Friday, January 15, 17:07

Malicious Mac software spreads through Xcode projects

Xcode projects are being used to spread a family of Mac malware that specializes in targeting Safari and other browsers.

The XCSSET malware family has been found inside Xcode projects, "leading to a rabbit hole of malicious payloads," Trend Micro said on Thursday.

In a paper (.PDF) examining the wave of attacks, the cybersecurity researchers said that an "unusual" infection of a developer project also led to the discovery of two zero-day vulnerabilities.


Xcode is Apple's free integrated development environment (IDE), used on macOS to develop software for Apple platforms.

Although it is not yet clear how XCSSET finds its way into Xcode projects, Trend Micro says that once it has been integrated, the malware runs when the project is built.

"Obviously, these systems will be used mainly by developers," the team noted. "These Xcode projects have been modified to execute malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system."

Some affected developers have shared their projects on GitHub, which the researchers say could lead to "supply chain-like attacks on users who rely on these repositories as dependencies in their own projects."
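The article only says that the projects were "modified to execute malicious code" at build time and that shared repositories become a supply-chain risk; it does not say which part of the project file carries the modification. The following added example (not from the article or from Trend Micro) assumes, for illustration, that the modification lives in a Run Script build phase, the ordinary Xcode mechanism for running a shell script during a build. It parses the `project.pbxproj` file of an Xcode project, lists every `PBXShellScriptBuildPhase`, and flags scripts that show behaviour a reviewer would want to look at before building a third-party project: execution from hidden paths, downloads or decoding at build time, or a process left running in the background. The sample project file, the object ids (`0A01`, `0A03`) and the heuristics are all constructed for the example.

```python
import re

# Constructed sample of an Xcode project.pbxproj (old-style plist). It holds
# two PBXShellScriptBuildPhase objects: an ordinary lint step and a constructed
# suspicious one that starts a binary from a hidden directory inside the
# project tree and backgrounds it so the build carries on. Nothing here comes
# from a real project.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 50;
    objects = {
        0A01 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        0A02 /* Resources */ = {
            isa = PBXResourcesBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
        };
        0A03 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "\"${SRCROOT}/Assets.xcassets/.meta/x\" >/dev/null 2>&1 &\n";
        };
    };
    rootObject = 0A00;
}
'''

# One pbxproj object whose first key is "isa = PBXShellScriptBuildPhase".
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-F]+)\s*(?:/\*[^*]*\*/\s*)?=\s*\{\s*isa = PBXShellScriptBuildPhase;'
    r'(?P<body>.*?)\n\s*\};',
    re.DOTALL,
)

# Review heuristics (constructed for this example, not a vendor signature set).
SUSPICIOUS = [
    (re.compile(r'/\.[A-Za-z0-9_]'), "references a hidden (dot-prefixed) path"),
    (re.compile(r'\b(curl|wget)\b'), "downloads content at build time"),
    (re.compile(r'base64\s+(-d|-D|--decode)'), "decodes base64 at build time"),
    (re.compile(r'\beval\b'), "uses eval"),
    (re.compile(r'&\s*$', re.MULTILINE), "leaves a background process running"),
]


def _unescape(s):
    """Undo pbxproj string escapes (\\n, \\t, \\", \\\\)."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def _field(body, key):
    """Return the value of `key = value;` from an object body, or None."""
    m = re.search(r'\b' + key + r' = (?:"((?:[^"\\]|\\.)*)"|([^;]+));', body, re.DOTALL)
    if not m:
        return None
    return _unescape(m.group(1)) if m.group(1) is not None else m.group(2).strip()


def find_shell_script_phases(pbxproj_text):
    """List every Run Script build phase with its id, name, shell and script text."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj_text):
        body = m.group('body')
        phases.append({
            "id": m.group('id'),
            "name": _field(body, 'name') or "",
            "shellPath": _field(body, 'shellPath') or "",
            # "0" means the phase runs on every build, not only when archiving.
            "runsOnEveryBuild": _field(body, 'runOnlyForDeploymentPostprocessing') == "0",
            "shellScript": _field(body, 'shellScript') or "",
        })
    return phases


def flag_suspicious(script):
    """Return the human-readable reasons a build script deserves manual review."""
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(script)]


def audit_pbxproj(pbxproj_text):
    """Attach review reasons to every Run Script phase in the project file."""
    return [dict(p, reasons=flag_suspicious(p["shellScript"])) for p in find_shell_script_phases(pbxproj_text)]


if __name__ == "__main__":
    for finding in audit_pbxproj(SAMPLE_PBXPROJ):
        status = "REVIEW" if finding["reasons"] else "ok"
        print(f'{finding["id"]} {finding["name"]!r} [{status}] {"; ".join(finding["reasons"])}')
        print("    " + finding["shellScript"].rstrip().replace("\n", "\n    "))
```

Running the script over a real checkout means reading `MyApp.xcodeproj/project.pbxproj` and passing its text to `audit_pbxproj`; the output is a reviewer's worklist, not a verdict, since a Run Script phase that downloads something at build time may be legitimate in one project and the infection point in another. The heuristics deliberately stay broad: a project pulled from GitHub should be read before it is built, and this only makes the build-time scripts easy to find.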

Once on a vulnerable system, XCSSET goes after browsers, Safari in particular, exploiting vulnerabilities to steal user data.

In the case of Safari, the first of the two bugs is a flaw in Data Vault: a method was found that bypasses the macOS protection applied to Safari's cookie files, via SSHD.

The second vulnerability lies in the way Safari WebKit works. Normally, launching WebKit requires the user to enter their password, but a bypass was found that can be used to perform malicious actions through a Safari instance that runs without a sandbox. Dylib hijacking also appears to be possible.

These security issues allow Safari cookies to be read and dumped, and the cookie data is then used to inject JavaScript-based backdoors into the pages being displayed through a Universal Cross-Site Scripting (UXSS) attack.

Trend Micro believes that the UXSS element of the attack chain could be used not only to steal general user information, but also to modify what the browser shows in order to display malicious websites, change cryptocurrency wallet addresses, harvest Apple Store credit card information, and steal credentials from sources such as Apple ID, Google, PayPal and Yandex.

The malware can also steal a variety of other user data, such as Evernote content and messages from Skype, Telegram, QQ and WeChat.

In addition, XCSSET can capture screenshots, process the collected data and send stolen files to a command-and-control (C2) server, and it also contains a ransomware module for file encryption and extortion.

Only two Xcode projects were found to host the malware, along with 380 victim IP addresses, most of them located in China and India, but the infection vector is still significant.

Teo Ehc