET: New Mac malware infects Xcode projects

Security researchers have discovered an interesting new variety of macOS malware that spreads by attacking Xcode projects. It’s called XCSSET, and in this article, we’ll tell you what you need to know about this unusual threat in order to stay safe.

What is XCSSET?

XCSSET is a suite of malicious components that spreads through infected Xcode projects.

Xcode is a tool used by app developers to write software for Apple platforms. An Xcode “project” simply refers to the repository of files, information, and resources that are used to build an app for deployment.

If an Xcode project has been infected with XCSSET, and is used to assemble an app for distribution, the malicious code — unbeknownst to the developer and their end users — will be included in the official version of the app! When the app is run, the malicious code will execute.

In addition, because developers often share their Xcode projects with one another through public code repositories such as GitHub, an unsuspecting developer may inadvertently incorporate an infected Xcode project into their own app, thereby helping XCSSET to spread even more widely.

How does XCSSET work?

There’s one big unknown surrounding XCSSET: At the moment, no one is quite sure how it infects Xcode projects in the first place! But that rather significant mystery aside, we do know a good deal about how it works.

Once an infected app is run, XCSSET’s malicious code contacts a command-and-control (C&C) server operated by the bad guys. The malware downloads its main malicious payload from the server, and then the real attack begins.

XCSSET first sends basic system information back to the C&C server, and kills a number of web browser-related processes. It then uses macOS’s osacompile command to build fake versions of well-known apps like Safari. It uses a few other tricks to make the fake apps appear genuine, in the hopes that the user will launch them so they can perform malicious actions. The malware also leverages a couple of 0-day vulnerabilities to expand its capabilities. The end result is a feature-rich suite of malicious tools that can be controlled remotely by the attackers.

How does XCSSET affect Mac users?

XCSSET is a powerful piece of malware that has the potential to wreak havoc on an infected Mac. Here is an overview of its major capabilities:

Data theft and Surveillance

XCSSET uses one of its 0-day exploits (having to do with the macOS data protection mechanism known as Data Vaults) to read and steal Safari cookies. A second 0-day (related to a flaw in Safari for WebKit Development) can be leveraged to steal the user’s Apple ID, Google, and PayPal credentials, as well as credentials for several other services. The same exploit also allows the malware to abscond with user credit card data associated with the Apple Store.

In addition, XCSSET contains modules capable of exfiltrating user data from popular note-taking apps like Evernote and Notes, as well as messaging apps like 

Skype, Telegram, WeChat, and QQ. It can also take screenshots of the user’s system and of certain websites.

Code injection

Using the aforementioned Safari for WebKit Development 0-day, XCSSET is able to inject JavaScript code into the user’s current Safari page, changing the appearance of the webpage. This capability can be used to swap out cryptocurrency addresses, steal newly modified credentials, and otherwise manipulate the content of a webpage to the attackers’ specifications. 

The technical brief provided by the security researchers who discovered XCSSET says that the malware can perform code injection on other major browsers as well.

Ransomware

In addition to the above capabilities, this malware also appears to contain ransomware modules that allow it to encrypt files on an infected system and display a ransom note, if it receives a command to do so from its C&C server. While still relatively uncommon on macOS, ransomware is a growing threat to the platform, as evidenced by XCSSET and other recently discovered malware.

How can I stay safe?

So far, XCSSET has only been found in a few places online. But given the aforementioned possibility of propagation through GitHub repositories, and the malware’s powerful set of features, this threat is nothing to take lightly.

The best way to protect yourself is to only download apps from two places: the Mac App Store, and the official websites of reputable, well-established developers who you know and trust. Apple will be able to scan new apps submitted to the App Store for malicious code; and seasoned, security-conscious developers will already be aware of this issue and will be checking and rechecking their own Xcode projects for any signs of trouble.

In addition, you should use a reliable, regularly updated anti-malware tool that can detect and stop XCSSET. MacScan 3 has already been updated with definitions for XCSSET, and is available as a 30-day free trial if you’d like to scan your system for peace of mind.