Apple's new ARM-based M1 chip has generated a lot of enthusiasm among the company's hardware-obsessed fans, but it has also attracted the attention of malware authors, who have wasted little time adapting their creations to the new architecture. Several malware variants capable of running on the new platform have already emerged, and now researchers have come across a version of the existing XCSSET malware that runs on M1 Macs and has some interesting abilities to bypass security protections.
XCSSET first emerged in August 2020, when researchers at Trend Micro discovered a malware sample that used exploits for two zero-day vulnerabilities and injected malicious code into Xcode projects built on victims' machines. The malware initially targeted developers and spread from project to project as victimized developers shared their projects publicly.
“The threat escalates since we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects,” Trend Micro researchers wrote in an analysis of the initial malware.
“The method of distribution used can only be described as clever. Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files.”
Not long after the initial discovery, researchers found a variant of XCSSET that used an additional exploit to target browsers on macOS and set up a universal XSS injection. A newer version of XCSSET is now circulating with builds for both x86_64 and the ARM-based M1 chip. In March, Kaspersky unearthed an XCSSET sample that included those new capabilities, and further analysis by Trend Micro researchers shows that this variant can also slide past some of the new security features in macOS 11 Big Sur. One of the defenses Apple added in Big Sur is that, on Apple silicon Macs, native arm64 code will not run at all unless it carries a code signature, a rule meant to keep modified or unsigned executables from running. The catch is that an ad hoc signature, which binds no developer identity and is checked only for integrity, satisfies that requirement, and that is exactly what XCSSET takes advantage of.
“But as we have seen from its source code, the malware can cleverly circumvent macOS 11's new security policies: Its fake apps and files are codesigned with an ad-hoc signature using the codesign --force --deep -s - command. The malware then downloads its own open tool from its C&C server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps,” a new analysis from Trend Micro says.
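What an ad hoc signature actually looks like on disk, as an added example that is not part of the original article or of Trend Micro's analysis: the script below builds two constructed embedded-signature SuperBlobs (the structure that a Mach-O's LC_CODE_SIGNATURE load command points at), one ad hoc and one identity-signed, and classifies them by the two markers that differ, the CS_ADHOC flag in the CodeDirectory and an empty CMS signature slot. The identifiers, the page hash and the placeholder CMS bytes are made up; the blob layouts and magic constants are Apple's, as defined in cs_blobs.h.

```python
"""Classify an embedded macOS code signature SuperBlob as ad hoc or identity-signed.

Added example. The sample blobs are constructed in-line; on a real binary the
SuperBlob would be read from the file range named by LC_CODE_SIGNATURE.
"""
import hashlib
import struct

CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0   # SuperBlob wrapping all signature pieces
CSMAGIC_CODEDIRECTORY = 0xFADE0C02        # CodeDirectory: identifier, flags, page hashes
CSMAGIC_BLOBWRAPPER = 0xFADE0B01          # wrapper around the CMS (PKCS#7) signature
CSSLOT_CODEDIRECTORY = 0x00000
CSSLOT_SIGNATURESLOT = 0x10000
CS_ADHOC = 0x0002                         # CodeDirectory flag set by 'codesign -s -'


def _blob(magic: int, payload: bytes) -> bytes:
    """Generic blob: big-endian magic, total length (header included), payload."""
    return struct.pack(">II", magic, 8 + len(payload)) + payload


def build_code_directory(identifier: str, flags: int, page_hashes: list) -> bytes:
    """Minimal version-0x20100 CodeDirectory with one SHA-256 hash per 4 KiB page."""
    ident = identifier.encode() + b"\x00"
    ident_off = 48                       # header size for version 0x20100
    hash_off = ident_off + len(ident)
    hashes = b"".join(page_hashes)
    header = struct.pack(
        ">IIIIIIIIIBBBBII",
        CSMAGIC_CODEDIRECTORY, hash_off + len(hashes), 0x20100, flags,
        hash_off, ident_off, 0, len(page_hashes), 4096 * len(page_hashes),
        32, 2, 0, 12,                    # hashSize, hashType=SHA-256, platform, log2(pageSize)
        0, 0,                            # spare2, scatterOffset
    )
    return header + ident + hashes


def build_superblob(slots: dict) -> bytes:
    """SuperBlob: magic, length, count, then a (type, offset) index, then the blobs."""
    offset = 12 + 8 * len(slots)
    index, body = b"", b""
    for slot_type, data in sorted(slots.items()):
        index += struct.pack(">II", slot_type, offset)
        body += data
        offset += len(data)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, offset, len(slots)) + index + body


def parse_superblob(blob: bytes) -> dict:
    """Map slot type -> (blob magic, raw blob bytes)."""
    magic, length, count = struct.unpack_from(">III", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(blob):
        raise ValueError("not an embedded-signature SuperBlob")
    slots = {}
    for i in range(count):
        slot_type, off = struct.unpack_from(">II", blob, 12 + 8 * i)
        slot_magic, slot_len = struct.unpack_from(">II", blob, off)
        slots[slot_type] = (slot_magic, blob[off:off + slot_len])
    return slots


def classify_signature(blob: bytes) -> dict:
    """Ad hoc means: CS_ADHOC set in the CodeDirectory, or no CMS signature bytes at all."""
    slots = parse_superblob(blob)
    cd_magic, cd = slots[CSSLOT_CODEDIRECTORY]
    if cd_magic != CSMAGIC_CODEDIRECTORY:
        raise ValueError("CodeDirectory slot has the wrong magic")
    _, _, version, flags, _, ident_off = struct.unpack_from(">IIIIII", cd, 0)
    identifier = cd[ident_off:cd.index(b"\x00", ident_off)].decode()
    sig = slots.get(CSSLOT_SIGNATURESLOT)
    cms_bytes = 0 if sig is None else len(sig[1]) - 8   # payload after the 8-byte blob header
    adhoc = bool(flags & CS_ADHOC) or cms_bytes == 0
    return {"identifier": identifier, "cd_version": version, "flags": flags,
            "cms_bytes": cms_bytes, "adhoc": adhoc}


# Constructed samples: an ad hoc signature of the kind 'codesign --force --deep -s -'
# produces (empty CMS wrapper, CS_ADHOC set), and an identity-signed one whose CMS slot
# holds placeholder bytes standing in for a real PKCS#7 SignedData structure.
PAGE_HASH = hashlib.sha256(b"constructed 4 KiB page of a fake 'open' tool").digest()
ADHOC_SIGNATURE = build_superblob({
    CSSLOT_CODEDIRECTORY: build_code_directory("open", CS_ADHOC, [PAGE_HASH]),
    CSSLOT_SIGNATURESLOT: _blob(CSMAGIC_BLOBWRAPPER, b""),
})
IDENTITY_SIGNATURE = build_superblob({
    CSSLOT_CODEDIRECTORY: build_code_directory("com.example.open", 0, [PAGE_HASH]),
    CSSLOT_SIGNATURESLOT: _blob(CSMAGIC_BLOBWRAPPER, b"\x30\x82" + b"\x00" * 40),
})

if __name__ == "__main__":
    for name, blob in (("ad hoc", ADHOC_SIGNATURE), ("identity", IDENTITY_SIGNATURE)):
        print(name, classify_signature(blob))
```

On a real Mac the same verdict comes from codesign -dvvv on the binary, which prints Signature=adhoc and flags=0x2(adhoc) for anything signed with -s -; the pre-signed "open" tool the quote describes would show exactly that, and an ad-hoc-signed executable that was downloaded rather than built locally is a reasonable thing to flag in endpoint telemetry.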
The newest variant of XCSSET includes some other updates as well, most notably a change in the way the malware names the code snippets it inserts into Xcode projects on infected machines.
“The replicator.applescript module infects Xcode developer projects by inserting a function that calls its malicious components during the build phase or the build rule. In previous versions, these code snippets inserted in the build phase or build rule were assigned hard-coded IDs, but this latest iteration added a new function that automatically generates random IDs. According to its logic (Figure 13), this random ID will always end with the postfix “AAC43A,” which is used to identify and remove the old infection snippet in preparation for a new infection,” the Trend Micro analysis says.
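A triage check for the ID convention described above, as an added example that is not from the article or from Trend Micro's write-up: it scans a project.pbxproj for objects whose 24-hex-digit identifier ends in AAC43A and, separately, lists every shell-script build phase and build rule for manual review, since those are the places the snippet is inserted. The sample pbxproj is constructed and the script bodies in it are placeholders, not XCSSET's real snippet; that the malware's generated IDs keep the 24-hex-digit form Xcode uses for object IDs is an assumption.

```python
"""Scan an Xcode project.pbxproj for XCSSET-style build-phase and build-rule IDs.

Added example. The sample project below is constructed; its script bodies are
placeholders and not the malware's actual injected code.
"""
import re

XCSSET_ID_SUFFIX = "AAC43A"   # suffix the replicator module appends to its generated IDs (per Trend Micro)
SCRIPT_OBJECTS = {"PBXShellScriptBuildPhase", "PBXBuildRule"}   # object types that run code at build time

# An object definition starts a line with its 24-hex-digit ID, an optional /* comment */, then '= {'.
OBJECT_HEADER_RE = re.compile(
    r"^\s*(?P<id>[0-9A-F]{24})(?![0-9A-F])\s*(?:/\*[^*]*\*/)?\s*=\s*\{", re.MULTILINE)
ISA_RE = re.compile(r"isa\s*=\s*(?P<isa>\w+)\s*;")
SCRIPT_RE = re.compile(r'(?:shellScript|script)\s*=\s*"(?P<script>(?:[^"\\]|\\.)*)"\s*;')


def scan_pbxproj(text: str) -> list:
    """Return one finding per object that deserves review, in file order."""
    headers = list(OBJECT_HEADER_RE.finditer(text))
    findings = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]          # everything up to the next object header
        isa_match = ISA_RE.search(body)
        isa = isa_match.group("isa") if isa_match else "?"
        obj_id = m.group("id")
        reasons = []
        if obj_id.endswith(XCSSET_ID_SUFFIX):
            reasons.append("id_suffix_" + XCSSET_ID_SUFFIX)
        if isa in SCRIPT_OBJECTS:
            reasons.append("runs_script_at_build")
        if reasons:
            script = SCRIPT_RE.search(body)
            findings.append({"id": obj_id, "isa": isa, "reasons": reasons,
                             "script": script.group("script") if script else None})
    return findings


def xcsset_indicators(text: str) -> list:
    """Only the object IDs carrying the XCSSET suffix, for a quick yes/no on a project."""
    return [f["id"] for f in scan_pbxproj(text)
            if any(r.startswith("id_suffix_") for r in f["reasons"])]


# Constructed project: one ordinary build file, one legitimate lint script phase,
# and two objects with the AAC43A suffix (a script phase and a build rule).
SAMPLE_PBXPROJ = r"""// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 50;
    objects = {
        1A2B3C4D5E6F708192A3B4C5 /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8F2C1A4D0B7E3F5A9C1D2E3F /* AppDelegate.swift */; settings = {ATTRIBUTES = (Public, ); }; };
        A1B2C3D4E5F6A7B8C9D0E1F2 /* Run SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        D41E9C0B2F7A6E5D3CAAC43A /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "echo placeholder-for-injected-snippet\n";
        };
        7B3A5F9E1C2D4B6A8EAAC43A /* PBXBuildRule */ = {
            isa = PBXBuildRule;
            compilerSpec = com.apple.compilers.proxy.script;
            filePatterns = "*.placeholder";
            fileType = pattern.proxy;
            isEditable = 1;
            outputFiles = (
            );
            script = "echo placeholder-for-injected-rule\n";
        };
    };
    rootObject = 8F2C1A4D0B7E3F5A9C1D2E3F /* Project object */;
}
"""

if __name__ == "__main__":
    for finding in scan_pbxproj(SAMPLE_PBXPROJ):
        print(finding["id"], finding["isa"], ",".join(finding["reasons"]), repr(finding["script"]))
```

The suffix match is the cheap indicator; the script listing is there because a future build could drop the suffix, and any Run Script phase or custom build rule a developer does not recognise in a shared project is worth reading before the project is built.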