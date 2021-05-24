



A malicious hacker is exploiting a completely updated version of a vulnerability in macOS that allows you to take screenshots on an infected Mac without first obtaining the victim’s permission.

The zero-day attack was exploited by XCSSET, a malware discovered by security firm Trend Micro last August. XCSSET used two zero-day attacks of the time to infect Mac developers with browser cookie and file-stealing malware. Injected a backdoor into the website. Stealing information from Skype, Telegram, and other installed apps. I took a screenshot. Viewed encrypted files and ransom notes.

Third zero day

The infection occurred in the form of a malicious project created by an attacker for Xcode. Xcode is a free tool available to Apple for developers creating apps for macOS or other Apple OS. According to Trend Micro, malicious code runs on the developer’s Mac as soon as one of the XCSSET projects is opened and built. An Xcode project is a repository of all the files, resources, and information you need to build your app.

In March, SentinelOne researchers discovered a new Trojanized code library that installs XCSSET surveillance malware on developers’ Macs.

On Monday, researchers at Jamf, a security provider for Apple enterprise users, said XCSSET is exploiting a zero-day that wasn’t detected until recently. This vulnerability exists in the Transparency Consent and Control framework and is explicit before installed apps gain system privileges to access hard drives, microphones, cameras and other privacy and security sensitive resources. User privileges are required.

XCSSET exploited this vulnerability and was able to bypass TCC protection and take screenshots without the need for user permission. Apple fixed CVE-2021-30713 (because the vulnerability has been tracked) in the release of macOS 11.4 on Monday.

The vulnerability was the result of a logical error that allowed XCSSET to hide in the directory of installed apps that already have permission to take screenshots. This exploit allowed the malware to inherit screenshot permissions and other privileges controlled by the TCC.

Piggyback on the parent app

In an interview, Jamf researcher Jaron Bradley said that some developers are designing applications with small applications inside. This is not unheard of. However, there seems to be a bug in the operating system logic as to how TCC privileges are handled in such situations.

To find out which apps XCSSET could piggyback on, the malware checked screen capture permissions from the list of installed applications.

As expected, Bradley wrote in a post that the list of target application IDs is all applications that users regularly grant screen sharing privileges as part of their normal operation. The malware then uses the command line-based version of Spotlight with the following mdfind command to see if the appID is installed on the victim’s device.

In the post, I explained how the AppleScript flow that caused the exploit worked.

The XCSSET AppleScript screenshot module is downloaded (in the ~ / Library / Caches / GameKit folder) from the malware author’s command and control (C2) server. Using the osacompile command, the screenshot module is converted to an AppleScript-based application called avatarde.app. When AppleScript is compiled this way, an executable file called an applet is placed in the newly created application bundle / Contents / MacOS / directory, and the script that the applet runs is in /Contents/Resources/Scripts/main.scpt. There is. Then the newly created Info.plist is modified by the plutil binary and the configuration setting LSUIElement is changed to true. This allows you to run your application as a background process and hide its presence from users. Then a blank icon is downloaded and applied to your application. Finally, the newly created application is placed inside an existing donor application using the following code.

For example, if the virtual conferencing application zoom.us.app is found on the system, the malware deploys itself as follows:

/Applications/zoom.us.app/Contents/MacOS/avatarde.app

If the victim’s computer is running macOS 11 or later, sign the avatar application using an ad hoc signature, or a signature signed by the computer itself.

Once all the files are in place, the custom application piggybacks from the parent application (Zoom in the example above). This means that malicious applications can take screenshots and record screens without the explicit consent of the user. It fully inherits these TCC permissions from the Zoom parent app. This represents a significant privacy concern for end users.

During Jamfs testing, it was discovered that this vulnerability was not limited to screen recording permissions. Multiple different permissions already provided to the donor application can be transferred to a maliciously crafted app.

As Apple has fixed this vulnerability, TCC works as Apple intended and a dialog message asking the user to open System Preferences to allow the app or click the veto button that appears in the pop-up. It is displayed.

XCSSET can’t infect your Mac unless you’re running a malicious Xcode project. This means that people are unlikely to get infected unless they are the developers who used one of the projects. Jamf’s post provides an infringement list indicator that you can use to determine if you have been infected.

