Jamf Blog
August 18, 2020 by Josh Stein

What is OSX.XCSSET malware and what should I do about it?

OSX.XCSSET is a novel piece of malware targeting macOS users, and its initial infection vector is unknown. Here's what you can do about it.

It’s time again for a new family of Mac-specific malware: XCSSet. Trend Micro wrote up a great report on its inner workings.

Let’s learn a bit more about it.

Discovery

OSX.XCSSET is a novel piece of malware targeting macOS users. Interestingly, Trend Micro discovered it within a developer’s Xcode project, highlighting its propensity for subverting developer environments. This allows it to spread easily by hitching a ride on a variety of legitimate software.

It’s good that the developer noticed the change in their code, or else we’d all be dealing with an infection that we didn’t even know existed.

So how does it get there?

Exploiting 0-days

While we still don’t know the full infection chain, we do know that XCSSet leverages two novel 0-day exploits to bypass security and privacy mechanisms. Of course, this story is still developing, so by the time you’re reading this, we may know more…

Our own Patrick Wardle succinctly explained the exploits via tweet: https://twitter.com/patrickwardle/status/1294168036975366145

This is pretty impressive. The malware leverages the SSH daemon’s default permission to access arbitrary files on your Mac’s disk to touch files that normally require user permission. By tricking SSH into accessing these files, XCSSet can silently grab Safari’s cookies. While it leverages this information primarily to get access to more of the system, it puts a variety of user information at risk as well.

The second exploit leverages a developer-specific tool. If the device doesn’t already have the SafariForWebKitDevelopment component installed, the malware goes and downloads it. With this, it can utilize Safari’s extensive capabilities without being hindered by the usual sandbox. By combining these exploits, XCSSet effectively has all the tools it needs to run arbitrary code and touch every file on the system, neatly sidestepping the strong defenses in macOS.

I think I’m infected; what kind of damage can this thing do?

XCSSet is quite versatile as far as malware goes. It allows for a variety of actions to be performed on the infected device by an attacker. These include:

  • Injecting malware code into local developer source repositories
  • Collecting Safari cookie data
  • Opening backdoors that masquerade as a variety of different browsers
  • Running arbitrary scripts (one such script has been observed to collect end-user login credentials and credit card details)
  • Updating itself, so the attacker can ensure all active installations have the latest capabilities

See more details on its capabilities at: https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf

IOCs (Indicators of Compromise)

Everyone is taking this threat very seriously. Apple released new XProtect signatures to identify the malware based on certain strings within the malware code:

    rule XProtect_MACOS_2070d41
    {
        meta:
            description = "MACOS.2070d41"
        strings:
            $a = "FasdUAS"
            $b1 = "curl --connect-timeout 10 -ks -d "
            $b2 = "/agent/log.php"
            $b3 = "X-Module: "
            $b4 = "X-User: "
        condition:
            $a at 0 and filesize < 100KB and all of ( $b* )
    }
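The rule's condition can also be evaluated without a YARA engine, for example to sweep local source repositories for matching compiled AppleScript files. The following is an added example, not Apple's or Jamf's code; the function names and the `SAMPLE` bytes are constructed for illustration, and only the strings and the size limit come from the rule above.

```python
from __future__ import annotations

import sys
from pathlib import Path

MAGIC = b"FasdUAS"            # $a: must sit at offset 0 (compiled AppleScript)
MAX_SIZE = 100 * 1024         # filesize < 100KB (YARA's KB is 1024 bytes)
REQUIRED = (                  # $b1..$b4: every one must be present
    b"curl --connect-timeout 10 -ks -d ",
    b"/agent/log.php",
    b"X-Module: ",
    b"X-User: ",
)
# Constructed sample (not real malware): the header followed by the four strings.
SAMPLE = MAGIC + b"\x00".join(REQUIRED)


def matches_rule(data: bytes) -> bool:
    """True when data satisfies: $a at 0 and filesize < 100KB and all of ($b*)."""
    return (
        data.startswith(MAGIC)
        and len(data) < MAX_SIZE
        and all(s in data for s in REQUIRED)
    )


def scan_tree(root: Path) -> list[Path]:
    """Return files under root that satisfy the rule; unreadable files are skipped."""
    hits = []
    for path in sorted(root.rglob("*")):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size >= MAX_SIZE:
                continue  # size gate first, so large files are never read
            data = path.read_bytes()
        except OSError:
            continue
        if matches_rule(data):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(hit)
```

A match only means the file meets this one signature; variants that change any of the four strings will not be reported.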

Hashes for specific known variants and known command-and-control IPs have also been reported by Trend Micro (source: https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf).

For Jamf Protect customers, the known hashes have been added to the threat prevention database as variants have been identified, while both novel 0-day exploits are now covered by specific Analytics to catch unknown variations of XCSSet.

What should I do to keep my devices safe?

Apple updated XProtect on July 13th to cover this specific malware (XProtect 2126; current is 2128). If your devices have updated their XProtect signatures, known variants should be stopped. If you are a Jamf Protect customer, you can find which devices have an out-of-date XProtect in Insights in the Jamf Protect console.

For any devices that have not received this XProtect update, please ensure that they are configured to “Install system data files and security updates” in macOS’ Software Update configuration. Jamf Pro can help push that setting out to vulnerable devices.
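The two checks above can be scripted for a single Mac. This is an added example, not Jamf's or Apple's code: it assumes the macOS 10.15 XProtect bundle path, that the version is stored in `CFBundleShortVersionString`, and that the Software Update setting is backed by the `ConfigDataInstall` and `CriticalUpdateInstall` preference keys; the sample plists are constructed.

```python
import plistlib
from pathlib import Path

MIN_XPROTECT = 2126  # version the article says added XCSSET coverage
# Assumed locations (macOS 10.15; older releases keep the bundle under
# /System/Library/CoreServices instead).
XPROTECT_INFO = Path("/Library/Apple/System/Library/CoreServices/"
                     "XProtect.bundle/Contents/Info.plist")
SU_PREFS = Path("/Library/Preferences/com.apple.SoftwareUpdate.plist")
# Assumed keys behind "Install system data files and security updates".
SU_KEYS = ("ConfigDataInstall", "CriticalUpdateInstall")

# Constructed sample plists (not taken from a real device).
SAMPLE_INFO = plistlib.dumps({"CFBundleShortVersionString": "2121"})
SAMPLE_PREFS = plistlib.dumps({"ConfigDataInstall": True,
                               "CriticalUpdateInstall": False})


def audit(info_plist: bytes, su_plist: bytes) -> list:
    """Return findings for an old XProtect or disabled data-file updates."""
    findings = []
    info = plistlib.loads(info_plist)
    raw = str(info.get("CFBundleShortVersionString", ""))
    if not raw.isdigit():
        findings.append(f"XProtect version unreadable: {raw!r}")
    elif int(raw) < MIN_XPROTECT:
        findings.append(f"XProtect {raw} is older than {MIN_XPROTECT}")
    prefs = plistlib.loads(su_plist)
    for key in SU_KEYS:
        value = prefs.get(key)
        # An absent key is not reported: the OS default then applies.
        if value is not None and not value:
            findings.append(f"{key} is disabled")
    return findings


if __name__ == "__main__":
    try:
        results = audit(XPROTECT_INFO.read_bytes(), SU_PREFS.read_bytes())
    except (OSError, plistlib.InvalidFileException) as exc:
        results = [f"could not read plists: {exc}"]
    print("\n".join(results) if results else "OK")
```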

Ensure your security tools have been updated to include this new threat. This should include new behavioral indicators, as appropriate, to catch new variants and copycats of the techniques utilized in this malware. As we already detailed above, Jamf Protect will prevent known variants of XCSSet and detect unknown threats using the tactics discovered in these new 0-day exploits.

Our threat research team is actively monitoring these developments and adding new analytics as we find better ways to detect this new family of malware.

Josh Stein
Jamf
Josh Stein is the director of product strategy for Jamf Protect.
Other authors:
Matthias Wollnik