Last year, Trend Micro discovered a new variant of the XCSSET malware, spread via infected Xcode projects. The malware itself was stopped, but security researchers missed a macOS vulnerability that it exploited; Apple has now patched it in macOS 11.4.
Jamf has reviewed the flaw and the innovative way in which it was exploited. It turns out that the part of the malware that bypasses macOS security features and infects the Mac is written in AppleScript, and that it exploited no fewer than three flaws.
The malware first takes advantage of the fact that AppleScript can run Terminal commands, including downloading data with curl, to retrieve its own program code, which can then take screenshots and cause other nuisances. It then bypasses Gatekeeper by looking for a program you have already given permission to take screenshots.
Apple has fixed the bugs in macOS 11.4 by, among other things, ensuring that a program bundled inside another no longer inherits the host program's permissions.
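For readers who want to check their own fleet for the pattern described above (an app bundle planted inside a host app that already holds a privacy grant), here is an added audit example; it is not code from the article, Jamf or Apple. The list of permission-holding apps is assumed as a hard-coded input, and the bundle tree it inspects is constructed on the fly for demonstration.

```python
"""Audit app bundles for nested .app bundles inside a host that holds a
privacy grant such as screen capture. Added example, not Jamf's or Apple's
code. On a real Mac the granted-app list would come from the TCC database;
here it is assumed as a hard-coded input and the bundle tree is constructed."""
from __future__ import annotations
import os
import tempfile
from pathlib import Path


def find_nested_bundles(host_app: Path) -> list[Path]:
    """Return every .app bundle found underneath host_app's Contents/ dir.

    Before macOS 11.4 such a nested bundle inherited the host's permissions,
    so each hit is worth a closer look (many legitimate apps ship helpers,
    so treat this as a review list, not a verdict)."""
    host_app = Path(host_app)
    nested: list[Path] = []
    for root, dirs, _files in os.walk(host_app / "Contents"):
        for d in dirs:
            if d.endswith(".app"):
                nested.append(Path(root) / d)
    return sorted(nested)


def audit_grants(granted_apps: list[Path]) -> dict[str, list[str]]:
    """Map each permission-holding host app to the nested bundles inside it."""
    return {str(app): [str(p) for p in find_nested_bundles(app)]
            for app in granted_apps}


def build_constructed_tree(base: Path) -> Path:
    """Create a fake host app with one planted applet (constructed data)."""
    host = base / "HostApp.app"
    (host / "Contents" / "MacOS").mkdir(parents=True)
    (host / "Contents" / "MacOS" / "HostApp").write_bytes(b"")
    planted = host / "Contents" / "MacOS" / "Injected.app" / "Contents" / "MacOS"
    planted.mkdir(parents=True)
    (planted / "applet").write_bytes(b"")
    return host


def run_demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and audit it."""
    host = build_constructed_tree(Path(tempfile.mkdtemp()))
    return audit_grants([host])  # assumed: HostApp.app holds a screen grant


if __name__ == "__main__":
    for host, nested in run_demo().items():
        print(host, "->", nested or "no nested bundles")
```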
This article originally appeared on Macworld Sweden. Translation by David Price.