The cybersecurity researchers have recently detected a malware campaign, and as per the experts, the campaign is using the Xcode development environment.
The campaign is now continuously targeting the new Apple M1 chips and enables data to be stolen from cryptocurrency wallet applications.
After a proper investigation, the analysts came to know that XCSSET malware is behind the campaign, furthermore, this is not the first time when experts detect such malware.
XCSSET malware was initially detected in August 2020, and from then it is continuously targetting software developers, for data stealing.
XCSSET generally repackaged all the payload modules that are presented as legitimate Mac apps, which would later end up affecting the local Xcode projects.
However, it mainly injects the primary payload so that it can easily execute while building a negotiated project.
Payloads of XCSSET
bootstrap.applescript: This payload is also known as binary Pods, the security researchers affirmed that this payload contains the logic to call other malicious AppleScript modules.
replicator.applescript: The experts have studied this payload and declared that it is responsible for injecting all the local Xcode projects along with malicious code.
agent.php: This payload, has been hosting many of the codes that are used in handling requests to manage browsers, and it has been confirmed in an analysis that has been done by the experts.
Prominent changes for macOS 11 Big Sur
Apple has been doing prominent changes to keep updating its device, that’s why it has released its operating system, Big Sur, and along with that a new Mac product that has equipped with ARM-based M1 processors.
However, rather than appending support for the M1 chip, the XCSSET malware has currently taken some other actions to implement macOS 11 Big Sur.
According to the Trend Micro report, the software with x86_64 architecture can still work on macOS 11, and along with the help of Rosetta 2, there has been an emulator which was built into Big Sur.
Browsers used to carry out UXSS attacks
The browser used by the threat actors to carry out UXSS attacks are, mentioned below:-
- Microsoft Edge
- Google Chrome
- Mozilla Firefox
- Yandex Browser
- Qihoo 360 Browser
New Findings on the Landing Mach-O File
After investigating the whole campaign the analysts have detected that all the binary files that were downloaded straight from the C&C server have already changed from Mach-O files.
The experts have pronounced that the C&C servers along with an x86_64 architecture to universal binary files including both x86_64 and ARM64 architectures contain three notable exceptions: “cat” and “Pods” are landing Mach-O binary files.
After a proper analysis, the researchers came to know that the Mach-O binary files were triggered by infected Xcode projects.
According to the distribution of XCSSET through a negotiated Xcode projects is a very big threat to the developers. Moreover, the developers who got affected have posted all their works on GitHub.