



Almost exactly a month ago, researchers revealed that a family of infamous malware exploited an unprecedented vulnerability that could bypass macOS’s security defenses and run unimpeded. Now, some of the same researchers say that another vulnerability could allow the malware to infiltrate a macOS system in a different way.

Jamf said it found evidence that the XCSSET malware was exploiting the vulnerability to access parts of macOS that normally require the user’s explicit consent, such as the microphone, the webcam, and screen recording.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically the Xcode projects they use to code and build apps. By infecting these app development projects, the malware gets developers to unknowingly distribute it to their users, which Trend Micro researchers describe as a “supply chain-like attack.” The malware is under continuous development, and recent variants also target Macs running Apple’s new M1 chip.

When the malware runs on a victim’s computer, it uses two zero-day exploits: one to steal cookies from the Safari browser in order to access the victim’s online accounts, and another to quietly install a development version of Safari, which lets the attackers modify or snoop on virtually any website.

However, Jamf states that the malware was also exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.

macOS is supposed to ask the user for permission before any app, malicious or otherwise, records the screen, accesses the microphone or webcam, or opens the user’s storage. However, the malware sneaked under the radar by inserting malicious code into a legitimate app, bypassing the permission prompt entirely.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner wrote in a blog post shared with TechCrunch that the malware searches the victim’s computer for other apps that are frequently granted screen-sharing permissions, such as Zoom, WhatsApp, and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” on the legitimate apps and inherit their permissions across macOS. The malware then signs the new app bundle with a new certificate to prevent it from being flagged by macOS’s built-in security defenses.
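One way a defender can look for this pattern is to cross-check which apps hold a screen-recording grant against the code signature each one is expected to carry, flagging granted bundles whose signer has changed. The following is an added example, not code from the article or from Jamf; it assumes a TCC database whose `access` table has `service`, `client`, `client_type` and `auth_value` columns (auth_value 2 meaning allowed), a constructed sample database, made-up bundle IDs and Team IDs, and a caller-supplied baseline of expected signers.

```python
"""Audit macOS screen-recording grants against a code-signing baseline.
Added example, not Jamf's or the article's code. Assumptions: the TCC
`access` table has service/client/client_type/auth_value columns with
auth_value 2 meaning allowed; baseline maps bundle ID -> (path, Team ID)."""
import re, sqlite3, subprocess

SCREEN_CAPTURE = "kTCCServiceScreenCapture"
ALLOWED = 2
# Constructed sample grants (bundle IDs are made up).
SAMPLE_GRANTS = [
    (SCREEN_CAPTURE, "com.example.meet", 0, ALLOWED),
    (SCREEN_CAPTURE, "com.example.chat", 0, ALLOWED),
    (SCREEN_CAPTURE, "com.example.notes", 0, 0),  # denied, ignored
]

def build_sample_db(path):
    """Write a minimal TCC-shaped sqlite file holding SAMPLE_GRANTS."""
    with sqlite3.connect(path) as db:
        db.execute("CREATE TABLE access (service TEXT, client TEXT, "
                   "client_type INTEGER, auth_value INTEGER)")
        db.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_GRANTS)

def screen_capture_grants(db_path):
    """Bundle IDs with an allowed screen-recording grant, sorted."""
    with sqlite3.connect(db_path) as db:
        rows = db.execute("SELECT client FROM access WHERE service = ? "
                          "AND auth_value = ?", (SCREEN_CAPTURE, ALLOWED))
        return sorted(r[0] for r in rows)

def codesign_team_id(bundle_path):
    """Team ID printed by `codesign -dv` (macOS only); None if absent."""
    out = subprocess.run(["codesign", "-dv", "--verbose=4", bundle_path],
                         capture_output=True, text=True).stderr
    m = re.search(r"^TeamIdentifier=(\S+)$", out, re.M)
    return m.group(1) if m else None

def audit(db_path, baseline, team_id_of=codesign_team_id):
    """Flag granted apps that are unknown or whose signer changed: a trusted
    app carrying injected code that was re-signed with a new certificate."""
    findings = []
    for bundle_id in screen_capture_grants(db_path):
        if bundle_id not in baseline:
            findings.append((bundle_id, "not in baseline"))
            continue
        path, expected = baseline[bundle_id]
        actual = team_id_of(path)
        if actual != expected:
            findings.append((bundle_id, f"signer {actual} != {expected}"))
    return findings
```

On a real Mac the system TCC database needs Full Disk Access to read, and `team_id_of` can be left at its default so `codesign` is queried for each granted bundle.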

Researchers said the malware used the permission prompt bypass “especially to take screenshots of users’ desktops,” but warned that it wasn’t limited to screen recordings. In other words, the same bug could have been used to access the victim’s microphone or webcam, or to capture keystrokes such as passwords and credit card numbers.

It is not clear how many Macs have been infected with malware using this technique. However, Apple has confirmed to TechCrunch that it fixed the bug in macOS 11.4, which is available as an update today.

