A new variant of the XCSSET macOS malware has emerged, targeting macOS users and developers in limited attacks, according to Microsoft’s threat researchers. This version builds upon its predecessors, known for stealing information and injecting backdoors.
New XCSSET macOS malware variant targets developers and users
XCSSET malware typically spreads through compromised Xcode projects, which contain files and settings used in app development with Apple’s integrated development environment (IDE). The malware has been a persistent threat for several years, previously exploiting zero-day vulnerabilities for malicious activities, such as taking screenshots and stealing browser cookies. The current variant can also collect data from apps like Notes, exfiltrate system files, and target digital wallets while employing enhanced obfuscation techniques that complicate analysis.
The malware now incorporates new infection and persistence techniques. Microsoft’s researchers noted that it can place its payload in an Xcode project using methods such as TARGET, RULE, or FORCED_STRATEGY. It can also insert the payload within the TARGET_DEVICE_FAMILY key in build settings, executing it at a later phase. The persistence mechanisms include creating a file named ~/.zshrc_aliases that launches the payload with each new shell session, and downloading a signed dockutil tool from a command-and-control server to manage dock items.
By creating a fake Launchpad application and redirecting the legitimate application’s path in the dock, XCSSET ensures that both the real and malicious payloads execute whenever the Launchpad is launched. This distributed method allows the malware to stealthily affect a broader range of victims.
This Steam game is full of malware: Did you download it?
Microsoft reported that the recent findings represent the first major update to XCSSET since 2022, highlighting significant improvements in code obfuscation, persistence methods, and infection strategies. Researchers advise developers to carefully inspect and verify any Xcode projects cloned from unofficial sources, as malicious elements may be hidden within.
XCSSET is recognized as sophisticated modular malware targeting macOS users by compromising Xcode projects. Initially documented in August 2020 by Trend Micro, XCSSET has adapted to compromise newer macOS versions and Apple’s M1 chipsets. Earlier iterations had also demonstrated the capability to extract data from various applications, including Google Chrome, Telegram, and Apple’s own apps like Contacts and Notes.
In mid-2021, new features of XCSSET included exploiting a zero-day vulnerability, specifically CVE-2021-30713, to take screenshots without proper permissions. The origins of this malware remain unknown, with the latest findings emphasizing its continued evolution and the persistent threats it poses to macOS users.
Featured image credit: Ales Nesetril/Unsplash
