Bitcoin Forum
Topic: XCSSET Malware: Leveraging Xcode projects to insert Malware
cryptomaniac_xxx (OP)
August 15, 2020, 09:04:28 AM
 #1

A new form of Mac malware called XCSSET is slowly making its way through Xcode, which is an IDE used on macOS to develop Apple-related software and is freely available. So if you are a macOS developer, you need to be very careful and read this.


Quote

"Presumably, these systems would be primarily used by developers," the team noted. "These Xcode projects have been modified such that upon building, these projects would run a malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system."

Below is a summary of the routines we have identified:

• Manipulates browser results
• Manipulates and replaces found bitcoin and other cryptocurrency addresses
• Replaces the Chrome download link with a link to an old version package
• Steals Google, Yandex, Amocrm, SIPmarket, Paypal, and Apple ID credentials
• Steals credit card data linked in the Apple Store
• Prevents the user from changing password but can also record the new password if it is changed
• Takes screenshots of certain accessed sites


You can read the paper here: https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf
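
As an added example (not part of the original post or the Trend Micro paper), here is a small audit a developer could run on a cloned project before building it: it lists every Run Script build phase in `project.pbxproj` and flags the ones worth reading first. The post does not say how the projects were modified, so the assumption here is that build-time code runs from a script build phase; the three heuristics and the sample project text are constructed for illustration and are not XCSSET indicators.

```python
import re

# Old-style plist string: shellScript = "..."; with backslash escapes inside.
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}

# Generic review heuristics (assumptions for this example, not XCSSET indicators).
HEURISTICS = {
    "hidden path": re.compile(r'(?:^|[\s/"\'])\.[A-Za-z0-9_]'),
    "xcuserdata": re.compile(r"xcuserdata"),
    "fetch piped to shell": re.compile(r"(?:curl|wget)[^\n|]*\|\s*(?:ba|z)?sh\b"),
}

def unescape(raw):
    """Decode the backslash escapes Xcode writes inside quoted plist strings."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), raw, flags=re.S)

def audit_pbxproj(text):
    """Return [(script, [reasons])] for every Run Script phase in a pbxproj."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        script = unescape(m.group(1))
        reasons = [name for name, rx in HEURISTICS.items() if rx.search(script)]
        findings.append((script, reasons))
    return findings

# Constructed sample, not taken from any real project.
SAMPLE = r'''
/* Begin PBXShellScriptBuildPhase section */
		AAAAAAAAAAAAAAAAAAAAAAAA /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
		};
		BBBBBBBBBBBBBBBBBBBBBBBB /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "sh \"${PROJECT_FILE_PATH}/xcuserdata/.helper/run.sh\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    for script, reasons in audit_pbxproj(SAMPLE):
        print("REVIEW" if reasons else "ok    ", reasons, repr(script))
```

An empty reasons list does not mean a script is safe; every build-phase script in a project from an untrusted source should be read before the first build.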