XCSSET Mac Malware Designed To Steal Cryptocurrency Can Now Infect Apple M1 Systems

[Image: Apple MacBook Air with M1 Silicon]
No platform is 100 percent secure, and lest anyone need reminding of that, a Mac malware campaign with Xcode developers in its sights has been modified to infect systems outfitted with Apple's fancy new M1 silicon. The end goal of this particular malware is to rob Mac users of their cryptocurrencies by stealing login information related to cryptocurrency apps.

The malware is called XCSSET, and it gained prominence in August 2020, when Trend Micro warned of its existence.

"This scenario is quite unusual; in this case, malicious code is injected into local Xcode projects so that when the project is built, the malicious code is run. This poses a risk for Xcode developers in particular. The threat escalates since we have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects," Trend Micro wrote at the time.

Xcode is Apple's integrated development environment (IDE) for macOS, which developers use to make apps for Mac systems, iOS devices, and various other Apple products. XCSSET spreads by modifying Xcode projects so that the malicious payload executes when the project is built. On an infected system, XCSSET has various capabilities, such as taking screenshots, stealing login details, swiping user data from apps, and more.

Last month, security researchers at Kaspersky found a new strain of XCSSET designed to infiltrate Apple M1 systems. This means the culprits are conducting an ongoing and evolving campaign, and are finding ways to natively infect Apple's latest silicon. At the time, there was no mention of the malware taking aim at cryptocurrency theft.

[Image: XCSSET malware setup. Credit: Trend Micro]

That has now changed. In a recent blog post, Trend Micro says XCSSET has adapted itself to work on both ARM64 and x86_64 Macs, with an eye towards cryptocurrency.

"For cryptocurrency trading platform Huobi, the malware not only steals account information but is now able to replace the address in a user’s cryptocurrency wallet—a new feature that did not exist in the previous version," Trend Micro says.

That's not really surprising, given the continued interest in cryptocurrency. It's only going to get bigger, with PayPal today having announced that its more than 70 million Venmo users can now buy, sell, and hold onto Bitcoin, Ethereum, Litecoin, and Bitcoin Cash right from within the Venmo app.

So what can Mac users do? Trend Micro's advice is to "only download apps from official and legitimate marketplaces." And of course it recommends a multi-layered security solution, including the use of its own security software.