Mac malware exposed: XCSSET, an advanced new threat
Posted on August 24th, 2020 by Joshua Long
Over the past two weeks, Intego has been actively investigating XCSSET (aka MACOS.2070d41) — an intriguing new Mac malware specimen.
This unique malware, which seems to primarily target app developers (but can infect any Mac user), has a wide range of abilities. Among them, it can exploit zero-day vulnerabilities, hijack browsers, steal passwords, take screenshots, and exfiltrate data.
Let’s explore everything you need to know about the latest Mac malware threat.
In this article:
- How does XCSSET malware spread?
- What does XCSSET malware do? How is it unique?
- Which vulnerabilities does XCSSET exploit, and what are the implications?
- How long has XCSSET been in the wild? How many victims are there?
- Is XCSSET still an active threat?
- Apple knew about XCSSET, but did not coordinate with the antivirus industry
- How can Mac users avoid getting infected with XCSSET?
- How can XCSSET malware be removed?
- Indicators of compromise
- How can I learn more?
How does XCSSET malware spread?
The primary method of infection is user-downloaded Xcode projects. If an XCSSET-infected Xcode project is opened and built, malicious code will run on the developer’s Mac.
However, it’s important to note that XCSSET can also spread via maliciously modified apps. This means that you don’t necessarily have to be a developer—and you don’t need to have Xcode installed—to get infected.
What does XCSSET malware do? How is it unique?
“XCSSET” (which Intego VirusBarrier detects as OSX/XCSSET.A) is recently discovered Mac malware with a variety of capabilities and some unique traits.
One of the most interesting things about XCSSET is that its main target seems to be developers who use Apple’s Xcode app. An Xcode project infected by XCSSET can lead to malicious code being executed on a developer’s computer.
While it is not entirely clear why developers are being targeted, one plausible theory is that it may be an attempt at wider distribution of the malware. If a developer’s Mac is infected with XCSSET, the infection can spread to any Mac app the developer creates—which in a sense can make the developer an unknowing distributor of XCSSET malware. If a developer’s users were to get infected, this would be a huge boon for the malware maker, because they would have many more computers to exploit, and they could leverage XCSSET’s backdoor and browser hijacking capabilities to install other malware on infected systems.
XCSSET attempts to steal passwords from victims’ Apple ID, Google, Paypal, and other accounts.
All of these attempts at credential stealing are facilitated by installing a Trojanized version of Safari that injects malicious code from an attacker-controlled server into pages the victim visits. This gives the attacker carte blanche; they can do essentially anything they want with your Safari browsing experience. A couple of interesting examples coded into the malware include: attempting to steal credit card data when a victim accesses the Apple Store, and replacing the Chrome download link so the victim will receive an older (and thus insecure) version.
The Trojanized version of Safari also has the capability of replacing Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), and Tether (USDT) cryptocurrency addresses in Web pages, with the intent of stealing money. Notably, as of the time of this writing, no transactions have occurred to the attacker’s Bitcoin or Ethereum/Tether addresses since the malware campaign is believed to have started in June (the last transactions were in May), and the attacker’s Litecoin address seems to have never been used.
And just in case the victim doesn’t use Safari, XCSSET also has the capability of installing Trojanized versions of many other Mac browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, 360 (a Chinese browser), and Yandex (a Russian browser).
XCSSET also attempts to exfiltrate data from apps such as Apple Notes, Evernote, Skype, Telegram, and WeChat. Perhaps this is of interest to the malware maker because many people store passwords or sensitive information in notes applications, or occasionally send messages of a confidential or private nature to loved ones, trusted friends, or colleagues via direct messaging services.
The malware maker also seems interested in tracing victims’ human connections; XCSSET can export a victim’s contacts from Skype, Telegram, Tencent QQ, and WeChat. The latter two are popular instant messaging apps in China.
Other capabilities of XCSSET include the ability to take screenshots, and the ability to exfiltrate data to an attacker-controlled server.
Last but not least, XCSSET exploits two zero-day vulnerabilities related to Safari, as described below.
Which vulnerabilities does XCSSET exploit, and what are the implications?
XCSSET is known to exploit two different zero-day vulnerabilities.
The first vulnerability enables XCSSET to steal Safari browser cookies. While most people think of browser cookies as an annoying tracking device, they can also be used to maintain your login state for sites you use—meaning that if someone steals your cookies, in some cases they could use them on another computer to be automatically logged into your accounts. (This concept of cookie stealing was the basis of Firesheep, a Firefox extension from 2010 that—in the pre-HTTPS-everywhere world—enabled any would-be hacker to hijack accounts of anyone else connected to the same open Wi-Fi network.)
While Apple supposedly protects Safari’s cookies database using macOS’s System Integrity Protection (SIP), it turns out that this is relatively easy to bypass, as long as the user’s account is a local admin—which is almost always the case. The vulnerability seems to be based on Phil Stokes’ research from September 2018, also detailed by Howard Oakley that November, into how macOS automatically grants Full Disk Access permission to Remote Login (ssh) when the feature is enabled. Oakley has written a follow-up article regarding the vulnerability’s use in XCSSET. He also explains how users can manually mitigate the vulnerability, in case Apple continues to leave it unpatched (Apple has already ignored it for nearly two years).
The second vulnerability that XCSSET exploits is also related to Safari. By deleting the Safari Session State Key, and re-adding it while invoking the non-sandboxed development version of Safari, XCSSET can evidently run privileged malicious code without authorization from the victim.
When unpatched vulnerabilities are caught being used in malware, this is often a sign of a more sophisticated attacker than your run-of-the-mill adware or spyware developer. Vulnerabilities can often be sold to bug bounty programs (like Apple’s own Security Bounty) or on the black market for a pretty penny. Throwing away a potential opportunity to profit from reporting a vulnerability often indicates that the attacker’s primary motivation may not be financial. And if the main motivation isn’t making money, this is often a sign that the attacker may be a nation-state threat actor (or may be sponsored by one). It is currently unclear whether that is the case with XCSSET, however.
How long has XCSSET been in the wild? How many victims are there?
XCSSET malware has evidently been spreading in the wild since at least July 13, 2020, with possible indications that it may have been in the wild since June 19 or 20, if not earlier.
At least two Xcode projects that were infected with XCSSET in July have been observed in public GitHub code repositories. Furthermore, by mid-August at least 380 victim IP addresses had been collected by the threat actor that distributed the malware.
Note that these numbers might underrepresent the actual infections in the wild; this should be considered the minimum number of in-the-wild infections, based on what we know at this time. Moreover, assuming that many of the victims are developers who make and distribute Mac apps, even numbers in the hundreds should be rather concerning given that their apps may unintentionally spread XCSSET malware to their end-users.
Components of the malware were uploaded to VirusTotal as early as June 19, 2020. Many zip-compressed Xcode projects were first uploaded to VirusTotal on June 20. This suggests at least two possibilities: perhaps the malware maker may have been testing to see whether the projects would be detected, or perhaps many victims had downloaded infected Xcode projects on the same date and all decided to scan them for known malware.
As we will explore, as recently as August 23 there has been domain name registry activity for domains affiliated with this malware campaign, which seems to indicate that an XCSSET malware campaign may still be active.
Is XCSSET still an active threat?
Three domains confirmed to be associated with XCSSET changed their host IP and name servers on August 20, 2020, and then changed again: one domain on August 22, and the other two on August 23.
This suggests that the malware creator may still be actively using the domains in an existing malware campaign, or may be planning to reuse the domains for further malicious activities.
Specifically, the domains adobestats[.]com, flixprice[.]com, and titiez[.]com switched from DigitalOcean to Vultr on August 20, 2020. An IP address (46.101.126[.]33) to which the malware communicated until August 20 was within a block of IP addresses owned by DigitalOcean. We observed that all three domains began to be hosted at a Vultr IP address (95.179.160[.]42) instead.
Intego contacted DigitalOcean to inquire whether they had taken action against the party that had been using their name servers and host IP address. Meanwhile, Intego informed Vultr that the XCSSET malware campaign had begun using their servers. We also reached out to GoDaddy, the registrar for the three aforementioned domains, to inform them of the domain registrant’s malicious activities.
So far we have not yet received statements from DigitalOcean, Vultr, or GoDaddy. However, it appears that Vultr took action against the malicious party, because the threat actor has once again switched servers. On August 22, titiez[.]com switched to a German-hosted Hetzner Online server (94.130.27[.]189), and on August 23, adobestats[.]com and flixprice[.]com switched to a Russian-hosted Vscale.io server (82.148.30[.]108).
- WHOIS history for adobestats[.]com as of Aug 24
- WHOIS history for flixprice[.]com as of Aug 24
- WHOIS history for titiez[.]com as of Aug 24
Oleksandr Shatkivskyi and Vlad Felenuik, two researchers who discovered the malware independently from Apple, speculate that XCSSET-infected apps could end up in the Mac App Store. This currently remains conjecture, and has not been demonstrated to have occurred yet.
Apple knew about XCSSET, but did not coordinate with the antivirus industry
Built into macOS is a malicious download blocker known as XProtect, which blocks a limited number of threats under limited circumstances (i.e. it isn’t a reliable replacement or substitute for real-time scanning antivirus software).
Apple updated XProtect on July 13, 2020 to add a signature for mystery malware that Apple called “MACOS.2070d41.” Intego’s malware researchers scoured malware repositories and consulted with researchers from across the anti-malware industry about this unknown threat. The consensus was that Apple had not reached out to anyone to share samples or any information whatsoever about this new malware.
Apple's XProtect update (v2126) contains a new signature: "MACOS.2070d41"
Looks for compiled AppleScript, w/ strings such as "curl –connect-timeout 10 -ks -d"
0 hits on @virustotal 🙁 @AppleSupport, can you share info/hashes w/ others looking to help protect macOS users? 🙃 pic.twitter.com/LQhxeqmT3z
— patrick wardle (@patrickwardle) July 14, 2020
In some cases Apple deploys XProtect signatures far too late to offer any meaningful protection. In this case, however, Apple deployed a signature for a threat that only Apple knew about, without providing any useful information that could help others avoid this threat or potential variants of it.
Apple’s decision to not share any details or samples with anyone in the Mac malware analysis community or any reputable antivirus companies means that all Mac users had very limited protection against XCSSET for an entire month after Apple released its signature; by the end of that month, nearly two months had passed since the malware was apparently first uploaded.
Furthermore, because of Apple’s silence, Mac-using developers were not aware during these two months that they should be cautious about downloading Xcode projects. Apple is preparing to launch its new macOS Big Sur operating system this fall, and as such, this is a prime time for devs to actively work on updating their software. Even if XProtect might have been able to protect developers from the original variant of the threat in some circumstances, any new variants could have easily bypassed XProtect and left Apple customers completely vulnerable.
Thankfully, the anti-malware community eventually found samples on its own and can now offer more robust and complete protection than Apple’s XProtect is able to provide.
We reached out to Apple to inquire about the company’s original source of information about the threat, and whether Apple had notified anyone in the industry about it, and if not, why Apple chose to keep to itself important information about an active malware threat.
Apple had not yet responded to these inquiries at the time this article was published. However, we have since begun a dialogue with an Apple press contact, and we may update this article if Apple wishes to make a public statement in response to these concerns.
How can Mac users avoid getting infected with XCSSET?
Mac developers should only download Xcode projects from trusted sources, and should use up-to-date antivirus software with real-time scanning, such as Intego VirusBarrier, to avoid becoming infected with XCSSET.
Non-developers should be aware that XCSSET malware can spread through infected apps, too. This means that even if you’re not a developer, your Mac can still get infected with XCSSET malware if you download an app that happens to be infected.
Regardless of whether or not you’re a developer, there are a couple of things all Mac users can do to avoid infection. First, whenever possible you should download apps from sources that are generally trustworthy, such as the Mac App Store or directly from a trusted developer’s site. Second, you should stay protected by using real-time scanning anti-malware software and ensuring that it frequently checks for and installs updates.
How can XCSSET malware be removed?
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this malware.
Note: Customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected. It is best to upgrade to the latest version of macOS if possible to ensure your Mac gets all the latest security updates from Apple.
Indicators of compromise (IoCs)
Generally, the best way to know if your Mac is infected is to scan your Mac with VirusBarrier. However, some advanced users and network administrators may find it helpful to have additional ways of detecting the presence of this malware.
Some paths that have been observed so far from this malware campaign include the following (note that “~” indicates the user’s home directory, e.g. /Users/username; also a “/” at the end indicates a folder or app bundle that contains additional files):
- ~/Library/Caches/GameKit/.domain (hidden file)
- ~/Library/Caches/GameKit/.report (hidden file)
- ~/Library/Caches/GameKit/[number].jpg (screenshot taken by the malware)
- ~/Library/Caches/GameKit/Pods
- ~/Library/Containers/com.apple.routerd/
- ~/Library/CoreFrameworks/bin1
- ~/Library/CoreFrameworks/com.apple.core.sound.app/
- ~/Library/CoreFrameworks/Pods
- ~/Library/Application Scripts/com.apple.AddressBook.Shared/Containers/
- ~/Library/Application Scripts/com.apple.AddressBook.Shared/CoreFrameworks/
- ~/Library/Application Scripts/com.apple.AddressBook.Shared/Xcode.app/
- ~/Library/Application Support/iCloud/Containers/
- ~/Library/Application Support/iCloud/Xcode.app/
The following domains and IP addresses have been observed to be directly affiliated with this malware campaign:
- titiez[.]com — first reported by Intego
- adobestats[.]com
- flixprice[.]com
- 82.148.30[.]108 — first reported by Intego
- 94.130.27[.]189 — first reported by Intego
- 95.179.160[.]42 — first reported by Intego; not in use after August 23
- 46.101.126[.]33 — not in use after August 20
Any recent network traffic to or from these addresses should be considered a possible sign of an infection.
The following SHA-256 file hashes are a small sampling of known XCSSET files. All of these samples are available to registered VirusTotal users with malware researcher accounts:
- 994994e53ea86ab93ca9b8b4cf95002f1d9fff438c1d8eb52c6c54d7bf6c0bf8 *
- 6c930ba208696a7fb0293f6a3b7d131d65bda42eefdb7d20c88ee57f3820a4f7
- 6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6 **
- 6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41 **
- ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692 **
- d11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1 **

\* first reported by Intego
\*\* widespread or previously documented sample
For additional file hashes (some of which may not be available in public repositories), you can refer to either the blog post or PDF mentioned below.
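The paths, network indicators, and hashes listed above can be combined into a quick triage sweep. The following Python script is an added example written for this article; it is not Intego's tooling and contains no code from the malware. It checks a home directory for the listed paths, hashes anything found at those paths against the published SHA-256 list, and scans log lines (raw or defanged with "[.]") for the campaign's domains and IP addresses. The throwaway demo home directory and the sample log lines are constructed fixtures, and the `[number].jpg` screenshot path is expressed as a glob; a real sweep would point it at the actual home directory and at DNS or proxy logs.

```python
"""Defensive IoC sweep for XCSSET, built from the indicators in the article.

Three checks: (1) do any listed paths exist under a home directory,
(2) does anything found at those paths hash to a published SHA-256, and
(3) do log lines reference the campaign's domains or IP addresses.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Filesystem indicators from the article, relative to the user's home.
# "[number].jpg" becomes a glob; a trailing "/" in the article marks a folder.
XCSSET_PATHS = [
    "Library/Caches/GameKit/.domain",
    "Library/Caches/GameKit/.report",
    "Library/Caches/GameKit/*.jpg",
    "Library/Caches/GameKit/Pods",
    "Library/Containers/com.apple.routerd",
    "Library/CoreFrameworks/bin1",
    "Library/CoreFrameworks/com.apple.core.sound.app",
    "Library/CoreFrameworks/Pods",
    "Library/Application Scripts/com.apple.AddressBook.Shared/Containers",
    "Library/Application Scripts/com.apple.AddressBook.Shared/CoreFrameworks",
    "Library/Application Scripts/com.apple.AddressBook.Shared/Xcode.app",
    "Library/Application Support/iCloud/Containers",
    "Library/Application Support/iCloud/Xcode.app",
]

# SHA-256 hashes published in the article.
XCSSET_SHA256 = {
    "994994e53ea86ab93ca9b8b4cf95002f1d9fff438c1d8eb52c6c54d7bf6c0bf8",
    "6c930ba208696a7fb0293f6a3b7d131d65bda42eefdb7d20c88ee57f3820a4f7",
    "6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6",
    "6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41",
    "ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692",
    "d11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1",
}

# Network indicators, defanged in the article; stored plain for matching.
XCSSET_DOMAINS = {"titiez.com", "adobestats.com", "flixprice.com"}
XCSSET_IPS = {"46.101.126.33", "95.179.160.42", "94.130.27.189", "82.148.30.108"}


def find_ioc_paths(home):
    """Return the listed paths that exist under `home`, sorted, as strings."""
    home = Path(home)
    hits = []
    for pattern in XCSSET_PATHS:
        if "*" in pattern:
            hits.extend(home.glob(pattern))
        elif (home / pattern).exists():
            hits.append(home / pattern)
    return sorted(str(p) for p in hits)


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_known_hashes(home):
    """Hash regular files at (or below) the IoC paths; report published matches."""
    matches = []
    for hit in find_ioc_paths(home):
        candidates = [hit] if os.path.isfile(hit) else [
            os.path.join(d, f) for d, _, files in os.walk(hit) for f in files]
        for p in candidates:
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if digest in XCSSET_SHA256:
                matches.append((p, digest))
    return matches


_DEFANG = re.compile(r"\[\.\]")
_HOST = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")
_SUBDOMAIN_SUFFIXES = tuple("." + d for d in XCSSET_DOMAINS)


def scan_log_lines(lines):
    """Return (line_number, indicator) for lines naming a campaign domain or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        text = _DEFANG.sub(".", line)  # accept defanged notes as well as raw logs
        for token in _HOST.findall(text):
            t = token.lower().rstrip(".")
            if t in XCSSET_IPS or t in XCSSET_DOMAINS or t.endswith(_SUBDOMAIN_SUFFIXES):
                hits.append((n, t))
    return hits


def build_demo_home():
    """Constructed fixture (empty placeholder files, not malware) for a dry run."""
    home = Path(tempfile.mkdtemp(prefix="xcsset-demo-"))
    gamekit = home / "Library" / "Caches" / "GameKit"
    gamekit.mkdir(parents=True)
    (gamekit / ".report").touch()
    (gamekit / "1598.jpg").touch()
    return str(home)


# Constructed sample log lines in a generic "timestamp event" format.
SAMPLE_LOG = [
    "2020-08-21T10:02:11Z dns query A adobestats.com from 192.168.1.23",
    "2020-08-21T10:02:12Z tcp 192.168.1.23:51234 -> 95.179.160.42:443 SYN",
    "2020-08-21T10:05:00Z dns query A www.apple.com from 192.168.1.23",
    "2020-08-23T18:40:09Z tcp 192.168.1.23:51900 -> 82.148.30.108:443 SYN",
]

if __name__ == "__main__":
    demo = build_demo_home()
    print("demo IoC paths:", find_ioc_paths(demo))
    print("demo hash matches:", find_known_hashes(demo))
    print("sample log hits:", scan_log_lines(SAMPLE_LOG))
    print("IoC paths under your home:", find_ioc_paths(Path.home()) or "none")
```

A hit on a path or a log line is a reason to run a full scan, not proof of infection on its own (the `Xcode.app` and `Pods` names are chosen by the malware precisely because they look legitimate); a hash match against the published list is a much stronger signal.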
How can I learn more?
For a more technical analysis of this malware, you can refer to this blog post and this technical brief PDF from Trend Micro. You can also read Phil Stokes’ write-up and Howard Oakley’s write-up of the ssh Full Disk Access vulnerability discovered in 2018, and Oakley’s recent write-up regarding XCSSET’s use of that vulnerability.
You may also be interested in MacRumors’ interview of Trend Micro’s Oleksandr Shatkivskyi and Vlad Felenuik, wherein they posit that XCSSET could potentially make its way into the Mac App Store.
We discussed the new XCSSET malware on episode 149 of the Intego Mac Podcast—be sure to subscribe to make sure you don’t miss any episodes. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.
You can also follow Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).
Photo credits: Physical representation of crypto coins photo adapted from Cryptocurrencies on a computer parts by Marco Verch, licensed under CC BY 2.0.