Apple OS developer supply chain threatened by ‘clever’ malware attack


In an attack described as a “clever” supply-chain threat, XCSSET malware is being injected undetected into programs created by unwitting Xcode Apple developers who share their projects on the GitHub repository.

The “unusual infection” can pilfer infected users’ credentials, accounts and other vital data, according to a blog post from researchers at Trend Micro who discovered the threat.

“It is not yet clear how the threat initially enters these systems,” Trend Micro said of the malware, which appears to inject JavaScript backdoors onto websites via a Universal Cross-site Scripting (UXSS) attack that involves two zero-day exploits. One exploit reads and dumps cookies while another abuses the development version of the Safari browser.

Once present on an affected system, XCSSET can be spread to developers using Apple’s suite of tools for macOS, iOS, iPadOS, watchOS and tvOS, delivering “a rabbit hole of malicious payloads.” According to Trend Micro, XCSSET is capable of stealing data not only from Safari but other installed browsers, as well as the user’s Evernote, Notes, Skype, Telegram, QQ and WeChat apps.

The malware is capable of: taking screenshots of the user’s current screen; uploading files from the affected machines to the attacker’s specified server; and encrypting files and then showing a ransom note if commanded by the server.

“The UXSS attack is theoretically capable of modifying almost every part of the user’s browser experience as arbitrary JavaScript-injected code,” Trend Micro said.

Capabilities include:

  • Modifying displayed websites
  • Modifying/replacing Bitcoin/cryptocurrency addresses
  • Stealing amoCRM, Apple ID, Google, Paypal, SIPMarket, and Yandex credentials
  • Stealing credit card information from the Apple Store
  • Blocking the user from changing passwords but also stealing newly modified passwords
  • Capturing screenshots of certain accessed sites

Trend Micro has provided an accompanying technical brief with full details of the attack.
