XCSSET MacOS Malware

A recently patched Apple zero-day exploit has been found in use by the XCSSET malware. The exploit allows attackers to bypass Apple’s TCC (Transparency, Consent, and Control) protections via malicious applications, and it can be executed on a victim’s device without any user interaction.

Apple recently released an update patching 3 zero-day vulnerabilities. 2 of the 3 affect WebKit on Apple TV 4K and Apple TV HD devices; the 3rd is the one used by the XCSSET malware, which was initially discovered by Trend Micro researchers in 2020.

GBHackers also recently reported that XCSSET malware, which spreads through infected Xcode projects, has adapted to macOS 11 and M1-based Macs. XCSSET is written in AppleScript, a scripting language developed by Apple that facilitates control over script-enabled Mac applications.

TCC Framework Exploit

In macOS 11.4, Apple patched a zero-day vulnerability (CVE-2021-30713) that bypasses the TCC framework, the mechanism that governs application access to protected resources, for example a video collaboration application’s access to the webcam and microphone.

If attackers successfully exploit the vulnerability, they gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent.

A recent analysis by the Jamf Protect detection team found this exploit in XCSSET malware, in a variant being used in the wild to attack Mac users.

During this investigation, the researchers also found that XCSSET has reportedly used two other zero-day exploits: one to steal Safari browser cookies, and another to bypass prompts in order to install a developer version of the Safari application.

The TCC framework mediates various actions on Apple devices, such as saving files to the Documents directory, recording keystrokes, and taking a screenshot. When an application attempts one of these actions, the user is prompted to grant or deny the application permission to do so.

During analysis of the malware, researchers found an AppleScript module titled “screen_sim.applescript”. Inside it they noticed a permission check called “VerifyCapturePermissions”, which indicates that the malware searches for an application that already has permission to take a screenshot.

According to the report, XCSSET malware also checks for targeted appIDs: “if the appIDs are found on the system, the command returns the path to the installed application. With this information, the malware crafts a custom AppleScript application and injects it into the installed, donor application. It does so by performing a number of functions, the most notable being called createDonorApp().”

Researchers also determined that this vulnerability is not limited to screen recording permissions. Multiple permissions that have already been granted to the donor application can be transferred to the maliciously created app, they said.
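As an added defensive example (not code from this article or from Jamf’s research), the following Python script implements a host-side heuristic for the injection pattern described above: it flags any application bundle that carries a nested AppleScript applet, the kind of bundle osacompile produces, and exercises the check against a constructed sample directory rather than a real system. The nested location under Contents/MacOS and the bundle names are assumptions made for illustration.

```python
import os
import plistlib
import tempfile
from pathlib import Path

def is_applescript_applet(bundle: Path) -> bool:
    """Looks like an osacompile-built applet: executable 'applet'/'droplet' plus main.scpt."""
    try:
        with (bundle / "Contents" / "Info.plist").open("rb") as fh:
            plist = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return False  # missing or unreadable Info.plist: not a well-formed bundle
    has_script = (bundle / "Contents" / "Resources" / "Scripts" / "main.scpt").is_file()
    return plist.get("CFBundleExecutable") in ("applet", "droplet") and has_script

def find_nested_applets(apps_root: Path) -> list:
    """Return (donor, nested) path pairs for every .app carrying an applet bundle inside it."""
    hits = []
    for donor in sorted(apps_root.glob("*.app")):
        for dirpath, dirnames, _ in os.walk(donor / "Contents"):
            for name in dirnames:
                nested = Path(dirpath) / name
                if name.endswith(".app") and is_applescript_applet(nested):
                    hits.append((str(donor), str(nested)))
    return hits

def _make_app(path: Path, executable: str, applet: bool) -> None:
    """Constructed sample bundle for the demo, not a real application."""
    (path / "Contents" / "MacOS").mkdir(parents=True)
    with (path / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": executable}, fh)
    if applet:  # mimic the Resources/Scripts/main.scpt layout osacompile produces
        scripts = path / "Contents" / "Resources" / "Scripts"
        scripts.mkdir(parents=True)
        (scripts / "main.scpt").write_bytes(b"constructed placeholder")

def build_sample_tree(root: Path) -> Path:
    """Constructed Applications folder: a clean app plus a donor app with a planted applet (location assumed)."""
    apps = root / "Applications"
    _make_app(apps / "CleanApp.app", "CleanApp", applet=False)
    _make_app(apps / "DonorApp.app", "DonorApp", applet=False)
    _make_app(apps / "DonorApp.app/Contents/MacOS/planted.app", "applet", applet=True)
    return apps

def demo() -> list:
    """Build the constructed tree in a temporary directory, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_nested_applets(build_sample_tree(Path(tmp)))
```

On a real host, point find_nested_applets at /Applications; legitimate helper applets shipped by vendors would need to be allowlisted rather than treated as findings.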

Indicators of Compromise (IoC)

Command and Control Domains:

Non-Compiled SHA1: 3d4fe59b9be7c2fb3ad7066bc85cda534316001c
Compiled SHA1: 15c434b0c419cda5de7dc9fd698c8fa7d8d5a2cc