New MacOS Malware Infects Users Through Xcode

How does it work?

• Upon infection, the malware can hijack the Safari Browser and inject various Javascript payloads, that are capable of stealing credentials, financial data, personal information, as well as deploy second-stage malware.
• The second stage malware, an AppleScript file called main.scpt, can harvest system information, kill some running processes, steal user credentials from Google, Yandex, Amocrm, SIPmarket, PayPal, and Apple ID, as well as steal credit-card data linked in the Apple Store.
• It can also manipulate the browser results, replace cryptocurrency wallet addresses with their own, and replace a Chrome download link with a link to an older version.

Delivery mechanisms

• Attackers were found propagating the malware via Xcode developer projects hosted on GitHub. Attackers had injected malicious code into two of the projects so that any apps built using these projects would be automatically infected with malicious code.
• The malware also uses two zero-day vulnerabilities to propagate further. One vulnerability lies in Data Vault that allows the attackers to bypass the System Integrity Protection (SIP) feature in macOS. Another vulnerability is related to Safari for WebKit Development, which allows the attackers to inject JavaScript code into the development of Safari and other browsers.

Other malware targeting Mac users

• In early July, a new feature-rich malware dubbed Ensiko was detected, that could lock files on Windows, macOS, and Linux web servers running PHP.
• In mid-July, a multi-platform malware framework called “MATA” was discovered targeting Windows, macOS, and Linux platforms, which was linked to the Lazarus APT group.
• Some new and quickly evolving variants of ThiefQuest malware were seen targeting Mac users between June 29 and July 3, with more than 30,000 samples submitted to VirusTotal.

Closing statement