The malware is still under active development, with more recent versions targeting Macs equipped with the newer M1 chip. Once installed on a victim's computer, the malware uses two zero-day exploits: one to harvest cookies from the Safari browser in order to gain access to the victim's online accounts, and another to silently install a development version of Safari, which lets the attackers modify and snoop on almost every website the victim visits. Jamf, however, says it found the malware taking screenshots of the victim's computer by exploiting a previously unknown third zero-day.
As TechCrunch reports:
Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission – such as accessing the microphone, webcam, or recording the screen – without ever getting consent. XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.”
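The capabilities described above (screen recording, microphone and webcam access without a consent prompt) are all gated by macOS TCC, whose grants live in an SQLite database. A practitioner's first check on a suspect Mac is therefore to enumerate which clients hold those grants and compare them with what was actually approved. The following audit script is an added example, not code from Jamf, Trend Micro, TechCrunch or the malware itself. It assumes the TCC database has an `access` table with columns `service`, `client`, `client_type` and `auth_value` (with 2 meaning "allowed"), which matches current macOS TCC.db as far as this script needs but is an assumption to verify against your OS version; the sample rows are constructed, and reading the real file requires Full Disk Access.

```python
"""Audit TCC grants for the services XCSSET is reported to reach without
consent (screen recording, microphone, camera).  Added example; not code
from Jamf, Trend Micro or the malware."""
import os
import sqlite3
from typing import Dict, List, Set, Tuple

# TCC service identifiers for the capabilities named in the article.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture": "screen recording",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceCamera": "camera",
}
AUTH_ALLOWED = 2  # auth_value meaning "allowed" (assumption about TCC.db layout)

# Real database locations on macOS (per-user and system-wide).
USER_TCC_DB = os.path.expanduser(
    "~/Library/Application Support/com.apple.TCC/TCC.db")
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

Grant = Tuple[str, str, str]  # (service label, client, client kind)


def sensitive_grants(conn: sqlite3.Connection) -> List[Grant]:
    """Return every allowed grant to a sensitive service, sorted for
    stable comparison.  client_type 0 is a bundle identifier, 1 a path."""
    placeholders = ",".join("?" for _ in SENSITIVE_SERVICES)
    rows = conn.execute(
        "SELECT service, client, client_type FROM access "
        f"WHERE auth_value = ? AND service IN ({placeholders})",
        (AUTH_ALLOWED, *SENSITIVE_SERVICES),
    ).fetchall()
    out: List[Grant] = []
    for service, client, client_type in rows:
        kind = "bundle id" if client_type == 0 else "path"
        out.append((SENSITIVE_SERVICES[service], client, kind))
    return sorted(out)


def unexpected_grants(conn: sqlite3.Connection,
                      allowlist: Dict[str, Set[str]]) -> List[Grant]:
    """Grants whose client is not on the admin-maintained allowlist for
    that service.  Anything listed here is either an unreviewed user
    approval or, as in the XCSSET case, a grant nobody consented to."""
    return [g for g in sensitive_grants(conn)
            if g[1] not in allowlist.get(g[0], set())]


def constructed_tcc_db() -> sqlite3.Connection:
    """In-memory database with a constructed, simplified `access` table
    (sample data, not a real capture) so the audit runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?)", [
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2),
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 0),          # denied
        ("kTCCServiceScreenCapture",
         "/Users/dev/Library/.x/agent.app", 1, 2),           # hypothetical
        ("kTCCServiceAccessibility", "com.example.helper", 0, 2),  # not audited
    ])
    return conn


if __name__ == "__main__":
    # Allowlist of clients the organisation expects to hold each grant.
    allow = {"screen recording": {"us.zoom.xos"}, "microphone": {"us.zoom.xos"}}
    conn = constructed_tcc_db()  # replace with sqlite3.connect(USER_TCC_DB)
    for label, client, kind in unexpected_grants(conn, allow):
        print(f"UNEXPECTED {label} grant to {client} ({kind})")
```

To run it against a real machine, swap the constructed connection for `sqlite3.connect(USER_TCC_DB)` (and the system database for grants made at the system level) from a terminal that has Full Disk Access; a path-type client living in a hidden directory under a user's home is exactly the kind of entry worth a closer look.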