Security researchers have outlined an ingenious zero-day malware attack that bypassed restrictions in Apple’s macOS operating system that alert users when webcams and microphones on their computers are accessed.
The XCSSET malware that security vendor Trend Micro analysed [pdf] in August last year infects Apple Xcode software development projects for supply-chain attacks.
It has been actively exploiting a zero-day vulnerability to take screenshots of users’ desktops, without requesting permission from them, researchers at JAMF said.
JAMF researchers Stuart Ashenbrenner, Jaron Bradley and Ferdous Saljooki said the exploit could be used by attackers to get full disk access, screen recording and other functions that would normally require explicit permissions from users, in the form of a pop-up prompt.
The malware is able to check for already-installed applications like the Zoom video conferencing software that users have granted system access permissions to.
XCSSET can piggyback on such “donor apps” to run its own malicious code to access webcams and microphones, without triggering the prompts created by Apple’s Transparency Consent and Control (TCC) framework that would normally alert users to what is going on.
A novel aspect of the malware is how it uses the AppleScript scripting language that can be used to control macOS applications.
“Much of the time the malware author leverages AppleScripts in their attack chain due to the facility in which it handles many bash commands, even downloading and/or executing Python scripts in an effort to obfuscate their intentions through a confusing use of various scripting languages,” the researchers wrote.
Apple has patched the vulnerability in macOS 11.4 and added detection for the malware in its Xprotect software.
It is not known which threat actor is behind XCSSET, which has utilised two other zero-days in the past.
One exploit bypassed the macOS system integrity protection (SIP) to download Safari browser cookies.
A second one bypassed permission prompts to install a developer version of the Safari browser, Trend Micro found.
The two latter zero-day exploits have also been patched by Apple in macOS 11.4.
Apple’s top executive in charge of software development recently raised eyebrows when he testified under oath in the court case against Epic Games that the company’s Mac platform has a level of malware “that we don’t find acceptable”.
Federighi testified that there have been 130 types of Mac malware, with one of them infecting 300,000 systems.
Nevertheless, Federighi believes the Mac is the safest possible in terms of PC-class devices.
