Malware, Vulnerability Management

Malware used zero-day exploit to take screenshots of victims’ Macs


Apple patched a vulnerability that was actively exploited by malware actors to bypass the Transparency Consent and Control (TCC) framework, allowing them to take screenshots of infected victims’ computer desktops without having to even trick them into granting permissions first.

TCC bypasses are serious business. Because the TCC system controls which resources and tools that various applications can gain access to, this particular bypass could have allowed the adversaries to engage in a variety of malicious behaviors beyond just screenshots, according to researchers from Jamf who discovered the flaw.

“Some of our tests showed that the same exploit could be used to bypass prompts that are supposed to display when an application accesses the microphone and webcam, as well as applications that are supposed to display prompts when attempting to access a user’s personal files and folders,” said Jaron Bradley, manager, MacOS detections, in an email interview with SC Media.

"This means that, for example, an actor could create ransomware taking advantage of this bypass and encrypt protected system files and folders without user knowledge," added Erika Noerenberg, senior threat intelligence analyst at Malwarebytes. "This potential and the wide range of access it permits makes this bypass alarming."

Leveraged by a malware program known as XCSSET, the zero-day exploit in question could even allow an attacker to gain Full Disk Access, a Jamf blog post warned this week.

"The malicious software only needs to run the privileged command from within an app that already has those permissions granted in order to inherit them and gain the functionality, e.g., Zoom," Noerenberg continued. "Aside from the access mentioned already, there are many other services and properties that fall under the purview of TCC. Malware could use this bypass to access a user's contacts, calendar, photos or even log keystrokes without [an] alert."

Fortunately, it appears the malware attackers limited use of the exploit to just screenshots, although "new findings are always possible,” said Bradley.

Apple on Monday released an update for MacOS Big Sur that included a patch for the TCC vulnerability, which has been designated CVE-2021-30713. “A malicious application may be able to bypass Privacy preferences,” reads an Apple support webpage, which notes that the issue was addressed through improved validation. “Apple is aware of a report that this issue may have been actively exploited,” the page also notes.

SC Media reached out to Apple for further comment. An Apple spokesperson noted that this issue affected only those users who downloaded malware that had not been blocked. The spokesperson also noted that for software downloaded outside the Mac App Store, the company offers features such as the Apple notary service and XProtect that detect known malware and block it. This reported issue did not compromise those protections.

Jamf’s discovery is the latest example of how non-Windows operating systems are increasingly being targeted and why MacOS users must not get complacent, falsely believing they are safe from or immune to malware threats.

“Attackers are actively researching and abusing vulnerabilities found on macOS,” said Bradley. “Many believe zero days being used on macOS is not something worth worrying about, but this is the second case of malware using zero days that we’ve discovered in the past two months.”

For that matter, the creators of XCSSET have clearly shown an inclination to leverage zero-day exploits as part of their campaigns. The malware, which can deliver multiple payloads, was already known to leverage an exploit that’s capable of stealing cookies via a Data Vaults flaw and another that abuses the development version of Safari.

XCSSET first came to light last August after researchers at Trend Micro found that malicious actors were injecting the malware into Xcode development projects found on GitHub. Developers who borrowed then Xcode from these tainted would then be infected in a supply chain attack.

“The method of distribution used can only be described as clever. Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files,” a Trend Micro bog post noted at the time.

According to Bradley, Xcode remains the distribution method of choice for the attackers, though Trend Micro noted that some CocoaPods projects have also been injected.

Indeed, the XCSSET attackers' motives and behaviors haven't changed much since last summer, Trend Micro acknowledged to SC Media. The company said such tactics include repackaging payload modules "to masquerade as well-known Mac apps;" exploiting popular browsers "to exfiltrate data and [injecting a] malicious JS payload to steal credentials to famous websites; and setting up remote SSH to remotely access a victim's machine.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.