In April, researchers announced that malware was exploiting a previously unknown vulnerability that allowed it to "bypass macOS security defenses and run unimpeded."
More recently, the same researchers found evidence that the XCSSET malware was exploiting another vulnerability to access parts of macOS that normally require permission. Hackers can access the microphone and the webcam and record the screen without authorization.
Trend Micro discovered the XCSSET malware in 2020 when it was used to target Apple developers, particularly the Xcode projects they use to code and build apps. Once the hackers had infected an app's development project, the developers unknowingly distributed the malware to their users.
XCSSET malware is continually being developed and recent variants target Macs running the newer M1 chip.
Once it has infected a computer, the malware uses one zero-day to steal cookies from the Safari browser in order to access the victim's online accounts. It uses a second zero-day to covertly install a development version of Safari so that the hackers can modify and spy on almost any website. It exploits a third zero-day to secretly take screenshots.
The malware bypasses the permission prompt that macOS normally sends before allowing apps to record the screen, access the microphone and webcam, or open the user's storage.
The malware also searches for and infects other apps on the victim's computer that are frequently granted screen-sharing permission, such as Zoom, WhatsApp, and Slack. The malware is then able to "piggyback" on the legitimate app and use its permissions across macOS. It even signs the new app bundle with a fresh certificate to avoid detection by macOS's built-in security checks.
According to the researchers who discovered the malware, the hackers are currently only using it to take screenshots of the victim's desktop. However, its capabilities would allow them to access the victim's microphone or webcam or capture keystrokes to steal passwords and credit card numbers.
Apple recently confirmed that it has fixed the bug that allowed the malware to infect devices in macOS 11.4. Apple made the patch available as an update in May 2021.
Source: Zack Whittaker, "Malware caught using a macOS zero-day to secretly take screenshots," techcrunch.com (May 24, 2021).