In our first blog post that covered XCSSET, we discussed its relatively unique danger to Xcode developers and the way it took advantage of two macOS vulnerabilities to maximize what it can take from an infected machine.
Our research into this incident is still ongoing, and in this blog post, we cover some other aspects of its behavior. The attached technical brief includes more details of our new findings, but to summarize, we found that:
- XCSSET is capable of taking advantage of the debug mode of other browsers, similar to the behavior seen with Safari;
- It also contains potential ransomware capabilities, although this has not been implemented
Source: Trend Micro