Trojan bundles zero-day trickery to pwn Xcode software projects

Security researchers have identified a sophisticated strain of Apple Mac malware that targets software developers.

XCSSET macOS malware, discovered in the wild by security researchers at Trend Micro, infects Xcode software development projects.

“Malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run,” an analysis of the malware by Trend Micro explains.

“This poses a risk for Xcode developers in particular.”

Supply chain attack

Some of the developers hit by the malware campaign have shared their software projects on GitHub, leading to a supply chain-like attack affecting any downstream developer that relies on compromised repositories or shared software libraries in putting together their own projects.

The attack ultimately leads to the main XCSSET malware being deployed on the affected system, creating a backdoor in the process.

The trojan leverages two zero-day (previously unknown and therefore unpatched) vulnerabilities, according to Trend Micro.

RELATED Upstream attacks on open source ecosystem up 400% as criminals compromise applications at scale

One of these vulnerabilities is used to steal cookies via a flaw in the behavior of Apple’s Data Vaults security technology, while another previous unknown vulnerability is used to abuse the development version of the Safari web browser.

Some external macOS experts have disputed whether these security flaws might properly be described as ‘zero-day’ bugs, although they did agree that the malware is unusually sophisticated.

XCSSET malware is targeting Xcode software development projectsXCSSET malware is targeting Xcode software development projects

XCSSET missile

Using various exploits, XCSSET abuses Safari and other installed browsers to steal user data.

More specifically, the malware uses the Safari development version to inject JavaScript backdoors onto websites via a universal cross-site scripting (UXSS) attack. It also uses a vulnerability to read and dump Safari cookies.

In response to questions from The Daily Swig, Brian Gorenc, senior director of vulnerability research and head of Trend Micro’s Zero Day Initiative (ZDI) vulnerability disclosure program, confirmed that abuse of “zero-day vulnerabilities in Mac malware are definitely uncommon”.

“It is more common to see malware use n-day vulnerabilities, meaning vulnerabilities that have a patch available,” Gorenc explained. “Exploits targeting developer projects have the potential to have wide-reaching impact, since one successful infection could end up affecting many.”

RECOMMENDED Apple Safari 14 introduces ‘passwordless’ logins for websites

“While there may be a low success rate on the initial infection, the possible information and access gained by even a few infections could result in a treasure trove of data returned to the attacker,” he added.

The malware is programmed to upload files from the affected machines to the attacker’s specified server, take screenshots and steal information from the user’s Evernote, Notes, Skype, Telegram, QQ, and WeChat apps.

The UXSS component of the attack lends itself to pushing arbitrary JavaScript-injected code capable of stealing Apple ID, Google, or PayPal credentials, among other exploits.


Thomas Reed, Director of Mac and Mobile at US cybersecurity firm Malwarebytes, expressed caution about whether “either of the issues described by Trend Micro are actually zero-days”.

“The Data Vault vulnerability is definitely not a zero-day, as it’s been known for a couple of years that using SSH/SCP bypasses TCC restrictions,” Reed told The Daily Swig.

“This is a known issue, but it’s been known since 2018 and may, at this point, be something that Apple considers to be working as intended.”

“I’m less sure of the WebKit [Safari browser engine] issue, but I do know that other malware has been modifying Safari for malicious purposes for some time, as we saw with a variant of Crossrider back in February,” he added.

Reed concluded: “Use of zero-days is really pretty rare on macOS.”

Read more of the latest Apple security news

Interestingly, this campaign leaves developers, rather than end-users, most at risk.

“As for the efficacy of the attack, the fact that this malware is able to infect Xcode projects means that it could be extremely dangerous to targeted developers,” Reed told The Daily Swig.

“It does not appear to be something that would affect end users through the infected Xcode projects, as far as I can tell.

“So, unlike XcodeGhost (malware from 2015), which infected applications built by developers using infected systems, this looks like it just affects the developers themselves,” he added.

Malwarebytes, which identifies the XCSSET malware as ‘DubRobber’, has recorded some but not many infections. Most of these took place in India, aside from one seemingly isolated case in China.

READ MORE When TLS hacks you: Security friend becomes a foe