The XCSSET info-stealing malware has returned, targeting macOS users and developers

Microsoft's threat researchers have identified a new, improved variant of the XCSSET macOS malware that is currently being used in limited attacks. XCSSET is an information stealer that also plants backdoors on infected Macs. It is typically distributed through infected Xcode projects, the build definitions for apps and frameworks created with Apple's Xcode development environment, so the malicious code rides along whenever such a project is shared and built.

Over the years, XCSSET has evolved and employed various tactics, including exploiting zero-day vulnerabilities to carry out its malicious activities. The malware can capture screenshots, steal browser cookies and other sensitive data, and extract information from popular apps such as Telegram, WeChat, and Evernote. The newly discovered variant identified by Microsoft's researchers expands these capabilities to include theft of data from the Notes app, exfiltration of system information and files, and targeting of digital wallets. It has also been fitted with stronger obfuscation to make analysis harder.

One of the key characteristics of XCSSET is its targeted approach towards a specific group of macOS users: software developers. Trend Micro researchers have described its distribution method as sophisticated, in that affected developers unknowingly spread the trojan through their own compromised Xcode projects. Traditional verification methods such as checking file hashes do not help here, because the infected project is the version the developer actually published, so its hash matches what the developer (who is unaware of the infection) distributes.

The latest variant of XCSSET introduces new infection and persistence techniques, as uncovered by Microsoft's researchers. The malware now uses new methods for placing its payload within a target Xcode project, such as the TARGET, RULE, or FORCED_STRATEGY options. It has also adopted new persistence mechanisms: it creates a file called ~/.zshrc_aliases to hold the payload and arranges for it to run at the start of every new shell session. In addition, XCSSET downloads a signed dockutil tool from a command-and-control server to manipulate Dock items, generates a counterfeit Launchpad application, and replaces the legitimate Launchpad's path entry in the Dock with the fake one. Consequently, every time Launchpad is opened from the Dock, both the real and the malicious Launchpad are executed.
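The two persistence mechanisms described above (the ~/.zshrc_aliases file sourced from the shell startup files, and a Dock "Launchpad" tile redirected to a counterfeit app bundle) are straightforward to hunt for on an endpoint. The following script is an added example written for this page; it is not code from Microsoft, Trend Micro, or the XCSSET samples. It assumes the standard macOS Dock preference layout (persistent-apps, tile-data, file-data, _CFURLString) and an allow-list of where a genuine Launchpad.app normally lives, which you should adjust for the macOS version you run. The sample .zshrc and Dock plist it scans are constructed inline so the script runs offline; `scan_live_system` applies the same checks to the real home directory and Dock plist when run on a Mac.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Assumption: where a genuine Launchpad.app is expected to live. Adjust for your macOS build.
EXPECTED_LAUNCHPAD_URLS = {
    "file:///System/Applications/Launchpad.app/",
    "file:///Applications/Launchpad.app/",
}

ALIAS_FILE = ".zshrc_aliases"
ZSH_STARTUP_FILES = (".zshrc", ".zshenv", ".zprofile", ".zlogin")
# Matches "source <path>.zshrc_aliases" or ". <path>.zshrc_aliases" anywhere on a line.
SOURCE_PATTERN = re.compile(r"(^|\s|;)(source|\.)\s+\S*" + re.escape(ALIAS_FILE))


def check_zsh_persistence(home):
    """Report the ~/.zshrc_aliases file and any startup file that sources it."""
    home = Path(home)
    findings = []
    alias_path = home / ALIAS_FILE
    if alias_path.exists():
        findings.append(f"{ALIAS_FILE} present ({alias_path.stat().st_size} bytes)")
    for name in ZSH_STARTUP_FILES:
        startup = home / name
        if not startup.exists():
            continue
        for lineno, line in enumerate(startup.read_text(errors="replace").splitlines(), 1):
            if SOURCE_PATTERN.search(line):
                findings.append(f"{name}:{lineno} sources {ALIAS_FILE}: {line.strip()}")
    return findings


def check_dock_launchpad(plist_bytes):
    """Return the URL of every Dock tile that claims to be Launchpad but points elsewhere."""
    dock = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    suspicious = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        url = data.get("file-data", {}).get("_CFURLString", "")
        looks_like_launchpad = label == "Launchpad" or url.rstrip("/").endswith("Launchpad.app")
        if looks_like_launchpad and url not in EXPECTED_LAUNCHPAD_URLS:
            suspicious.append(url)
    return suspicious


def scan_live_system():
    """Run both checks against the current user's home directory and Dock preferences."""
    home = Path.home()
    findings = check_zsh_persistence(home)
    dock_plist = home / "Library" / "Preferences" / "com.apple.dock.plist"
    if dock_plist.exists():
        findings += [f"Dock Launchpad tile points to {u}" for u in check_dock_launchpad(dock_plist.read_bytes())]
    return findings


def demo():
    """Run the checks on constructed sample data (not real infection artifacts)."""
    with tempfile.TemporaryDirectory() as home:
        Path(home, ALIAS_FILE).write_text("# payload would live here\n")
        Path(home, ".zshrc").write_text(
            "export PATH=$HOME/bin:$PATH\n"
            "[ -f ~/.zshrc_aliases ] && source ~/.zshrc_aliases\n"
        )
        zsh_findings = check_zsh_persistence(home)
    dock = {"persistent-apps": [
        {"tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/"}}},
        {"tile-data": {"file-label": "Launchpad",  # constructed: a relocated Launchpad tile
                       "file-data": {"_CFURLString": "file:///Users/dev/Library/Caches/Launchpad.app/"}}},
    ]}
    dock_findings = check_dock_launchpad(plistlib.dumps(dock))
    return zsh_findings, dock_findings


if __name__ == "__main__":
    zsh_findings, dock_findings = demo()
    for finding in zsh_findings + [f"Dock Launchpad tile points to {u}" for u in dock_findings]:
        print(finding)
```

A hit on either check is a lead, not proof: a user may legitimately keep aliases in a file of that name, and Launchpad's location can vary across macOS releases, so confirm by inspecting the file contents and verifying the code signature of whatever bundle the Dock tile points at.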

Developers should therefore exercise caution when downloading or cloning Xcode projects from online repositories, websites, or developer communities. Even projects sourced from trusted individuals should be scrutinized, since those individuals may be unwittingly distributing an infected copy. Staying vigilant and implementing security measures can help mitigate the risks from XCSSET and similar threats targeting macOS users.
