Almost exactly a month ago, researchers revealed that a notorious malware family exploited an unprecedented vulnerability that allowed it to bypass macOS security defenses and operate unhindered. Now, some of the same researchers say another piece of malware sneaks onto macOS systems thanks to a different vulnerability.
Jamf says it found evidence that the XCSSET malware exploited a vulnerability that allowed it to use parts of macOS that require user permission, such as the microphone, the webcam, or screen recording, without ever obtaining consent.
XCSSET was first discovered by Trend Micro in 2020, targeting Apple developers, specifically the Xcode projects they use to write and build apps. By infecting those projects, developers unwittingly distribute the malware to their own users, in what Trend Micro researchers described as a "supply chain attack." The malware is still under active development, with newer variants also targeting Macs running Apple's new M1 chip.
Once the malware runs on a victim's computer, it uses two zero-days: one to steal cookies from the Safari browser in order to access the victim's online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website the victim visits.
But Jamf says the malware was also exploiting a third, previously unknown zero-day to secretly take screenshots of the victim's screen.
macOS is supposed to ask the user for permission before allowing an app, malicious or not, to record the screen, access the microphone or webcam, or read the user's storage. The malware never triggers that prompt: instead, it injects its malicious code into legitimate apps that already hold the permission.
Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches the victim's computer for applications that are frequently granted screen recording permission, such as Zoom, WhatsApp, and Slack, and injects its malicious screen recording code into those apps. The injected code piggybacks on the legitimate application and inherits the permissions macOS has already granted to it. The malware then signs the modified app with a new certificate to avoid being flagged by macOS's built-in security defenses.
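The two paragraphs above describe the artifact a defender can hunt for: an app that already holds screen recording consent with an extra bundle planted inside it. The script below is an added example written for this page, not code from Jamf, Trend Micro, or TechCrunch. It (1) takes rows of the form `(service, client, auth_value)` as you would get from `SELECT service, client, auth_value FROM access` on the user's `TCC.db` (Big Sur schema; reading the real file needs Full Disk Access, so the rows here are constructed inline), keeps the clients granted `kTCCServiceScreenCapture`, and (2) walks each such app bundle and reports nested `.app` bundles, flagging any that sit outside the directories where helper apps normally live. The value `2` for "allowed", the allowlist of expected helper locations, and every bundle identifier other than Zoom's and Slack's are assumptions of this example and should be checked against the macOS build you are investigating.

```python
"""Hunt for nested app bundles inside apps that hold screen recording consent.

Added example for the XCSSET TCC-inheritance technique; not Jamf's code.
"""
import os
import plistlib
import tempfile

SCREEN_CAPTURE = "kTCCServiceScreenCapture"  # TCC service name for screen recording
ALLOWED = 2  # auth_value meaning "allowed" in the Big Sur TCC.db schema (assumption)

# Directories where a nested .app is normal (login items, plug-ins, helpers).
# This allowlist is a heuristic chosen for the example, not a Jamf rule.
EXPECTED_NESTED_DIRS = ("Contents/Library/LoginItems", "Contents/PlugIns",
                        "Contents/Helpers", "Contents/Frameworks")


def screen_capture_clients(rows):
    """Return the bundle identifiers granted screen recording, from TCC access rows."""
    return sorted({client for service, client, auth in rows
                   if service == SCREEN_CAPTURE and auth == ALLOWED})


def bundle_id(app_path):
    """Read CFBundleIdentifier from an app bundle's Info.plist (None if unreadable)."""
    info = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as f:
            return plistlib.load(f).get("CFBundleIdentifier")
    except (OSError, plistlib.InvalidFileException):
        return None


def nested_app_bundles(app_path):
    """List every .app nested inside app_path; flag ones outside expected helper dirs."""
    findings = []
    for dirpath, dirnames, _ in os.walk(app_path):
        for name in dirnames:
            if not name.endswith(".app"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, app_path)
            findings.append({
                "path": rel,
                "bundle_id": bundle_id(full),
                "suspicious": not rel.startswith(EXPECTED_NESTED_DIRS),
            })
    return findings


def index_applications(applications_dir):
    """Map CFBundleIdentifier -> path for the top-level .app bundles in a directory."""
    index = {}
    for name in os.listdir(applications_dir):
        if name.endswith(".app"):
            path = os.path.join(applications_dir, name)
            ident = bundle_id(path)
            if ident:
                index[ident] = path
    return index


def hunt(rows, applications_dir):
    """For each app holding screen capture consent, report nested bundles that would inherit it."""
    apps = index_applications(applications_dir)
    return {client: nested_app_bundles(apps[client])
            for client in screen_capture_clients(rows) if client in apps}


# Constructed TCC rows: Zoom and Slack allowed, one unrelated service, one denied client.
DEMO_TCC_ROWS = [
    (SCREEN_CAPTURE, "us.zoom.xos", ALLOWED),
    (SCREEN_CAPTURE, "com.tinyspeck.slackmacgap", ALLOWED),
    ("kTCCServiceMicrophone", "us.zoom.xos", ALLOWED),
    (SCREEN_CAPTURE, "com.example.denied", 0),
]


def build_demo_tree(root):
    """Constructed fixture: a Zoom-like donor app with a legitimate helper in
    Contents/Library/LoginItems and a planted bundle in Contents/MacOS, plus a clean Slack."""
    def make_app(path, ident):
        os.makedirs(os.path.join(path, "Contents", "MacOS"), exist_ok=True)
        with open(os.path.join(path, "Contents", "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleIdentifier": ident}, f)

    zoom = os.path.join(root, "zoom.us.app")
    make_app(zoom, "us.zoom.xos")
    make_app(os.path.join(zoom, "Contents", "Library", "LoginItems", "ZoomHelper.app"),
             "us.zoom.helper")  # hypothetical helper id
    make_app(os.path.join(zoom, "Contents", "MacOS", "planted.app"),
             "com.example.planted")  # hypothetical planted bundle
    make_app(os.path.join(root, "Slack.app"), "com.tinyspeck.slackmacgap")
    return root


def demo_report():
    """Run the hunt against the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(DEMO_TCC_ROWS, build_demo_tree(tmp))


if __name__ == "__main__":
    for app, nested in demo_report().items():
        for n in nested:
            flag = "SUSPICIOUS" if n["suspicious"] else "expected"
            print(f"{app}: {n['path']} ({n['bundle_id']}) {flag}")
```

On a real system, replace `DEMO_TCC_ROWS` with the rows queried from `TCC.db` and point `hunt` at `/Applications`; a nested bundle in a directory like `Contents/MacOS` of an app that holds screen recording consent is exactly the donor-riding layout the researchers describe, and its code signature should then be compared with the parent app's.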
The researchers said the malware used the permissions bypass "specifically for the purpose of taking screenshots of the user's desktop," but cautioned that the technique is not limited to screen recording. In other words, the same bug could have been used to access the victim's microphone or webcam, or to capture keystrokes such as passwords or credit card numbers.
It is not known how many Macs the malware may have infected using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was released as an update today.