Posted on May 25, 2021 at 5:09 PM
Apple recently patched a zero-day vulnerability that enables threat actors to record video or take screenshots of the user’s screen. According to security researchers at Jamf, who first uncovered the flaw, the hackers circumvented Apple’s Transparency Consent en route to the attack.
The security team reiterated that the flaw may have been already exploited in the wide. As a result, it leaves the systems of affected users open to more attacks.
The vulnerability was discovered while Jamf was looking for a strain of Mac malware named XCSSET, which uses infected Xcode projects to target macOS developers.
According to the researchers, the flaw could enable a threat actor to seize permissions granted to other apps. For instance, a hacker can use a malicious app to hijack the Zoom app, which already has recoding permissions. They can then use it to record the user’s screen.
The XCSSET malware was first discovered last year by Trend Micro when it was seen targeting Apple developers.
But the impactful discovery can be traced back to March when researchers from SentinelOne discovered a new trojanized code library that installed the XCSSET surveillance malware on developer Macs.
Malware is piggybacking parent apps
In an interview, Jamf researcher Jaron Bradley stated that some developers design their apps with smaller applications installed within them. But threat actors are planting their malware to piggyback the parent apps.
As a result, the developers are unknowingly distributing the malware to their users since the projects have already been infected by the malware.
Trend Micro researchers called the malware process a “supply-chain-like attack” According to the researchers, the threat actors keep bringing up new strains of the malware regularly, with the more recent variants seen targeting Macs running the M1 chip.
The malware uses two zero-days when it starts running on the victim’s computer – the first being to access the victim’s online accounts by stealing cookies from the Safari browser. The second is to install a development version of Safari in the background, which enables the threat actors to modify almost any type of website.
Generally, the macOS should ask the user to allow permission before any app is allowed, whether malicious or not.
If the app wants to open the user’s storage, access the webcam or microphone, or record the screen, the user is asked for permission before any of these actions are executed. However, the malware circumvented the permissions prompt by hiding under the radar by infecting legitimate apps with malicious code.
Malware evades MacOs security defenses
According to Jamf researchers – Stuart Ashenbrenner, Ferdous Saljooki, and Jaron Bradley – the malware also searches for other apps on the victim’s computer. These apps, such as Slack, WhatApp, and Zoom, can also be bypassed without any permission asked.
Afterward, the malware tries to avoid being flagged by signing a new certificate on the new app bundle. This automatically evades the macOS built-in security defenses.
The permissions prompt bypass was used by the threat actors to take screenshots of the user’s desktop. Apart from such action, the malware can also carry out other activities on the victim’s computer, as it can be used to access their credit card numbers through keylogging.
The vulnerability has been patched
The researchers say the threat actors have already infected several Macs using the technique, but the actual numbers of victims are not known. However, Apple stated that the vulnerability in macOS 11.4 has been fixed and made available for users as an update.
The attack came in the form of malicious projects that the threat actor wrote for Xcode. An Xcode is a repository for information, resources, and all files required to build an app. Apple provides the tool for free for developers writing MacOS apps.
When any of the XCSSET projects are executed, the malicious code starts running on the developers’ Macs.
The flaw came from a logic error that enabled XCSSET to hit itself inside the directory of an installed app. This gave the malware the complete passage to inherit screenshot permissions and other privileges.