Malware Caught using a MacOS Zero-Day to Secretly Take Screenshots

Malware Caught using a MacOS Zero-Day to Secretly Take Screenshots

About a month ago, researchers revealed that a notorious malware family had exploited an unprecedented vulnerability that allowed it to bypass the macOS defense and run uninterrupted. Now, some of the same researchers have said that another malware could hit macOS systems for vulnerability. Jamf said it found evidence that XCSSET malware was using a vulnerability that allowed access to parts of macOS that needed permission – such as accessing a microphone or screen recording – without consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to create codes and applications. This app infects development projects, developers unknowingly distribute malware to their users, Trend Micro researchers have described as a “supply-chain-like attack”.

Malware Caught using a MacOS Zero-Day to Secretly Take Screenshots
Malware Caught using a MacOS Zero-Day to Secretly Take Screenshots

The malware continues to evolve, with the latest forms of malware targeting Macs with newer M1 chips. Once the malware has run into the victim’s computer, it uses two zero days – one to steal cookies from the Safari browser to gain access to the victim’s online account and the other to quietly install a development version of Safari, allow attackers to modify and snoop virtually any website. 

Jamf, however, said the malware was secretly wasting a third-zero day of investigation to take screenshots of the victim’s screens. MacOS is thought to have asked the user for permission before any application – malicious or otherwise – could record the screen, access the microphone or webcam, or open the user’s storage. Malware, however, injects malicious code into legitimate applications by hiding it under the radar and exceeding permissions. 

In a blog post shared with TechCrunch by Jim Bradley, Ferdous Saljooki, and Stuart Ashenbrenner, JAMF researchers explain that malware searches for other applications on a victim’s computer that often allow screen-sharing applications such as Zoom, WhatsApp, and Slack code. 

This allows the malicious code to “piggack” the legitimate app and inherits its permissions across Max. Then, to avoid being flagged by macOS internal security defenses, the malware signs a new application bundle with a new certificate. The researchers said the malware used “prompt bypasses of permissions specifically for the purpose of taking screenshots of the user’s desktop”, but warned that it was not limited to screen recordings. In other words, the bug can be used to access the victim’s microphone, webcam, or capture their keystrokes, such as passwords or credit card numbers.

Share This Post