Monday, September 9, 2024
HomemacOSMac Malware That Spreads via Xcode Projects Adapts to macOS 11 &...

Mac Malware That Spreads via Xcode Projects Adapts to macOS 11 & M1-based Macs

Published on

The cybersecurity researchers have recently detected a malware campaign, and as per the experts, the campaign is using the Xcode development environment.

The campaign is now continuously targeting the new Apple M1 chips and enables data to be stolen from cryptocurrency wallet applications.

After a proper investigation, the analysts came to know that XCSSET malware is behind the campaign, furthermore, this is not the first time when experts detect such malware.

- Advertisement - EHA

XCSSET malware was initially detected in August 2020, and from then it is continuously targetting software developers, for data stealing.

XCSSET generally repackaged all the payload modules that are presented as legitimate Mac apps, which would later end up affecting the local Xcode projects.

However, it mainly injects the primary payload so that it can easily execute while building a negotiated project.

C&C domains

  • Titian[.]com
  • Findmymacs[.]com
  • Statsmag[.]com
  • Statsmag[.]xyz
  • Adoberelations[.]com
  • Trendmicronano[.]com

Payloads of XCSSET

bootstrap.applescript: This payload is also known as binary Pods, the security researchers affirmed that this payload contains the logic to call other malicious AppleScript modules.

replicator.applescript: The experts have studied this payload and declared that it is responsible for injecting all the local Xcode projects along with malicious code.

agent.php: This payload, has been hosting many of the codes that are used in handling requests to manage browsers, and it has been confirmed in an analysis that has been done by the experts.

Prominent changes for macOS 11 Big Sur

Apple has been doing prominent changes to keep updating its device, that’s why it has released its operating system, Big Sur, and along with that a new Mac product that has equipped with ARM-based M1 processors. 

However, rather than appending support for the M1 chip, the XCSSET malware has currently taken some other actions to implement macOS 11 Big Sur.

According to the Trend Micro report, the software with x86_64 architecture can still work on macOS 11, and along with the help of Rosetta 2, there has been an emulator which was built into Big Sur.

Browsers used to carry out UXSS attacks

The browser used by the threat actors to carry out UXSS attacks are, mentioned below:-

  • Microsoft Edge
  • Google Chrome
  • Brave
  • Opera
  • Mozilla Firefox
  • Yandex Browser
  • Qihoo 360 Browser

New Findings on the Landing Mach-O File

After investigating the whole campaign the analysts have detected that all the binary files that were downloaded straight from the C&C server have already changed from Mach-O files.

The experts have pronounced that the C&C servers along with an x86_64 architecture to universal binary files including both x86_64 and ARM64 architectures contain three notable exceptions: “cat” and “Pods” are landing Mach-O binary files.

After a proper analysis, the researchers came to know that the Mach-O binary files were triggered by infected Xcode projects.

According to the distribution of XCSSET through a negotiated Xcode projects is a very big threat to the developers. Moreover, the developers who got affected have posted all their works on GitHub.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Apple Tightens macOS Gatekeeper Controls in macOS Sequoia

Apple has announced changes to its macOS Gatekeeper security feature with the release of...

Malicious Python Package Attacking macOS Developers To Steal Google Cloud Logins

Hackers continuously exploit malicious Python packages to attack developer environments and inject harmful code...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...