XCSSET Mac spyware spreads via Xcode Projects

Pierluigi Paganini August 15, 2020

A new Mac malware, tracked as XCSSET, spreads through Xcode projects and exploits two zero-day vulnerabilities, experts warn.

XCSSET is a new Mac malware that spreads through Xcode projects and exploits two zero-day vulnerabilities to steal sensitive information from target systems and launch ransomware attacks.

The first zero-day issue is used to steal cookies via a flaw in the behavior of Data Vaults, while the second one is used to abuse the development version of Safari.

According to Trend Micro, the threat allows to steal data associated with popular applications, including Evernote, Skype, Notes, QQ, WeChat, and Telegram. The malware also allows attackers to capture screenshots and exfiltrate stolen documents to the attackers’ server.

The malware also implements ransomware behavior, it is able to encrypt files and display a ransom note.

Experts observed that the threat is injected into local Xcode projects so that when the project is built, the malware is executed. Xcode developers are at risk.


Trend Micro has identified affected developers who shared their projects on GitHub, potentially resulting in a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects.

“This threat primarily spreads via Xcode projects and maliciously modified applications created from the malware. It is not yet clear how the threat initially enters these systems. Presumably, these systems would be primarily used by developers. These Xcode projects have been modified such that upon building, these projects would run a malicious code.” reads the analysis published by Trend Micro. “This eventually leads to the main XCSSET malware being dropped and run on the affected system. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.”

The malware is also able to launch universal cross-site scripting (UXSS) attacks in an effort to inject JavaScript code into the browser while visiting specific websites and changing user’s browser experience. This behavior allows the malicious code to replace cryptocurrency addresses, and steal credentials for online services (amoCRM, Apple ID, Google, Paypal, SIPMarket, and Yandex) and payment card information from the Apple Store.

Trend Micro discovered two Xcode projects injected with the XCSSET Mac Malware, one on July 13 and one on July 31.

The analysis of the C&C server revealed a list of 380 victim IP addresses, most of them in China (152) and India (103). However.

“With the OS X development landscape rapidly growing and improving – as proven by news on the latest Big Sur update, for instance – it’s no surprise that malware actors now also leverage both aspiring and seasoned developers alike for their own benefit. Project owners should continue to triple-check the integrity of their projects in order to definitely nip unwarranted problems such as a malware infection in the future.” concludes the report.

Technical details about the threat, including Indicators of Compromise, are included in the report published by the experts.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, XCSSET)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment