Introduction:
About a month ago the researchers unveiled a notorious malware family. It continued to exploit a never-before-seen drawback in the macOS security defenses. The malware was running unimpeded. Some researchers say that a new malware can sneak onto macOS systems because of another drawback. Jamf says it found evidence that the XCSSET exploits a vulnerability that allows it to excess certain parts of macOS. These parts are the ones that require permission like accessing the microphone or screen recording. And malware accessed these things without user permission.
About the malware history:
XCSSET was first found by Trend Micro in 2020 that targets Apple developers. It specifically targets their Xcode projects that use coding to build apps. It infects doors app development projects. This way the developers unknowingly send the malware to the users. Trend Micro researchers describe this as a “supply chain attack”.
The malware continues to develop while the recent variants target systems running the new M1 chip. As the malware bronze on the victim’s computer, it uses two zero-day days. First, it steals cookies from the Safari browser to access the user’s online accounts. This way the attackers can modify and sneak on virtually any website.
But Jamf says that the malware exploits a previously discovered third zero-day. On this day it starts taking screenshots of the victim’s screen. The Mac OS asks the user for permission before it allows any app to interact with the system. This includes recording the screen or using the microphone or webcam. The malware bypassed the permissions prompt by getting under the radar. It was injecting malicious code into the apps.
The contributing researchers:
Jamf researchers Jarod Bradley, Ferdous Saljooki, and Stuart Ashenbrennwr explain in a blog post. The malware looks for the apps on the victim’s computer that require screen sharing permissions. These apps include Zoom, WhatsApp, and Slack. The malware injects malicious screen recording code into these apps. This allows the code to piggyback the legitimate app and inherit its permissions. Then the malware signs the new app bundle with a fresh certificate to avoid getting a flag from macOS’ in-built security.
The researchers caution that it is not limited to only screen recording. The bug could be used to access the victim’s microphone webcam or capture their keystrokes. This way the passwords for credit card details can be stolen.
