macOS Zero-Day Exploited: Malware Steals Screenshots

New macOS Vulnerability Exploited by XCSSET Malware
Approximately one month ago, security researchers disclosed a previously unknown vulnerability being exploited by a significant malware family. This flaw allowed the malware to circumvent standard macOS security protocols and operate without restriction.
Now, the same research team reports that another malware strain is capable of infiltrating macOS systems, leveraging a separate vulnerability.
XCSSET Malware and Unauthorized Access
Jamf has identified evidence indicating that the XCSSET malware was exploiting a vulnerability granting it access to sensitive macOS functionalities. This included accessing the microphone, webcam, and screen recording capabilities, all without obtaining user consent.
Initially discovered by Trend Micro in 2020, XCSSET primarily targeted Apple developers and their Xcode projects—the tools used for app coding and development.
By compromising these development projects, the malware could be unknowingly distributed to end-users, constituting a “supply-chain-like attack” as described by Trend Micro researchers.
The malware continues to evolve, with recent iterations also targeting Macs equipped with the newer M1 chip.
Zero-Day Exploits and Stealthy Operation
Once executed on a compromised system, XCSSET utilizes multiple zero-day vulnerabilities. These include one for stealing cookies from the Safari browser, granting access to online accounts, and another for installing a development version of Safari.
This allows attackers to modify and monitor virtually any website visited by the user.
Jamf’s findings reveal a third, previously unknown zero-day vulnerability exploited by the malware to secretly capture screenshots of the victim’s screen.
macOS typically requires explicit user permission before allowing applications to record the screen, access audio/video input, or access user storage.
Bypassing Security Measures
However, XCSSET bypassed these permission prompts by injecting malicious code into legitimate applications.
Researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner of Jamf detailed in a blog post that the malware identifies applications frequently granted screen-sharing permissions—such as Zoom, WhatsApp, and Slack.
It then injects malicious screen recording code into these apps, effectively “piggybacking” on their existing permissions within macOS.
To evade macOS’s built-in security defenses, the malware subsequently signs the modified app bundle with a new certificate.
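A defender-side check for the re-signing step described above, added here as an example and not code from Jamf, Apple or the original article: it parses the report of the real `codesign -dv --verbose=4` tool (macOS prints it on stderr) and compares the Team ID and certificate chain of an app that holds a Screen Recording grant against a baseline. The bundle id, Team ID and report text are constructed, and the baseline is assumed to come from the defender's own earlier inventory of granted apps.

```python
# Added example (not Jamf's or Apple's code): audit an app holding a Screen Recording grant
# for re-signing, using a defender-kept baseline of bundle id -> Team ID. Samples are constructed.
import subprocess
from dataclasses import dataclass, field

@dataclass
class SigInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)

def parse_codesign(report: str) -> SigInfo:
    """Pull the Identifier=, TeamIdentifier= and Authority= lines out of a codesign report."""
    info = SigInfo()
    for line in report.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info

def audit_signature(sig: SigInfo, baseline: dict) -> list:
    """Findings: Team ID drift from the baseline, or a certificate chain not rooted at Apple."""
    findings = []
    expected = baseline.get(sig.identifier)
    if expected is None:
        findings.append(f"no baseline entry for {sig.identifier or '<unknown>'}")
    elif sig.team_id != expected:
        findings.append(f"Team ID changed from {expected} to {sig.team_id}")
    if "Apple Root CA" not in sig.authorities:
        findings.append("certificate chain does not end at Apple Root CA")
    return findings

def audit_app(app_path: str, baseline: dict) -> list:
    """Live check on macOS: run codesign on the bundle (report is on stderr) and audit it."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path], capture_output=True, text=True)
    return audit_signature(parse_codesign(proc.stderr), baseline)

# Constructed reports: a vendor-signed bundle, then the same bundle after being re-signed.
BASELINE = {"com.example.chat": "EXAMPLE123"}
REPORT_VENDOR = ("Identifier=com.example.chat\nTeamIdentifier=EXAMPLE123\n"
                 "Authority=Developer ID Application: Example Corp (EXAMPLE123)\n"
                 "Authority=Developer ID Certification Authority\nAuthority=Apple Root CA\n")
REPORT_RESIGNED = "Identifier=com.example.chat\nTeamIdentifier=not set\nAuthority=Example Self-Signed\n"
```

On a real host, `audit_app("/Applications/SomeApp.app", BASELINE)` runs the same checks against the live signature; a non-empty result on an app that holds a screen-capture grant is worth an analyst's look.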
Potential for Broader Exploitation
The researchers emphasize that while the permission bypass was specifically used for screen capture, the vulnerability wasn’t limited to this function.
The same flaw could potentially be exploited to access the microphone, webcam, or capture sensitive user input like passwords and credit card details.
The extent of the malware’s impact remains unclear, but Apple has confirmed a fix for this vulnerability was included in the macOS 11.4 update, released today.