In an attack described as a “clever” supply-chain threat, XCSSET malware is being injected undetected into programs created by unwitting Apple developers using Xcode who share their projects on GitHub.
The “unusual infection” can pilfer infected users’ credentials, accounts and other vital data, according to a blog post from researchers at Trend Micro who discovered the threat.
Once present on an affected system, XCSSET can be spread to developers using Apple’s suite of tools for macOS, iOS, iPadOS, watchOS and tvOS, delivering “a rabbit hole of malicious payloads.” According to Trend Micro, XCSSET is capable of stealing data not only from Safari but other installed browsers, as well as the user’s Evernote, Notes, Skype, Telegram, QQ and WeChat apps.
The malware is capable of taking screenshots of the user’s current screen, uploading files from the affected machine to a server specified by the attacker, and encrypting files and then showing a ransom note if commanded by the server. Its other capabilities include:
- Modifying displayed websites
- Modifying/replacing Bitcoin/cryptocurrency addresses
- Stealing amoCRM, Apple ID, Google, Paypal, SIPMarket, and Yandex credentials
- Stealing credit card information from the Apple Store
- Blocking the user from changing passwords but also stealing newly modified passwords
- Capturing screenshots of certain accessed sites
Trend Micro has provided an accompanying technical brief with full details of the attack.