
Microsoft Threat Intelligence has discovered a new variant of the XCSSET malware targeting macOS users. This sophisticated malware, first identified in 2020, is known for infecting Xcode projects and compromising developer tools. While the new variant is currently observed in limited attacks, Microsoft is urging users and organizations to take proactive steps to protect themselves.
This latest iteration of XCSSET boasts enhanced obfuscation techniques, updated persistence mechanisms, and new infection strategies. It retains the previous capabilities of the malware family, such as targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files.
“Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” says the report.
The new variant employs a more randomized approach for generating payloads, making it harder to detect and analyze. It also uses a combination of xxd (hexdump) and Base64 encoding, adding complexity to its obfuscation techniques.
Persistence mechanisms have been updated so the malware stays active even after a system restart. The “zshrc” method creates a malicious file that is launched every time a new shell session is started. The “dock” method replaces the Dock’s path entry for the legitimate Launchpad with a fake one, so the malware runs whenever Launchpad is opened.
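The two persistence locations named above can be audited from the defender’s side. The following is an added example, not code from Microsoft’s report: it flags every line in a `.zshrc` that hands control to another file at shell start-up (a review heuristic, not a verdict), and reports any Dock tile labelled Launchpad whose URL is not the system Launchpad bundle. It assumes the current location `/System/Applications/Launchpad.app` and the standard `persistent-apps` / `tile-data` layout of `com.apple.dock.plist`; the sample inputs are constructed, not real indicators.

```python
import plistlib
import re

# Legitimate Launchpad location on current macOS (assumption: adjust for
# older releases where the bundle lived under /Applications).
LEGIT_LAUNCHPAD = "file:///System/Applications/Launchpad.app/"

# Lines in ~/.zshrc that source or execute another file when a shell starts.
# Heuristic only: each hit is reported for analyst review, not declared malicious.
EXEC_RE = re.compile(r"^\s*(?:source|\.|sh|bash|zsh|nohup|open)\s+(\S+)")

def suspicious_zshrc_lines(text):
    """Return (line_no, path) for each line that launches another file."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = EXEC_RE.match(line)
        if m:
            hits.append((no, m.group(1)))
    return hits

def launchpad_entries(plist_bytes):
    """Return the _CFURLString of every Dock tile labelled Launchpad that does
    not point at the system Launchpad bundle (XML or binary plist accepted)."""
    dock = plistlib.loads(plist_bytes)
    bad = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        if data.get("file-label") != "Launchpad":
            continue
        url = data.get("file-data", {}).get("_CFURLString", "")
        if url.rstrip("/") != LEGIT_LAUNCHPAD.rstrip("/"):
            bad.append(url)
    return bad

# Constructed samples (not real IoCs): a .zshrc with benign lines plus one
# that launches a hidden file, and a Dock plist whose Launchpad tile has been
# repointed to a bundle inside the user's Library folder.
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
alias ll='ls -la'
sh ~/.local/share/.hidden_helper
"""
SAMPLE_DOCK = plistlib.dumps({"persistent-apps": [
    {"tile-data": {"file-label": "Safari",
                   "file-data": {"_CFURLString": "file:///Applications/Safari.app/"}}},
    {"tile-data": {"file-label": "Launchpad",
                   "file-data": {"_CFURLString": "file:///Users/me/Library/Launchpad.app/"}}},
]})

if __name__ == "__main__":
    for no, path in suspicious_zshrc_lines(SAMPLE_ZSHRC):
        print(f".zshrc line {no} launches {path}")
    for url in launchpad_entries(SAMPLE_DOCK):
        print(f"Dock Launchpad tile points at {url}")
```

On a real host, read `~/.zshrc` as text and `~/Library/Preferences/com.apple.dock.plist` as bytes and pass them to the two functions.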
The new XCSSET variant introduces new methods for injecting payloads into Xcode projects, including targeting specific build settings and running the payload at a later stage. This makes it more difficult to identify and remove the malware from infected projects.
Microsoft Defender for Endpoint on Mac detects XCSSET, including this latest variant. Users are advised to inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware often spreads through infected projects. Installing apps only from trusted sources further reduces the risk of infection.