By the time Apple patched a zero-day vulnerability in macOS 11.4 that bypasses the Transparency, Consent, and Control (TCC) framework, the bug was already being exploited in the wild by the XCSSET malware.
Jamf researchers dissecting the malware and its exploits uncovered the bypass, which lets an attacker hijack permissions an application has already been granted, such as access to the webcam and microphone used in virtual meetings. The researchers had first noticed a substantial increase in the number of XCSSET variants in circulation.
In this case, XCSSET actors were taking screenshots of user desktops, with no additional permissions required. Jaron Bradley, manager of macOS detections at Jamf, said in a Tuesday blog post that the bypass could expose any personal information users have stored on their desktops, and that an attacker could also record the screen or gain camera access without the user ever being prompted.
Bradley said the exploit “is a local exploit that allowed the malware to take pictures of the victim’s screen without requiring approval from the user. It would do this by placing a malicious screen capture application within the folder of an existing application that already held the permissions to do so.”
The malware is written in AppleScript, which makes it easier for attackers to drive script-enabled Mac apps.
“Much of the time, the malware author leverages AppleScript in their attack chain due to the way it handles many bash commands, even downloading and/or executing Python scripts in an effort to obfuscate their intentions through a confusing use of various scripting languages,” Bradley noted in the blog post.
He called out one of the malware's most noteworthy features: it was already reported to be using two zero-day exploits. The first was used to steal Safari browser cookies, which are safeguarded by System Integrity Protection. “The second was used to bypass prompts in order to install a developer version of the Safari application,” the blog noted. But a deeper dive showed the malware had also been exploiting a third zero-day to get around Apple’s TCC framework.
While analyzing the malware, Jamf’s Protect detection team discovered an AppleScript module named “screen_sim.applescript” containing a check called “verifyCapturePermissions.” The check takes an application ID as its argument, drawn from an earlier list of candidate app IDs the script calls “donorsApps.”
“By looking at the log comment alone, it seems as though the malicious AppleScript is searching for an application that has permissions to capture a screenshot,” the researchers wrote. “Not only that, but it celebrates upon successfully locating such an app.”
All of the targeted app IDs belong to apps to which users routinely grant screen-recording permission in order to share their screen. Using the mdfind command, the command-line interface to Spotlight, the malware checks whether any of those app IDs are present on the victim’s device.
If one is, “the command returns the path to the installed application,” and the malware uses that path to build a custom AppleScript application, which it then injects into the installed donor application’s bundle.
Once the files are in place, the custom application piggybacks on the parent application’s permissions. “This means that the malicious application can take screenshots or record the screen without needing explicit consent from the user,” the Jamf blog said.
Researchers found the vulnerability wasn’t confined to screen-recording permissions: any of the multiple permissions already granted to the donor application can be inherited by the malicious app.
Bradley said the malware authors’ primary objective “isn’t 100% known” at this point. “The backdoor is built with a number of different capabilities,” he said, but their interest seems to be varied. “Some are designed to spy on the user, some focus on the theft of personal files and some focus on ransomware functionality.”
Security and IT teams should be on the lookout for suspicious updates to well-known app bundles, Bradley said. And, of course, he repeated a familiar refrain. “First and foremost, prioritize patching to eliminate the risk as soon as an update is available,” he said.
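The donor technique described above, and the advice to watch well-known app bundles for suspicious changes, both translate into a concrete hunt: enumerate which bundles the TCC database already allows to record the screen, resolve them to paths the same way the malware does (mdfind), and then look inside each donor bundle for a foreign .app and for a broken code-signature seal. The script below is an added example written for this page, not Jamf's or Apple's code. It assumes the macOS 11 TCC.db layout (an `access` table with `service`, `client`, `client_type` and `auth_value` columns, where `auth_value` 2 means allowed) and that reading the system TCC.db is done from a process with Full Disk Access; the `build_demo` fixture, the bundle ID `com.example.donor` and the `Helper.app` drop-in are constructed so the audit can be run offline.

```python
"""Added example (not Jamf's or Apple's code): list the bundles TCC allows to capture the
screen and look for foreign .app bundles riding inside them, the on-disk footprint the
XCSSET donor technique leaves behind."""
import os
import pathlib
import shutil
import sqlite3
import subprocess
import tempfile

# System-wide TCC database; reading it requires Full Disk Access.
TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
SCREEN_CAPTURE = "kTCCServiceScreenCapture"
ALLOWED = 2  # assumption: auth_value 2 == allowed in the macOS 11 'access' table


def screen_capture_grants(db_path=TCC_DB):
    """Clients (bundle IDs, or paths when client_type is 1) allowed to record the screen.
    Assumes the macOS 11 schema: access(service, client, client_type, auth_value)."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only, never mutate TCC.db
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT client FROM access WHERE service = ? AND auth_value = ?",
            (SCREEN_CAPTURE, ALLOWED)).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def resolve_bundle(bundle_id):
    """Bundle ID -> installed .app paths via Spotlight, the same mdfind lookup the malware runs.
    Returns [] where mdfind does not exist (non-macOS hosts)."""
    if shutil.which("mdfind") is None:
        return []
    out = subprocess.run(["mdfind", f"kMDItemCFBundleIdentifier == '{bundle_id}'"],
                         capture_output=True, text=True, check=False).stdout
    return [p for p in out.splitlines() if p.endswith(".app")]


def nested_bundles(app_path):
    """Every .app bundle below the donor's top level. Vendors do ship helper apps, so these
    are leads, not verdicts; the signature check decides whether one is a drop-in."""
    hits = []
    for root, dirs, _ in os.walk(app_path):
        hits += [os.path.join(root, d) for d in dirs if d.endswith(".app")]
    return sorted(hits)


def signature_intact(app_path):
    """True/False from `codesign --verify --deep --strict`; None when codesign is absent.
    An app dropped into a sealed bundle surfaces here as a verification failure."""
    if shutil.which("codesign") is None:
        return None
    rc = subprocess.run(["codesign", "--verify", "--deep", "--strict", app_path],
                        capture_output=True, check=False).returncode
    return rc == 0


def audit(db_path=TCC_DB, resolver=resolve_bundle):
    """One finding per installed bundle that holds a screen-capture grant."""
    findings = []
    for client in screen_capture_grants(db_path):
        paths = [client] if client.endswith(".app") else resolver(client)
        for p in paths:
            if os.path.isdir(p):
                findings.append({"path": p, "nested_apps": nested_bundles(p),
                                 "signature_intact": signature_intact(p)})
    return findings


def build_demo(root):
    """Constructed fixture, not real data: a fake TCC.db granting screen capture to
    com.example.donor, and a Donor.app with a dropped-in Helper.app under Contents/MacOS."""
    donor = os.path.join(root, "Donor.app")
    os.makedirs(os.path.join(donor, "Contents", "MacOS", "Helper.app", "Contents", "MacOS"))
    db = os.path.join(root, "TCC.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    con.execute("INSERT INTO access VALUES (?, 'com.example.donor', 0, ?)", (SCREEN_CAPTURE, ALLOWED))
    con.execute("INSERT INTO access VALUES (?, 'com.example.denied', 0, 0)", (SCREEN_CAPTURE,))
    con.commit()
    con.close()
    return db, donor


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db, donor = build_demo(tmp)
        # Offline demo: map the fake bundle ID to the fixture path instead of asking Spotlight.
        for f in audit(db, resolver=lambda bid: [donor] if bid == "com.example.donor" else []):
            verdict = "SUSPECT" if f["nested_apps"] or f["signature_intact"] is False else "ok"
            print(verdict, f["path"], f["nested_apps"], f["signature_intact"])
```

On a real Mac, run `audit()` with the defaults from a terminal that has Full Disk Access; a bundle that reports a nested .app and `signature_intact == False` is exactly the pattern Bradley describes, a capture-capable donor carrying code its vendor never signed. Nested helper apps on their own are normal, which is why the verdict leans on the `codesign --deep --strict` result rather than on the directory walk alone.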