Malicious XCSSET malware:
Security researchers at Apple device-management vendor Jamf report that they have found evidence of the XCSSET malware exploiting a macOS vulnerability that gave it access to resources normally gated behind an explicit user-permission prompt (macOS's Transparency, Consent and Control, or TCC, framework).
These include the webcam, the microphone and screen recording.
XCSSET was first discovered in 2020 by security researchers at Trend Micro.
At the time it was found to be infecting Apple Xcode projects, the project files developers use to build applications.
This was especially concerning because an infected Xcode project means the developers themselves unknowingly ship the malware to Apple users inside the apps they build, which makes it a software-supply-chain attack.
The malware has reportedly been under continuous development, and more recent variants also target Macs running Apple's M1 chips.
Once XCSSET is on a vulnerable system, it exploits two zero-day flaws: one to steal cookies from the Safari browser, and the other to install a development version of Safari.
The latter lets the attackers inject code into, and spy on, any website the victim visits.
How the malware operates:
In its latest findings, Jamf notes that XCSSET also exploits a previously unknown third zero-day that lets it capture screenshots without the victim's knowledge, and without the permission prompt macOS would normally show.
Rather than requesting the permission itself, the malware looks for applications on the Mac that have already been granted screen-recording access and injects its own screen-recording code into their app bundles. The injected code then “piggybacks” on those applications and inherits their permissions across macOS.
To avoid being flagged by macOS's built-in code-signing checks, XCSSET signs the newly created app bundle with a new certificate.
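As an added example (not code from Jamf, Trend Micro or the malware itself), the following Python script audits the same inheritance path from the defender's side: it reads which bundle identifiers hold the screen-recording grant in the TCC database and lists any .app bundle nested inside those applications, which is where an injected applet would have to sit to inherit the grant. The TCC.db schema (a simplified subset of the real access table), the application tree, the bundle identifiers and the nested piggyback.app are all constructed sample data so the script runs offline; on a real Mac you would point it at ~/Library/Application Support/com.apple.TCC/TCC.db (reading it requires Full Disk Access) and /Applications.

```python
"""Audit which apps hold the TCC screen-recording grant and whether any of
them contains a nested .app bundle (the donor-app abuse described above).

Added example, not Jamf's, Trend Micro's or the malware's code. The TCC.db
built here uses a simplified subset of the real 'access' table columns, and
the bundle IDs and app tree are constructed sample data."""
import os
import plistlib
import sqlite3
import tempfile

SCREEN_CAPTURE = "kTCCServiceScreenCapture"
ALLOWED = 2  # auth_value macOS 11+ uses for "allowed" (assumption: simplified schema)


def make_sample_tcc_db(path):
    """Constructed TCC.db with a subset of the real 'access' columns."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)")
    rows = [
        (SCREEN_CAPTURE, "us.zoom.xos", 0, 2, 2, 0),                 # granted
        (SCREEN_CAPTURE, "com.tinyspeck.slackmacgap", 0, 0, 2, 0),   # denied
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2, 2, 0),        # other service
        (SCREEN_CAPTURE, "com.example.notes", 0, 2, 2, 0),           # granted
    ]
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    con.commit()
    con.close()


def make_sample_apps(root):
    """Constructed /Applications: clean apps plus one carrying a nested applet."""
    apps = {
        "zoom.us.app": ("us.zoom.xos", None),
        "Notes.app": ("com.example.notes", "Contents/MacOS/piggyback.app"),  # hypothetical
        "Slack.app": ("com.tinyspeck.slackmacgap", None),
    }
    for name, (bundle_id, nested) in apps.items():
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleIdentifier": bundle_id}, f)
        if nested:
            os.makedirs(os.path.join(root, name, nested))


def screen_capture_grants(db_path):
    """Bundle IDs currently allowed to record the screen."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT client FROM access WHERE service=? AND auth_value=?",
                       (SCREEN_CAPTURE, ALLOWED)).fetchall()
    con.close()
    return sorted(r[0] for r in rows)


def bundle_paths(applications_dir):
    """Map CFBundleIdentifier -> app path by reading each app's Info.plist."""
    out = {}
    for name in os.listdir(applications_dir):
        app = os.path.join(applications_dir, name)
        plist = os.path.join(app, "Contents", "Info.plist")
        if os.path.isfile(plist):
            with open(plist, "rb") as f:
                out[plistlib.load(f)["CFBundleIdentifier"]] = app
    return out


def nested_app_bundles(app_path):
    """Every .app directory inside the bundle (legitimate helpers exist; review them)."""
    found = []
    for dirpath, dirnames, _ in os.walk(app_path):
        for d in dirnames:
            if d.endswith(".app"):
                found.append(os.path.relpath(os.path.join(dirpath, d), app_path))
    return sorted(found)


def audit(db_path, applications_dir):
    """For each screen-recording grantee, list nested app bundles to review."""
    paths = bundle_paths(applications_dir)
    report = {}
    for bundle_id in screen_capture_grants(db_path):
        path = paths.get(bundle_id)
        report[bundle_id] = nested_app_bundles(path) if path else []
    return report


def demo():
    """Build the constructed TCC.db and app tree in a temp dir and audit them."""
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "TCC.db")
    apps = os.path.join(tmp, "Applications")
    os.makedirs(apps)
    make_sample_tcc_db(db)
    make_sample_apps(apps)
    return audit(db, apps)


if __name__ == "__main__":
    for bundle_id, nested in demo().items():
        print(f"{bundle_id}: {'REVIEW' if nested else 'ok'} {nested}")
```

The script only lists, it does not judge: many legitimate apps ship helper apps inside their bundle, so the output is a review queue. What makes an entry suspicious is a nested bundle that the vendor did not ship, or one whose signature does not match the parent application's.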
Although the malware was built specifically to bypass the screen-recording permission and capture screenshots, the technique is not limited to screen recording: any permission a donor application already holds could be inherited the same way.
Access to a user's microphone or webcam is just as dangerous.
Beyond the severe privacy breach, it can be used to capture sensitive data such as passwords or financial details.