Malware Injected Into Xcode Projects Could Infiltrate Mac App Store
Last week, we reported on a severe new kind of Mac malware that has been found to infect via Xcode, discovered by security researchers at Trend Micro.
In an exclusive interview with #MacRumors, the security researchers behind the discovery, Oleksandr Shatkivskyi and Vlad Felenuik, have provided more information about their research.
The malware, which is part of the XCSSET family, is "an unusual infection" that is injected into Xcode projects. When the project is built, the malicious code is run. This can lead to "a rabbit hole of malicious payloads," and poses a significant risk to Mac users.
Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information and passwords, and block password changes. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.
Shatkivskyi and Felenuik told MacRumors that they believe the XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection. It was found to be present in projects shared on GitHub. This means that developers who rely on repositories could face a supply-chain attack and be unaware that their project has become infected.
Xcode projects infected with the malware can create maliciously modified applications, unbeknownst to the developers who make the apps, and may then distribute them as trojans. Shatkivskyi and Felenuik believe that the Mac App Store review team will be largely unable to detect apps that contain the XCSSET malware. "As an #iOS developer I know how easy it is to fool them and release an app with hidden features," Shatkivskyi said.
Shatkivskyi and Felenuik first approached Apple about the issue as early as December 2019, and they hope that Apple will be decisive and swift in its response to resolving the vulnerability. They suggest that Apple could implement privacy notifications, the likes of which came to iOS 14 and iPadOS 14, to alert Mac users when the malware is active on their systems, in an effort to explicitly alert users to a potential breach.
👀 👉🏼 https://www.macrumors.com/2020/08/24/xcode-malware-infiltrate-app-store/
#XCSSET #xcode #malware #apple #appstore
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Last week, we reported on a severe new kind of Mac malware that has been found to infect via Xcode, discovered by security researchers at Trend Micro.
In an exclusive interview with #MacRumors, the security researchers behind the discovery, Oleksandr Shatkivskyi and Vlad Felenuik, have provided more information about their research.
The malware, which is part of the XCSSET family, is "an unusual infection" that is injected into Xcode projects. When the project is built, the malicious code is run. This can lead to "a rabbit hole of malicious payloads," and poses a significant risk to Mac users.
Specifically, the malware was found to be capable of abusing Safari and other browsers to steal data. It can use a vulnerability to read and dump cookies, create backdoors in JavaScript, and in turn modify displayed websites, steal private banking information and passwords, and block password changes. It was also found to be able to steal information from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, take screenshots, upload files to the attacker's specified server, encrypt files, and display a ransom note.
Shatkivskyi and Felenuik told MacRumors that they believe the XCSSET malware will become extremely common among bad actors who seek to exploit Mac systems. The malware is particularly dangerous because verification methods, such as checking hashes, would not identify infection. It was found to be present in projects shared on GitHub. This means that developers who rely on repositories could face a supply-chain attack and be unaware that their project has become infected.
Xcode projects infected with the malware can create maliciously modified applications, unbeknownst to the developers who make the apps, and may then distribute them as trojans. Shatkivskyi and Felenuik believe that the Mac App Store review team will be largely unable to detect apps that contain the XCSSET malware. "As an #iOS developer I know how easy it is to fool them and release an app with hidden features," Shatkivskyi said.
Shatkivskyi and Felenuik first approached Apple about the issue as early as December 2019, and they hope that Apple will be decisive and swift in its response to resolving the vulnerability. They suggest that Apple could implement privacy notifications, the likes of which came to iOS 14 and iPadOS 14, to alert Mac users when the malware is active on their systems, in an effort to explicitly alert users to a potential breach.
👀 👉🏼 https://www.macrumors.com/2020/08/24/xcode-malware-infiltrate-app-store/
#XCSSET #xcode #malware #apple #appstore
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
MacRumors
Malware Injected Into Xcode Projects Could Infiltrate Mac App Store
Last week, we reported on a severe new kind of Mac malware that has been found to infect via Xcode, discovered by security researchers at Trend...
Malware Spreads Via Xcode Projects Now Targeting Apple's M1-based Macs
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps.
XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload. The malware repackages payload modules to imitate legitimate Mac apps, which are ultimately responsible for infecting local Xcode projects and injecting the main payload to execute when the compromised project builds.
XCSSET modules come with the capabilities to steal credentials, capture screenshots, inject malicious JavaScript into websites, plunder user data from different apps, and even encrypt files for a ransom.
Then in March 2021, Kaspersky researchers uncovered XCSSET samples compiled for the new Apple M1 chips, suggesting that the malware campaign was not only ongoing but also that adversaries are actively adapting their executables and porting them to run on new Apple Silicon Macs natively.
https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html
#malware #xcode #apple #macs
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps.
XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload. The malware repackages payload modules to imitate legitimate Mac apps, which are ultimately responsible for infecting local Xcode projects and injecting the main payload to execute when the compromised project builds.
XCSSET modules come with the capabilities to steal credentials, capture screenshots, inject malicious JavaScript into websites, plunder user data from different apps, and even encrypt files for a ransom.
Then in March 2021, Kaspersky researchers uncovered XCSSET samples compiled for the new Apple M1 chips, suggesting that the malware campaign was not only ongoing but also that adversaries are actively adapting their executables and porting them to run on new Apple Silicon Macs natively.
https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html
#malware #xcode #apple #macs
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag