Mac Malware ‘XCSSET’ Adapted for Devices With M1 Chips
An increasing number of Mac malware developers have started creating variants that are specifically designed to run on devices powered by Apple’s M1 chip.
Apple unveiled its M1 system-on-chip in November 2020 and the first malware created specifically for systems with the arm64 CPU architecture used by the M1 was apparently created in December. This was a variant of Pirrit, a piece of adware that has been around for several years.
A few days after the existence of this Pirrit variant came to light, managed detection and response firm Red Canary reported identifying a mysterious piece of Mac malware that had infected tens of thousands of devices around the world. This malware, named Silver Sparrow, also had a variant specifically designed for M1 systems.
Kaspersky reported on Friday that it too has spotted a piece of malware with a variant compiled for devices with M1 chips, specifically a variant of the malware known as XCSSET.
XCSSET is a mysterious piece of malware first detailed by Trend Micro and Mac security company Intego in August 2020. It does not appear to have been linked to any known threat group or activity, but a majority of infections spotted at the time were in China and India.
The malware is designed to allow its operator to launch ransomware attacks (i.e. encrypt files and display a ransom note), and steal information from infected devices, including data associated with the Evernote, Skype, Notes, QQ, WeChat, and Telegram apps.
XCSSET spreads through code injected into projects for Xcode, Apple’s integrated development environment. The payload is executed when the project is built.
Kaspersky has seen an XCSSET sample compiled for the arm64 architecture. This sample was uploaded to the VirusTotal malware analysis service on February 24, which has led the company’s researchers to believe that the campaign is likely still ongoing.
Kaspersky noted that in many cases Mac malware is delivered in the Mach-O format, which includes the malicious code compiled for several architectures — depending on what type of device the malware lands on, the code corresponding to that architecture is executed.
“With the new M1 chip, Apple has certainly pushed its performance and energy saving limits on Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture,” Kaspersky researchers wrote in a blog post.
They added, “We have observed various attempts to port executables not just among typical adware such as Pirrit or Bnodlero samples, but also among malicious packages, such as the Silver Sparrow threat and XCSSET downloadable malicious modules. This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips.”