XCSSET Malware targets macOS by infecting Xcode developer projects

The entry point of XCSSET malware is still unknown to researchers.

The entry point of XCSSET malware is still unknown to researchers.


Newly discovered malware by Trend Micro targets the macOS system by spreading via Xcode developer projects. Researchers explain the exploit as ‘two zero-day vulnerabilities’ wherein, the first one steals cookies through a flaw in the data vaults behavior and the second one abuses the development version of the Safari browser.

The malware named XCSSET has the ability to steal sensitive information and also launch ransomware attacks. It does this by abusing pre-installed Safari and other browsers to steal victims’ data.

Threat actors through this can easily access information from popular applications such as Skype, Evernote, WeChat, and Telegram. Not only this, but the exploit can take screenshots and also upload files from the compromised systems to the hacker’s selected server.

Furthermore, XCSSET is capable of encrypting files and showcase ransom notes if given the command. But this is just the tip of the iceberg.

See: FBI and NSA expose Russian State hacking tool for Linux systems

Another interesting aspect regarding XCSSET is that it can launch universal cross-site scripting (UXSS) attacks by injecting JavaScript code into the websites browsed by the target.


This means it can modify users’ entire web browsing experience and steal confidential information, giving the assailant the opportunity to replace cryptocurrency addresses, access payment card info from Apple store, Google, and PayPal amongst others.

The malware can also block victims from changing passwords and steal newly changed credentials. Trend Micro terms this case as ‘unusual.’

Pertaining to the fact that the malicious Trojan is injected via the Xcode project- an integrated development environment developed by Apple for macOS.  The infected Xcode projects, which when built and executed runs the malicious code with it.

The problem further intensifies when compromised projects are shared on GitHub which ensues a ripple-like effect termed by cybersecurity researchers as ‘supply chain like attack’. Affirming this, the cybersecurity solutions company found two Xcode projects infected with Malware on July 13 and 31 respectively.

See: Hackers manipulating Google searches to spread nasty Mac malware

It is noteworthy that the researchers at Trend Micro couldn’t exactly pinpoint how XCSSET actually enters the system. In a blog post, the company stated that;

‘It is not yet clear how the threat initially enters these systems. Presumably, these systems would be primarily used by developers. These Xcode projects have been modified such that upon building, these projects would run malicious code.’


Irrefutably, the code is connivingly clever usually because developers are unaware of the malicious trojan and thus obliviously distributing it to wreak havoc:

‘Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files.’

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts