Almost exactly a month ago, researchers found that a notorious family of malware was exploiting an unprecedented vulnerability that allowed it to bypass macOS security defenses and run unhindered. Some of the same researchers now say that another piece of malware can sneak onto macOS systems thanks to a different vulnerability.
According to Jamf, there is evidence that the XCSSET malware is exploiting a vulnerability that grants access to parts of macOS that normally require user approval, such as the microphone, the webcam, or screen recording, without ever obtaining consent.
XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically the Xcode projects they use to write and build apps. By infecting these development projects, developers unknowingly distribute the malware to their own users, which Trend Micro researchers call a “supply chain-like attack”. The malware is constantly evolving; newer variants also target Macs running Apple's newer M1 chip.
Once the malware is running on a victim’s computer, it uses two zero-days: one to steal cookies from the Safari browser in order to gain access to the victim’s online accounts, and another to quietly install a development version of Safari so that the attacker can modify and snoop on virtually any website.
However, according to Jamf, the malware also took advantage of a previously undiscovered third zero-day to secretly take screenshots of the victim’s screen.
macOS is designed to ask for the user’s permission before any app, malicious or otherwise, can record the screen, access the microphone or webcam, or open the user’s storage. The malware bypassed this permission prompt, staying under the radar, by injecting malicious code into legitimate apps.
Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post shared with Biomedarticles that the malware searches the victim’s computer for other apps that are frequently granted screen-sharing permissions, such as Zoom, WhatsApp, and Slack, and injects malicious screen-recording code into them. The malicious code thereby “piggybacks” on the legitimate app and inherits its permissions under macOS. The malware then signs the new app bundle with a new certificate so as not to trigger the built-in security warnings of macOS.
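The re-signing step described above leaves a trace a defender can look for: a permission-holding app bundle whose code signature no longer matches the vendor's. The check below is an added example written for this page, not Jamf's or Trend Micro's tooling; it parses `codesign -dvvv`-style output and flags bundles whose signing Team ID changed or that became ad-hoc signed. The sample output and all Team IDs are constructed placeholders.

```python
import re
import subprocess
from typing import Dict, Optional

# Baseline of the expected signing Team ID for apps that are commonly granted
# Screen Recording. These Team IDs are PLACEHOLDERS, not the vendors' real ones.
EXPECTED_TEAM_IDS = {
    "us.zoom.xos": "TEAMIDZOOM",
    "com.tinyspeck.slackmacgap": "TEAMIDSLCK",
}

def parse_codesign(output: str) -> Dict[str, str]:
    """Turn `codesign -dvvv` output (key=value lines) into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z]+)=(.*)$", line.strip())
        if m:
            key, value = m.groups()
            # 'Authority' repeats once per cert in the chain; keep the first (leaf) entry.
            fields.setdefault(key, value)
    return fields

def check_bundle(fields: Dict[str, str]) -> Optional[str]:
    """Return a finding if the signature looks re-signed or tampered, else None."""
    ident = fields.get("Identifier", "<unknown>")
    team = fields.get("TeamIdentifier", "not set")
    # An ad-hoc signature carries no Team ID; a vendor's release build never looks like this.
    if fields.get("Signature") == "adhoc" or team == "not set":
        return f"{ident}: ad-hoc or unsigned bundle holding permissions"
    expected = EXPECTED_TEAM_IDS.get(ident)
    if expected and team != expected:
        return f"{ident}: signer changed to {team} (expected {expected})"
    return None

def codesign_info(bundle_path: str) -> Dict[str, str]:
    """Run codesign on a real bundle (macOS only); -dvvv writes its report to stderr."""
    proc = subprocess.run(["codesign", "-dvvv", bundle_path],
                          capture_output=True, text=True)
    return parse_codesign(proc.stderr)

# Constructed samples: a re-signed Zoom bundle versus an untouched Slack bundle.
RESIGNED_SAMPLE = """Identifier=us.zoom.xos
Signature size=4523
Authority=Developer ID Application: Placeholder Signer (ATTKRTEAM1)
TeamIdentifier=ATTKRTEAM1
"""
CLEAN_SAMPLE = """Identifier=com.tinyspeck.slackmacgap
Authority=Developer ID Application: Placeholder Vendor (TEAMIDSLCK)
TeamIdentifier=TEAMIDSLCK
"""
```

On a real Mac, `check_bundle(codesign_info("/Applications/zoom.us.app"))` runs the same logic against the installed bundle; the baseline dictionary has to be populated from a known-clean install first.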
The researchers said the malware used the permission-prompt bypass “specifically to take screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone or webcam, or to capture their keystrokes, such as passwords or credit card numbers.
It is not clear how many Macs the malware was able to infect using this technique. Apple, however, confirmed to Biomedarticles that it fixed the bug in macOS 11.4, which was made available as an update today.