Malware Exploits Zero-Day Vulnerability to Capture Screenshots on Macs

Security researchers have discovered that malware that has been around since 2020 is now abusing zero-day vulnerabilities in macOS to take control of the media recording capabilities of macOS systems.

The malware in question is named XCSSET and was first discovered by researchers working with Trend Micro about a year ago. The developers behind XCSSET initially targeted Xcode developers and managed to set up a supply chain attack vector, with legitimate developers sometimes unknowingly distributing apps already infected with XCSSET.

The bad actors developing XCSSET are continually updating and improving the malware's capabilities, as evidenced by recent XCSSET infections on systems running Apple's new M1 SoC.

Once deployed on a victim's system, XCSSET has the ability to exfiltrate browser cookies, stealing login credentials in the process. The malware can also silently install a modified, in-development version of Safari, which allows the bad actors running XCSSET to snoop on the user unhindered. Both of those malicious capabilities exploited zero-day vulnerabilities.

The most recent capability added to XCSSET is taking screenshots of whatever is displayed on the infected system's screen. This is achieved by exploiting yet another zero-day vulnerability. Apple has already fixed that vulnerability with a patch released in late May 2021.

To silently capture and transmit screenshots of the victim's display, XCSSET behaved much as it had in the past. The malware would inject malicious code into legitimate applications and in this way bypass the stringent macOS security controls on recording media on the user's system. Even though macOS asks for explicit permission before recording audio or video or taking screen grabs, the zero-day allowed XCSSET to bypass this confirmation prompt that normally requires user input.

XCSSET would commonly abuse messaging applications used for video calls, which are routinely granted screen-sharing permissions in everyday use. Those include apps such as Slack, WhatsApp and Zoom. The malicious code injected by the malware would abuse the legitimate privileges granted to these normal apps and inherit them on a system-wide level.

Once that had been accomplished, XCSSET would also re-sign the newly created app bundle with a new certificate, in order to avoid tripping the built-in macOS defense mechanisms that prevent unsigned code from executing.

Even though XCSSET specifically used the now-patched zero-day vulnerability to grab screenshots, the loophole could potentially have been used for recording audio and video as well. Keystroke logging, which is inherently linked to stealing not just passwords but also banking and credit card information, was also potentially exploitable through it.

May 26, 2021