Remove XCSSET malware
The XCSSET malware is recently been detected to exploit the Xcode projects that leads to a rabbit hole of malicious payloads. As per the reports of Trend Micro, the malware targets the web browsers like Safari to steal various types of user data.
While analysis, the Security researchers found an unusual bugs in the developer’s project. This may also contain two zero-day vulnerabilities. Unlike usual malware that spreads directly via phishing attempts, the XCSSET make its way to the Xcode project framework. After which, it may deliver the malware using supply chain-like attacks.
Xcode is a free IDE (integrated development environment), for Mac OS to develop various apps and Apple based software. However, it is not yet known the exact way on how the XCSSET malware finds its way to the Xcode projects.
According to the experts, once the malware is embedded within the Xcode, then it runs when the project is built. So, this is how the malicious Xcode projects spread to the users.
XCSSET Malware Exploits Two Vulnerabilities Of Safari Browser
According to the Trend Micro Team,
“Presumably, these systems would be primarily used by developers” .”These Xcode projects have been modified such that upon building, these projects would run a malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system.”
A number of impacted developers have shared their projects on GitHub, which the researchers say could result in “supply chain-like attacks for users who rely on these repositories as dependencies in their own projects.”
Once active on the target device, the malware exploits two vulnerabilities of the Safari browser.
- First of the two undiscovered zero-day vulnerability is the Safari’s data vault. The malware uses a bypass method to break the protection of the Safari’s cookies file via SSHD. The file locates in /Library/Cookies/Cookies.binarycookies.
- Secondly, the malware exploits the Safari WebKit operations. A bypass method was used to avoid the password authentication and perform malicious operations using an un-sandboxed safari browser. According to the experts, the Dylib hijacking is also possible.
The XCSSET malware attack capabilities
According to the security researcher at Trend Micro, the UXSS component within the attack chain can be used to perform various nefarious activities.
- Foremost of which is stealing user information stored within the web browsers;
- Modify browsing sessions to redirect or display any compromised website;
- Edit or replace the wallet address of crypto-currency;
- Harvest sensitive data like Apple Store credit card information;
- Steal credentials from other accounts including Apple ID, Google, Paypal, and Yandex.
- Extracts various user data from Evernote content, notes, and chats from applications like Skype, Telegram, QQ, and WeChat applications.
Not only that, the XCSSET malware is also capable to take screenshots, extract and deliver data to the hackers using command-and-control (C2) server. Additionally, the malware may also contain a ransomware module that is used for encrypting files on the system and demand ransom fee from victims.
How to Remove XCSSET From Mac (Guide)
This is a complete manual removal guide for Mac users. It consist of step-by-step removal of unwanted programs. For instance, Adware, browser hijackers, redirects, Trojans and other malware. The manual removal may take several minutes, therefore you have to patience. Please follow the steps carefully. If you are in hurry, then we suggest you to go for automatic removal solution.
(The above link will open a new page from where the Combo Cleaner will download)
To Remove XCSSET from Mac OS, follow the steps:
STEP 1: Remove Unknown Profiles Created by XCSSET Program From Mac OS
Profiles are utility that allows business or organizations to control the actions and behavior of the Mac system. Thus, any profile created by the admins will prevent the users to change them. However, adware distributes design their programs that may create new profile. As a result, it prevents user from uninstalling the adware or other malware program.
So, we first need to find out if there is any malicious profile created on the Mac. If yes, then you have to remove them.
Please follow the Steps here:
- Select System Preferences from the Apple menu;
- Within the System Preferences window, find “Profiles” icon; (If you can’t find the profile icon, it means may not have any profiles created.)
- When the “Profile” Window opens, look for the unknown profiles. To remove XCSSET fake user profile, select it and click on the – (minus) button.
- Repeat the steps to remove all unknown profiles.
STEP 2: Uninstall XCSSET /Malicious Apps From Mac OS
In this step, You need to locate for XCSSET application or unknown programs that you may not have installed yourself. Remove all such apps from your system.
- Open “Finder” application from your dock;
- In the left pane of the Finder, click on “Applications“;
- The Applications window will display the list of all apps installed on your Mac OS. Next, you need to locate the XCSSET /suspicious apps by scrolling.
- To remove XCSSET , right-click on it, and then click “Move to Trash”. (Repeat this step until you remove all such apps).
- Now you need to empty the trash as sometimes program can restore themselves from the trash. On your dock, right-click on the trash icon and then select “Empty Trash”.
STEP 3: Remove XCSSET Daemons And Agents From Mac’s Startup
- From top menu On Desktop → Choose Go→Go to Folder;
- Within the “Go To Folder” pop-up window, enter the following paths along with XCSSET .plist one by one. This will locate the malicious files created by the apps.
- /Library/Application Support
For instance, If a malicious program named XCSSET , then you may see ~/Library/LaunchDaemons/com.XCSSET .plist”, within this location. You will see lots of files with “.plist” extension. Scroll through it and find the ones which appear to be suspicious.
- ~/Library/Application Support/com.XCSSET /XCSSET
- ~/Library/Application Support/com.XCSSET Daemon/XCSSET
- ~/Library/LaunchAgents/com.XCSSET .plist
- ~/Library/LaunchDaemons/com.XCSSET Daemon.plist
- To Remove launch agents by XCSSET , right click on it and “More To Trash”.
Similarly, do this for launching agents locations: /Library/LaunchAgents/com.XCSSET .plist.
NOTE: Do not forget to empty the trash.
STEP 4: Use ComboCleaner Scan To Remove XCSSET
(The above link will open a new page from where the Combo Cleaner will download)
Combo Cleaner is a complete security suite for Mac OS that is developed by “RCS LT” company. This program is featured with anti-virus scanner and system optimization tools like disk cleaner, duplicate files finder, application uninstaller, privacy scanner, and 24*7 customer support service.
How to Install and Scan with Combo Cleaner
1. Click the above button to Download the “Combo Cleaner”;
2. Once the download completes, double-click on the downloaded file;
3. After the window opens, drag the Combo Cleaner program icon and drop it into your “Applications folder” icon.
4. Now, open your “Launchpad” and click on the “Combo Cleaner” icon.
5. This will start the combo cleaner installation and updates its latest virus definition. Once done, Combo cleaner will launch;
6. Click on “Antivirus” tab and choose the scan options like Quick, Full, and custom. (Full is recommended for the first time)
7. Let the scan be completed and it will list all the threats found. Now, click on “Remove All Threats”;
8. after removing the threats, click on the “uninstaller” to find and remove any unwanted programs. Select the program from the list and its related files and then click on “Remove Selected Items“
STEP 5: Remove Unknown extensions From Safari, Chrome, And Firefox Web Browsers
To Remove unknown Extensions, homepage redirects From Safari Browser, follow steps:
- On the Safari browser, click the “Safari” menu then select “Preferences”.
- On the “General” tab of the Safari preferences, check for XCSSET URL added as the default homepage. Within the “Homepage” field enter your preferred URL as your default start-page of the browser.
- Next, you need to check for malicious extensions, click on the “Extensions” tab on the same window.
- The “Extensions” screen will list all the extensions installed on your safari browser. You need to browse through the list and uninstall XCSSET extension or Adware. Select it and then click on “Uninstall”. Repeat the steps to remove all unwanted extensions.
Delete Safari’s preferences file to reset the default settings
Even after performing the above steps, some malicious program may reappear again. This happens because adware and browser hijackers creates new files within the preferences. Thus, they are able to replace the homepage and search engine URLs each time when user launches the Safari.
To do this, follow the below steps:
- Close the Safari browser;
- Come to normal desktop mode, now choose “Go” from the top menu then click on “Go to Folder“.
- Within the “Go to Folder: pop-up window, enter the ~/Library/Preferences/com.apple.Safari.plist path and click on GO;
- Delete the file, if found;
- Launch the Safari Again.
To Remove unknown Extensions From Chrome (Extensions, homepage redirects), follow steps:
Similarly, you need to reset the default settings of Chrome browser. In order to remove unknown extensions, search engines, startup, and new tabs.
It is better to use the default reset feature of the Google Chrome. This will reset all the unwanted modifications done by third-party programs. It should be noted that you will not lose your saved passwords and bookmarks. (Sync your Google with Account to secure them first). However, it will delete cookies, extensions, startups, URLs, homepage and new tabs preferences.
- Click on Chrome’s main menu then choose “Settings“. Scroll to the bottom of the page and click on “Advanced”;
- Under the Advanced page, go for “Reset and clean up” section. Then click on “Reset settings to their original defaults”;
- Next, click on “Reset”, when you will be prompted for a confirmation “This will reset your startup page, a new tab page, search engine, and pinned tabs. It will also disable all extensions and clear temporary data like cookies. Your bookmarks, history, and saved passwords will not be cleared”;
- Click on the “Reset Settings” button to confirm the procedure. After that, it may ask to restart your browser, click “Yes”.
Remove Chrome’s policies created by XCSSET Program
If the above reset solution does not work for you, then it may possible that the malicious programs has created policies within the chrome browser. This certainly restricts the unwanted apps, homepage and search engine settings to reset again. The Chrome polices are listed within chrome://policy URL. You can check the unwanted policies created by malicious apps. If this is the case then you need to remove them.
To reset such policies from chrome browser, follow the steps below:
- Open a Terminal window. Go to Finder → Go → Utilities → Terminal;
- Within the Terminal window, execute the following commands one by one. And press enter after each command.
defaults write com.google.Chrome HomepageIsNewTabPage -bool false defaults write com.google.Chrome NewTabPageLocation -string “https://www.google.com/” defaults write com.google.Chrome HomepageLocation -string “https://www.google.com/” defaults delete com.google.Chrome DefaultSearchProviderSearchURL defaults delete com.google.Chrome DefaultSearchProviderNewTabURL defaults delete com.google.Chrome DefaultSearchProviderName defaults delete com.google.Chrome ExtensionInstallSources
- After executing the above commands, launch the Chrome browser again. To check the unknown policies to be removed successfully. Type “chrome://policy” within the address bar and click on “Reload policies”.
- Now, the malicious policies should be gone. After that, you can modify your homepage, new tab and search engine as per your preferences.
NOTE: Last but not the least, if the above solution also does not work for you. Then the malicious programs may have install “Managed by your organization” policy. As a consequence it restricts to remove the unknown extension or homepage even after resetting the browser.
Please follow our guide Remove “Managed by your organization” Chrome Hijack From Mac
Mozilla Firefox Browser
To Remove XCSSET Extension, homepage redirects From Mozilla Firefox Browser, follow steps:
Finally, if you have facing same issues with Firefox browser, then follow the steps to refresh it.
- Open Firefox’s Main Menu button by clicking on three horizontal lines. After that, from the drop-down menu select “Help“;
- Click on the “Troubleshooting Information,“ from the Help menu;
- From the upper-right corner of the “Troubleshooting Information” page, click on the “Refresh Firefox”.
- To confirm, click on the “Refresh Firefox” button, within the confirmation pop-up window.
- Click on the “Finish“ button.
By the time now, your Mac should free from adware and other malicious programs. Most importantly, you should always have a reliable anti-malware with real-time protection features. So, that it can trace the behaviors of unwanted program at its earliest. And quarantine it from being making serious damages.
Double Check for Malicious Files and Enable Safe Browsing Using Intego Internet Security X9
After removing persistent threat XCSSET , it is important to safe guard the browser. So that such browser hijackers may not enter to your browser like Safari, Chrome , Mozilla.
The Intego Internet security X9 not only provides real-time antivirus protection for Macs. But also scans files whenever they’re accessed to keep your Mac free of malware.
It it integrated with “Safe Browsing” feature that configures advanced browser settings that will prevent redirects to malicious or fraudulent sites, fake downloads and warn you if you visit any harmful site.