Security news that informs and inspires

Apple Fixes MacOS Flaw Abused in XCSSET Malware Attacks

By

Apple has released a patch in its latest version of macOS, Big Sur version 11.4, addressing an actively exploited flaw. The vulnerability could allow attackers to access various sensitive application permissions without victims' consent - enabling them to secretly take screenshots or record videos of victims' screens, for instance.

Researchers with Jamf, who discovered the vulnerability, said in a Monday analysis that they uncovered the flaw being abused by attackers while analyzing the XCSSET malware. The malware, already installed on victims' systems, was using the bypass flaw to take screenshots of users' desktops without requiring additional permissions.

"By leveraging an installed application with the proper permissions set, the attacker can piggyback off that donor app when creating a malicious app to execute on victim devices, without prompting for user approval," said Stuart Ashenbrenner, Jaron Bradley and Ferdous Saljooki with Jamf.

The flaw (CVE-2021-30713) could allow cybercriminals to bypass the Transparency Consent and Control (TCC) framework, which is the system in charge of prompting Apple users when an application attempts to perform an action requiring their explicit permission. For instance, TCC is behind the prompts that ask users if video collaboration software can access their devices’ webcams and microphones. Once the users give consent, the application is then given permission to carry out the action via the system preferences.

Researchers discovered a module written in AppleScript - Apple’s scripting language - that was being used to bypass TCC protections. The module hunted out applications with permissions to capture screenshots, and then used the mdfind command — Apple’s find routine, which searches for files based on their contents as stored in the Spotlight index — to check if the application IDs are installed on the victim’s device.

“If any of the appID’s are found on the system, the command returns the path to the installed application,” according to researchers. “With this information, the malware crafts a custom AppleScript application and injects it into the installed, donor application.”

“The vulnerability can then be triggered fairly easy so long as there is a pre-existing application that has the permissions it would like to piggyback on."

Ashenbrenner said that this is a local exploit, meaning that in order to leverage the flaw, the attacker must have already managed to gain access to the system. Due to a lack of validation by TCC, the malicious application can “piggyback” off the parent application, such as Zoom, allowing it to take screenshots or record the screen without needing explicit consent from the user, said researchers.

Because the exploit is piggybacking off of another application's permissions, it's somewhat trivial," said Ashenbrenner. "Since the exploit can only be performed locally the attacker must have already found a way to get onto the system. The vulnerability can then be triggered fairly easy so long as there is a pre-existing application that has the permissions it would like to piggyback on.

In its security advisory for Big Sur, Apple said that the permissions issue was fixed with “improved validation.”

The XCSSET malware, which was first uncovered in August, targets Mac developers by infecting Xcode products using zero-day vulnerabilities in order to spread. The malware has various capabilities, including reading and dumping Safari cookies; stealing information from victims’ apps, such as Evernote, Telegram, Skype, Notes, QQ and WeChat; taking screenshots of the victims’ current screen and in some cases encrypting files and showing a ransom note. In April, researchers uncovered a new variant of the XCSSET malware that runs on M1 Macs and has some interesting abilities to bypass security protections.

One of the fascinating aspects of the XCSSET malware is its use of AppleScript, said Ashenbrenner.

We've traditionally seen malware leverage programming languages like bash or Python, but the use of AppleScript is both abnormal and novel," he said. "AppleScript is incredibly underrated in both its usefulness and power, and for a strain of malware to have quite advanced use of it makes it all that more difficult for traditional AV vendors to detect.

Monday's patch is one out of several fixes that Apple issued across several products, including macOS, Safari, iOS, tvOS and watchOS. Two other vulnerabilities that were being actively exploited were also fixed by Apple, including a WebKit memory corruption issue (CVE-2021-30665) and an integer overflow vulnerability (CVE-2021-30663), both affecting Apple TV 4K and Apple TV HD.

It’s only the latest flaw under active attack by cybercriminals to be fixed by Apple. In April, Apple issued a fix for a zero-day vulnerability in macOS, which was being actively exploited by cybercriminals for months in order to distribute the Shlayer malware. And earlier in May, Apple released an emergency update that included fixes for two WebKit vulnerabilities that were being actively exploited.

Ashenbrenner said that over the course of the past few years, researchers have seen an increasing demand for Apple products in the market, which in turn has made them become more of a target for malware developers.

With this in mind, researchers with Jamf urged users to “‘patch fast and patch often,’ as Apple recently patched this issue to keep malware like XCSSET from abusing this vulnerability in the future, for Mac computers running macOS 11.4 or later.”