A Mac malware campaign has been targeting Xcode developers with XCSSET malware retooled to add support for Apple's M1 chips. The malware was first spotted in August last year and now has features to steal confidential information from cryptocurrency apps.
In March, Kaspersky researchers uncovered XCSSET samples targeting Apple M1 chips, suggesting that attackers adapted their executables and ported them to run on new Apple Silicon chips.
The malware's C2 server hosts trojanized Safari update packages, and the malware downloads and installs the package matching the victim's macOS version. The set of malicious packages has now been updated to support Safari 14.
It also abuses the remote debugging mode of other browsers, including Opera, Chrome, Brave, Qihoo 360 Browser, Microsoft Edge, Yandex Browser, and Firefox, to perform UXSS attacks. Remote debugging is a legitimate feature rather than a vulnerability, so a browser running with it enabled on a developer machine is worth a second look.
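As an added illustration of the check a defender would run after the paragraph above (this is not code from the malware report, from Kaspersky or from Trend Micro), the script below scans a process listing for the browsers named in the article and flags any that were launched with a remote debugging switch. It assumes remote debugging is turned on by a command-line flag: `--remote-debugging-port` / `--remote-debugging-pipe` on Chromium-based browsers and `--start-debugger-server` on Firefox. The process listing it parses is constructed sample data in the shape of `ps -axo pid,ppid,user,args`; the `live_process_listing()` helper runs the real command on a Mac.

```python
"""Flag browser processes launched with a remote-debugging switch.

Added example, not code from the XCSSET report or the researchers quoted
above. The sample process listing at the bottom is constructed data.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Main-binary names (argv[0] basename inside the .app bundle) for the browsers
# the article lists. Assumption: the macOS bundle layout ".../Contents/MacOS/<name>".
# Helper processes such as "Google Chrome Helper (Renderer)" are deliberately
# not listed, so renderer children are not double-counted.
BROWSER_BINARIES = {
    "Google Chrome", "Brave Browser", "Microsoft Edge", "Opera",
    "Yandex", "360Chrome", "firefox",
}

# Switches that open a remote debugging endpoint:
#   Chromium family: --remote-debugging-port=<n>, --remote-debugging-pipe
#   Firefox:         --start-debugger-server <n> (also --remote-debugging-port)
SWITCH_RE = re.compile(
    r"--(remote-debugging-port|remote-debugging-pipe|start-debugger-server)"
    r"(?:[= ](\S+))?"
)

# Capture the binary name after the last "/Contents/MacOS/" up to the first
# " -switch" or end of line; ps does not quote paths containing spaces.
BINARY_RE = re.compile(r"/Contents/MacOS/([^/]+?)(?=\s+-|\s*$)")


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    browser: str
    switches: Tuple[str, ...]


def parse_ps_line(line: str) -> Optional[Tuple[int, str, str]]:
    """Split one `ps -axo pid,ppid,user,args` row into (pid, user, args).

    Returns None for the header row or anything malformed.
    """
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    pid, _ppid, user, args = parts
    return int(pid), user, args


def find_remote_debug_browsers(ps_output: str) -> List[Finding]:
    """Return one Finding per browser process that carries a debugging switch."""
    findings: List[Finding] = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, user, args = parsed
        match = BINARY_RE.search(args)
        if not match or match.group(1) not in BROWSER_BINARIES:
            continue
        switches = tuple(m.group(0) for m in SWITCH_RE.finditer(args))
        if switches:
            findings.append(Finding(pid, user, match.group(1), switches))
    return findings


def live_process_listing() -> str:
    """Capture the real process table on macOS (same columns as PS_SAMPLE)."""
    return subprocess.run(
        ["ps", "-axo", "pid,ppid,user,args"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample: one clean Safari, one Chrome relaunched with a debugging
# port and a throwaway profile, its renderer child, Firefox with the DevTools
# server, a clean Brave, and Edge using the pipe transport.
PS_SAMPLE = """\
  PID  PPID USER     ARGS
  412     1 dev      /Applications/Safari.app/Contents/MacOS/Safari
 5120   610 dev      /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --remote-debugging-port=9222 --user-data-dir=/tmp/.chrome
 5133  5120 dev      /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/90.0/Helpers/Google Chrome Helper (Renderer).app/Contents/MacOS/Google Chrome Helper (Renderer) --type=renderer
 5201   610 dev      /Applications/Firefox.app/Contents/MacOS/firefox --start-debugger-server 6000
 5310     1 dev      /Applications/Brave Browser.app/Contents/MacOS/Brave Browser
 5402   610 dev      /Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge --remote-debugging-pipe
"""

if __name__ == "__main__":
    for f in find_remote_debug_browsers(PS_SAMPLE):
        print(f"pid={f.pid} user={f.user} browser={f.browser!r} "
              f"switches={' '.join(f.switches)}")
```

Treat a hit as a triage signal, not an indicator of compromise on its own: developers running Selenium, Puppeteer or Playwright start browsers with exactly these switches. What makes a hit interesting is context such as a browser relaunched under a parent that is not the Dock or launchd, or a throwaway profile directory like the one in the sample.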
Furthermore, it tries to steal account information from a range of websites, including the cryptocurrency exchanges Binance and Huobi as well as Envato, NNCall[.]net, and 163[.]com, and it can replace the user's cryptocurrency wallet addresses.
XCSSET is not the first Mac threat to be ported to Apple Silicon: in February, a variant of the Pirrit adware family was found targeting Apple M1 chips.
Infected Xcode projects pose a major security risk since the targeted developers who share their work on GitHub can end up spreading the malware to their users. Additionally, it could lead to a supply-chain attack for others who use these repositories as dependencies in their own projects.