
Microsoft discovers new macOS malware targeting Xcode projects


Microsoft Threat Intelligence has recently revealed the presence of a new variant of XCSSET, a sophisticated macOS malware that specifically targets users by infecting Xcode projects. This latest variant, although observed in limited attacks, poses a significant threat to macOS users and developers due to its enhanced capabilities.

Originally identified by Trend Micro in 2020, XCSSET gained notoriety for its ability to compromise Xcode projects, enabling it to execute malicious code whenever a developer built an infected project. The malware utilized zero-day vulnerabilities to bypass macOS security protections, steal sensitive information, and perform unauthorized operations. Over time, XCSSET has evolved, incorporating new techniques to persist and evade detection.

The newest update to XCSSET, reported as the first since 2022, introduces improved obfuscation, updated persistence mechanisms, and new infection techniques that make it more difficult to detect and remove. This version employs a more randomized approach to generating payloads for Xcode projects and includes Base64 encoding in addition to the previously used xxd (hexdump) encoding. The randomization of encoding techniques and iterations, along with the obfuscation of module names at the code level, adds complexity to reverse engineering and analysis.

For persistence, the new variant uses two distinct methods: the “zshrc” method and the “dock” method. The “zshrc” method creates a file containing the payload and appends a command to the user's shell configuration so that the payload runs with every new shell session. The “dock” method downloads a signed tool from a command-and-control server to manage dock items and replaces the Launchpad entry with a fake Launchpad application, so that the payload runs alongside the legitimate Launchpad each time Launchpad is opened.

Additionally, the latest variant of XCSSET introduces new infection techniques, offering multiple options for embedding the payload into an Xcode project. These techniques include utilizing the TARGET, RULE, or FORCED_STRATEGY options and placing the payload within the TARGET_DEVICE_FAMILY key under build settings for execution during a later phase of development.
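The two places the article names, the shell configuration file for persistence and the project's build settings and scripts for infection, can both be triaged with a small scanner. The script below is an added example written for this page; it is not Microsoft's detection logic, not part of the original report, and its heuristics (a `TARGET_DEVICE_FAMILY` value that is not a plain numeric list, and build scripts or `.zshrc` lines that decode a Base64 or xxd blob or run a file through a shell) are the author's assumptions about what a suspicious entry looks like. The sample `project.pbxproj` fragment and `.zshrc` are constructed, and the "payload" in them is an inert placeholder.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (rule name, 1-based line number, offending text)

# Constructed fragment of an Xcode project.pbxproj (not from a real sample).
# The first TARGET_DEVICE_FAMILY entry is a normal value; the second carries
# extra shell text (an inert placeholder, not a payload) of the kind described.
SAMPLE_PBXPROJ = r'''
/* Begin XCBuildConfiguration section */
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2";
        };
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2; $(echo PLACEHOLDER_NOT_A_PAYLOAD | base64 -d | sh)";
        };
/* Begin PBXShellScriptBuildPhase section */
        shellScript = "echo \"Running lint\"\n";
        shellScript = "xxd -r -p /tmp/placeholder.hex | sh\n";
'''

# Constructed ~/.zshrc (not from a real sample): three ordinary lines and one
# appended line that runs a script from a hidden directory on every new shell.
SAMPLE_ZSHRC = """\
# constructed ~/.zshrc, not a real sample
export PATH="$HOME/bin:$PATH"
source ~/.oh-my-zsh/oh-my-zsh.sh
alias ll='ls -la'
sh ~/.cache/placeholder_dir/run.sh >/dev/null 2>&1 &
"""

# Shell fragments that decode an embedded blob or fetch remote content and hand
# it to a shell. Base64 and xxd are the two encodings the article names.
DECODE_EXEC_RE = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b"
    r"|xxd\s+-r\b"
    r"|\bcurl\b[^\n]*\|\s*(?:sh|bash|zsh)\b"
)
# TARGET_DEVICE_FAMILY assignments; the quoted alternative is tried first so a
# value containing ';' inside quotes is captured whole.
DEVICE_FAMILY_RE = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*("(?:[^"\\]|\\.)*"|[^;\n]+);')
# A legitimate value is a comma-separated list of small integers, e.g. "1,2".
LEGIT_FAMILY_RE = re.compile(r'"?\s*\d+(?:\s*,\s*\d+)*\s*"?')
# Script bodies of run-script build phases (shellScript) and build rules (script).
SCRIPT_RE = re.compile(r'\b(?:shellScript|script)\s*=\s*"((?:[^"\\]|\\.)*)"')
# A .zshrc line that runs a file through a shell (sourcing is normal, running is not).
ZSHRC_EXEC_RE = re.compile(r"\b(?:sh|bash|zsh)\s+(\S+)")


def _line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset in text."""
    return text.count("\n", 0, offset) + 1


def scan_pbxproj(text: str) -> List[Finding]:
    """Return suspicious build settings and scripts found in a project.pbxproj."""
    findings: List[Finding] = []
    for m in DEVICE_FAMILY_RE.finditer(text):
        value = m.group(1).strip()
        if not LEGIT_FAMILY_RE.fullmatch(value):
            findings.append(("target_device_family_not_numeric", _line_of(text, m.start()), value))
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        if DECODE_EXEC_RE.search(body):
            findings.append(("build_script_decodes_and_executes", _line_of(text, m.start()), body))
    return findings


def scan_zshrc(text: str) -> List[Finding]:
    """Return .zshrc lines that decode content or execute a file via a shell."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if DECODE_EXEC_RE.search(stripped):
            findings.append(("zshrc_decode_or_fetch", n, stripped))
            continue
        m = ZSHRC_EXEC_RE.search(stripped)
        if m and not m.group(1).startswith("-"):
            findings.append(("zshrc_executes_file", n, stripped))
    return findings


if __name__ == "__main__":
    for rule, line, snippet in scan_pbxproj(SAMPLE_PBXPROJ) + scan_zshrc(SAMPLE_ZSHRC):
        print(f"{rule}: line {line}: {snippet}")
```

Run it over a cloned project's `*.xcodeproj/project.pbxproj` and the user's `~/.zshrc` before the first build. The output is a review list, not a verdict: run-script phases that legitimately decode data, or a `.zshrc` that launches a helper script, will be reported, and the analyst decides. Because the variant randomizes its encoding and iteration count, the checks key on the decoder invocation and on a build setting holding non-numeric content rather than on any fixed string.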

For mitigation and detection, Microsoft Defender for Endpoint on Mac detects XCSSET, including this latest variant. Developers and macOS users are advised to remain vigilant by thoroughly inspecting and verifying any Xcode projects obtained from repositories before building them. Users should also install applications only from trusted sources, such as official app stores, to minimize the risk of infection.

As XCSSET continues to evolve, security researchers emphasize the necessity of proactive cybersecurity measures to safeguard against this persistent and adaptable malware. With the increasing sophistication and capabilities of XCSSET, staying informed and implementing robust security practices are crucial for maintaining the integrity and security of macOS systems and projects. Stay vigilant and protect your digital assets against evolving threats like XCSSET.
