Table of Contents
  • Home
  • /
  • Blog
  • /
  • How Are Threat Actors Abusing Apple’s TCC Protection Using XCSSET Malware Attacks?
June 7, 2021

How Are Threat Actors Abusing Apple’s TCC Protection Using XCSSET Malware Attacks?

How Are Threat Actors Abusing Apples Tcc Protection Using Xcsset Malware Attacks

Apple Releases Patches to Counter New Zero-day XCSSET Malware Attacks on macOS Apple has recently released security updates for macOS, tcOS, watchOS, iOS, and Safari web browser to fix several vulnerabilities, including an actively exploited zero-day vulnerability in macOS. This critical bug in macOS could be manipulated to take screenshots of someone’s system and take images of their activities without the person knowing it.

The company recognized that the XCSSET malware attacks were used to access the macOS privacy protection. Apple said that it knows that the security problems may have been actively manipulated. However, it neither provided attack details nor the threat actors’ information who may have exploited zero-day attacks.

According to Bleeping Computer, there are three cases when the tech giant Apple has experienced vulnerability issues. Two of these zero-day attacks, CVE-2021-30663, and CVE-2021-30665 affected the WebKit of Apple TV 4K and TV HD devices. However, the third zero-day attack, CV-2021-30713, impacted the macOS Big Sur devices, and there is a permission problem found in the TCC framework.

What Do We Know About XCSSET Malware Attacks?

In August 2020, Trend Micro revealed a new strain of XCSSET malware. It was developed and written in AppleScript, a scripting language developed by Apple. It provides control over the script-enabled Mac application. 

One of the most significant features of the XCSSET malware attack is that it leveraged two zero-days exploits. One is protected by the system integrity protection to steal the safari browser cookies, while the other one is used to omit prompts to install the safari application’s browser version. XCSSET malware attack is capable of the following actions.

  • It abuses the existing Safari and other browsers to steal user data using exploits.

  • It uses vulnerability to read and discard the Safari cookies.

  • It uses the development version of Safari to inject JavaScript code into websites using a Universal Cross-site Scripting attack.

  • It uploads files from the infected machines to the hacker’s specified server.

  • It encrypts files and displays a ransom note if the server commands.

  • It takes screenshots of the target’s current screen.

Who Is the Primary Target of XCSSET Malware Attacks?

The XCSSET malware attacks target the Mac developers by infecting Xcode projects to exploit two zero-day vulnerabilities for stealing sensitive information and launching ransomware attacks to targeted systems. XCSSET malware is now re-engineered and aimed at Apple’s latest M1 chips. Its new variant implements advanced features to steal data focused on cryptocurrency applications.

According to Trend Micro, the malware can steal information associated with the applications, including Evernote, Notes, Telegram, QQ, Skype, and WeChat applications. It can also launch Universal Cross-site Scripting attacks to inject malicious JavaScript code into the browser and change the user’s browser experience. XCSSET attack allows the malware to replace cryptocurrency addresses and steal the login credentials for online services. These include Apple ID, amoCRM, Paypal, Google, Yandex, and SIPMarket.

What Is TCC Protection?

The Transparency, Consent, and Control (TCC) framework is a macOS subsystem that blocks the installed applications from accessing the user’s sensitive information without asking permissions explicitly through a pop-up message. An example of active TCC is storing files in the documents directory, recording keystrokes, and capturing screenshots. When an application tries to perform such actions, a prompt is shown to the user asking whether to grant or deny permissions. 

In some cases, users are required to authorize permissions to the applications. Upon granting permissions, they are now free to act without asking the user until they manually disable it in the privacy settings. Attackers can exploit this vulnerability by using malicious applications to bypass user privacy preferences and access sensitive data. Jamf researchers found that macOS zero-day vulnerability was used by the XCSSET malware attack to avoid Apple’s TCC protections designed to protect the user’s privacy.

How Are Threat Actors Abusing Apple’s TCC Protection Using XCSSET Malware Attacks?

While Apple did not give details about the zero-day attacks, Jamf researchers found that the patched macOS zero-day, CV-2021-30713, was used by the threat actors to target the Bypass TCC protection developed to protect user privacy.

  1. The zero-day flaw allowed attackers to exploit the devices by taking the form of the AppleScript module.

  2. XCSSET malware is installed to use the permissions that have been granted to troganized applications and exfiltrate sensitive information. 

  3. They specifically use the malware checked for screen capturing permissions from applications, such as Discord, Zoom, WhatsApp, Upwork, TeamViewer, and Skype, injecting malware into the application’s folder.

  4. The attacker can dispose of that donor app while creating a malicious application to execute on the target devices by using an installed application with a proper permission set.

Vulnerabilities Targeted by XCSSET Malware Attacks

The XCSSET malware has been found in the Xcode projects leading to a tight spot of malicious payloads. Xcode is an integrated development environment (IDE) to develop Apple-related applications and software. Unusual infection in the developer’s project included the discovery of zero-day vulnerabilities. These Xcode projects have been modified. For example, on building, these projects run a malicious code that eventually leads to the XCSSET malware attack being run on the affected machine.

The second vulnerability is due to how Safari WebKit operates. Generally, launching a kit requires the user to submit a password. But a bypass was discovered that could be used to perform malicious tasks through the un-sandboxed Safari browser, which appears to perform hijacking.

  • CVE-2021-30663: An integer overflow issue in WebKit, that could lead to achieving arbitrary code execution when processing a maliciously crafted web content.

  • CVE-2021-30665: A memory corruption issue in WebKit, which could be exploited to arbitrary code execution when processing maliciously crafted web content.

The Indicators of Compromise (IoCs) Associated With XCSSET Malware Attacks

During research conducted by Jamf, they found multiple hashes that were unidentified by Virus Toral previously. Apple’s built-in malware detector, XProtect, already detected some of the hashes discovered by Jamf. However, additional hashes identified by the Jamf team as being the XCSSET malware found their way to Github that compromise the affected repositories. The affected executables have been noticed as having one of the five possible filenames in the Xcode project.Here is a list of command and control domains.

  • trendmicronano[.]com

  • adoberelations[.]com

  • findmymacs[.]com

  • statsmag[.]com

  • flixprice[.]com

  • adobestats[.]com

  • icloudserv[.]com

  • titiez[.]com

  • atecasec[.]com

  • statsmag[.]xyz

  • sidelink[.]xyz

  • monotel[.]xyz

  • mantrucks[.]xyz

  • nodeline[.]xyz

  • linebrand[.]xyz

Tips To Remove XCSSET Malware

It is advisable to use trustworthy and official download sources to get rid of XCSSET malware attacks. Here are some tips you can follow.

Update Patch

You can avoid the XCSSET malware attacks by updating the macOS. Malwarebytes doubts that Sierra 10.12.2 includes a patch to solve this issue because up-to-date systems are less vulnerable to these kinds of attacks.

Remove Unwanted Browser Extensions.

Remove malicious extensions from the Safari browser. Open the menu bar and select “Preferences” from the Safari browser. Then select “Extensions” from the preferences windows and find recently installed suspicious extensions. Click on the “Uninstall” to get rid of all XCSSET extensions or adware from the browser.

Remove Potentially Unwanted Applications.

Remove unwanted applications or your “Applications” folder. Look for suspicious applications and drag them to the trash. After removing unwanted apps that can cause malicious ads, scan your Mac for the remaining unwanted components.

Thanks for reading this post. Please visit our site to read more interesting things like this:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Cloud & OS Platforms

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription