New Apple Zero-Day Exploit Found in XCSSET MacOS Malware

A recently patched Apple zero-day exploit has been found in use by the XCSSET malware. The exploit allows attackers to bypass Apple’s TCC protections via malicious applications, and it runs on the victim’s device without any user interaction.

Apple recently released an update patching three zero-day vulnerabilities. Two of the three affect WebKit on Apple TV 4K and Apple TV HD devices; the third is the one used by the XCSSET malware, which Trend Micro researchers initially discovered in 2020.

GBHackers also recently reported that XCSSET malware, which spreads via Xcode projects, has adapted to macOS 11 and M1-based Macs. XCSSET is written in AppleScript, a scripting language developed by Apple that facilitates control over script-enabled Mac applications.

TCC Framework Exploit

In the macOS 11.4 release, Apple patched a zero-day (CVE-2021-30713) that bypasses the TCC framework, the mechanism that controls whether applications such as video collaboration software may access the webcam, the microphone, and more.

If attackers successfully exploit the vulnerability, they gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent.

A recent analysis by the Jamf Protect detection team reported that they found this exploit in the XCSSET malware, and that the variant is being used in the wild to attack Mac users.

During this discovery, the researchers also found that XCSSET has reportedly used two other zero-day exploits: one used to steal Safari browser cookies and another used to bypass prompts when installing a developer version of the Safari application.

The TCC framework mediates various actions on Apple devices, such as saving files to the Documents directory, recording keystrokes, and taking a screenshot. When an application attempts one of these actions, the user gets a prompt asking whether to grant or deny the application permission to do so.

During the analysis of the malware, researchers found an AppleScript module titled “screen_sim.applescript”. Inside it they also noticed a permission check called “VerifyCapturePermissions”, which means that the malware searches for an application that already has permission to take a screenshot.

The malware then targets those applications. According to the report, “if appIDs are found on the system, the command returns the path to the installed application. With this information, the malware crafts a custom AppleScript application and injects it into the installed, donor application. It does so by performing a number of functions, the most notable being called createDonorApp().”

“It was determined that this vulnerability is not limited to screen recording permissions either. Multiple different permissions that have already been provided to the donor application can be transferred to the maliciously created app,” the researchers said.

Indicators of Compromise (IoC)

Command and Control Domains:

  • trendmicronano[.]com
  • findmymacs[.]com
  • adoberelations[.]com
  • statsmag[.]com
  • statsmag[.]xyz
  • flixprice[.]com
  • adobestats[.]com
  • titiez[.]com
  • icloudserv[.]com
  • atecasec[.]com
  • monotel[.]xyz
  • sidelink[.]xyz
  • mantrucks[.]xyz
  • linebrand[.]xyz
  • nodeline[.]xyz

Sample hashes:

  • Non-compiled SHA1: 3d4fe59b9be7c2fb3ad7066bc85cda534316001c
  • Compiled SHA1: 15c434b0c419cda5de7dc9fd698c8fa7d8d5a2cc
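As an added defender-side example (not code from the article, from Jamf, or from Trend Micro), the Python below turns the IoC list above into something a responder can run: it refangs the defanged domains, matches DNS query log lines against them (including subdomains, but not look-alike names such as notstatsmag.com), and checks file contents against the two SHA1 hashes. The DNS log format (dnsmasq-style `query[A] <name> from <ip>`) and the sample log lines are constructed for the example.

```python
import hashlib
import re

# IoC domains as published with the article, still defanged ("[.]").
DEFANGED_DOMAINS = [
    "trendmicronano[.]com", "findmymacs[.]com", "adoberelations[.]com",
    "statsmag[.]com", "statsmag[.]xyz", "flixprice[.]com", "adobestats[.]com",
    "titiez[.]com", "icloudserv[.]com", "atecasec[.]com", "monotel[.]xyz",
    "sidelink[.]xyz", "mantrucks[.]xyz", "linebrand[.]xyz", "nodeline[.]xyz",
]

# Sample hashes as published with the article.
KNOWN_SHA1 = {
    "3d4fe59b9be7c2fb3ad7066bc85cda534316001c": "XCSSET non-compiled AppleScript",
    "15c434b0c419cda5de7dc9fd698c8fa7d8d5a2cc": "XCSSET compiled AppleScript",
}


def refang(domain: str) -> str:
    """Undo common defanging ("[.]", "(.)", "hxxp") and normalise the name."""
    name = domain.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    name = re.sub(r"\.{2,}", ".", name)      # tolerate typos like "[.].com"
    return name.lower().strip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(name: str):
    """Return the matching IoC domain if `name` is it or a subdomain of it.

    Matching is done label by label so that "cdn.statsmag.xyz" matches
    "statsmag.xyz" while "notstatsmag.com" does not.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Assumed dnsmasq-style log format; constructed for this example.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)$"
)


def scan_dns_log(lines):
    """Return one hit dict per log line whose queried name matches an IoC."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue                          # skip lines that are not queries
        matched = domain_matches(m["name"])
        if matched:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "queried": m["name"], "ioc": matched})
    return hits


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def classify_sample(data: bytes):
    """Return the IoC label for a known XCSSET sample hash, else None."""
    return KNOWN_SHA1.get(sha1_of_bytes(data))


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2021-05-25 10:01:02 query[A] cdn.statsmag.xyz from 10.0.0.5",
    "2021-05-25 10:01:03 query[A] www.apple.com from 10.0.0.5",
    "2021-05-25 10:01:04 query[A] notstatsmag.com from 10.0.0.7",
    "2021-05-25 10:01:05 query[AAAA] Adobestats.com. from 10.0.0.9",
    "2021-05-25 10:01:06 reply www.apple.com is 17.253.144.10",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} queried {hit['queried']} -> IoC {hit['ioc']}")
```

Feed `scan_dns_log` the lines of a real resolver log and `classify_sample` the bytes of any suspicious `.applescript` or compiled script found inside an app bundle; a hit on either is a reason to inspect the host rather than proof on its own, since the domains may already be sinkholed.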
Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
