The cybersecurity researchers have recently detected a malware campaign, and as per the experts, the campaign is using the Xcode development environment.
The campaign is now continuously targeting the new Apple M1 chips and enables data to be stolen from cryptocurrency wallet applications.
After a proper investigation, the analysts came to know that XCSSET malware is behind the campaign, furthermore, this is not the first time when experts detect such malware.
XCSSET malware was initially detected in August 2020, and from then it is continuously targetting software developers, for data stealing.
XCSSET generally repackaged all the payload modules that are presented as legitimate Mac apps, which would later end up affecting the local Xcode projects.
However, it mainly injects the primary payload so that it can easily execute while building a negotiated project.
bootstrap.applescript: This payload is also known as binary Pods, the security researchers affirmed that this payload contains the logic to call other malicious AppleScript modules.
replicator.applescript: The experts have studied this payload and declared that it is responsible for injecting all the local Xcode projects along with malicious code.
agent.php: This payload, has been hosting many of the codes that are used in handling requests to manage browsers, and it has been confirmed in an analysis that has been done by the experts.
Apple has been doing prominent changes to keep updating its device, that’s why it has released its operating system, Big Sur, and along with that a new Mac product that has equipped with ARM-based M1 processors.
However, rather than appending support for the M1 chip, the XCSSET malware has currently taken some other actions to implement macOS 11 Big Sur.
According to the Trend Micro report, the software with x86_64 architecture can still work on macOS 11, and along with the help of Rosetta 2, there has been an emulator which was built into Big Sur.
The browser used by the threat actors to carry out UXSS attacks are, mentioned below:-
After investigating the whole campaign the analysts have detected that all the binary files that were downloaded straight from the C&C server have already changed from Mach-O files.
The experts have pronounced that the C&C servers along with an x86_64 architecture to universal binary files including both x86_64 and ARM64 architectures contain three notable exceptions: “cat” and “Pods” are landing Mach-O binary files.
After a proper analysis, the researchers came to know that the Mach-O binary files were triggered by infected Xcode projects.
According to the distribution of XCSSET through a negotiated Xcode projects is a very big threat to the developers. Moreover, the developers who got affected have posted all their works on GitHub.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…