In our first blog post that covered XCSSET, we discussed its relatively unique danger to Xcode developers and the way it took advantage of two macOS vulnerabilities to maximize what it can take from an infected machine.
Our research into this incident is still ongoing, and in this blog post, we cover some other aspects of its behavior. The attached technical brief includes more details of our new findings, but to summarize, we found that:
- XCSSET is capable of taking advantage of the debug mode of other browsers, similar to the behavior seen with Safari;
- It also contains potential ransomware capabilities, although this has not been implemented
Remote Debug Mode for Other Browsers
While the XCSSET specifically focused on Safari, it also included other modules that targeted other browsers. The underlying behavior is similar to the other browsers — it allows these browsers to run in a debugging/developer mode, which hijacks the browsers and perform Universal Cross-site Scripting (UXSS) attacks.
The following is a list of affected browsers (aside from Safari):
- Brave
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Opera
- Qihoo 360 Browser
- Yandex Browser
While XCSSET is limited to the Mac platform, the underlying behavior is present in other browsers as well. A similar attack on Windows could have a similar effect.
The best way to defend against this attack would be to limit access to the debugging mode, perhaps via some sort of password authentication. Alternately, the user should receive a notice if a remote debugger is connecting to the browser. Of the browsers above, Firefox notably does this as part of its default configuration, as seen below:
Inactive Ransomware Features
In the process of looking into the command-and-control server of XCSSET, we found additional modules that could be loaded by XCSSET. While the full details of these modules are in the technical brief, the most noteworthy module is one that does not appear to be functional, even if it was loaded: a ransomware module.
We consider this module non-functional because the line for actually carrying out encryption has been commented out:
The attacker’s reason for doing this is unclear. Based on the code analysis, it encrypts all files on the desktop, the Documents folder, and the Downloads folder (so long as they are under 500 MB). According to the ransom note, the ransom is for 0.5 BTC, or approximately US$5,700.
Trend Micro Solutions
To protect systems from this type of threat, users should only download apps from official and legitimate marketplaces. Users can also consider multilayered security solutions such as Trend Micro Maximum Security, which provides comprehensive security and multidevice protection against cyberthreats.
Enterprises can take advantage of Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity or endpoint.
Indicators of compromise may be found in the preceding entry discussing XCSSET.