Xcode Malware updated to target M1 Macs

In August 2020, the XCSSET malware campaign was first found targeting Mac developers who use Xcode: it spread through modified Xcode IDE projects and was designed to run its payload when the infected project was built.


XCSSET has now been updated to support the M1 chips in Apple's newest Macs and to extend its ability to steal sensitive information from cryptocurrency applications. Kaspersky researchers discovered XCSSET samples compiled natively for the Apple M1 chip, showing that the malware campaign was not only still underway, but that its operators were actively adapting it to the new Apple Silicon Macs.


The malware's modules can intercept passwords, capture screenshots, inject malicious JavaScript into websites, steal user data from various applications and even encrypt files.


Trend Micro's recent research showed that XCSSET continues to abuse the development version of the Safari browser, using Universal Cross-Site Scripting (UXSS) attacks to install JavaScript backdoors on websites.


Furthermore, the malware also captures account details from other websites, such as the cryptocurrency exchange networks Huobi, Binance, NNCall.net, Envato and 163.com, so that the attacker can replace the address of the victim's cryptocurrency wallet with their own.


The way XCSSET is delivered, through doctored Xcode projects, poses a significant danger because it enables "supply chain-style attacks on users who rely upon the repositories as dependencies in their own projects": developers who unknowingly share an infected project on GitHub can pass the malware on to their own users via the compromised Xcode projects.