MacOS malware XCSSET is reportedly re-emerging under a new variant, according to Microsoft.
In a new social media post published on February 17, Microsoft Threat Intelligence said it had detected a new variant of XCSSET. This sophisticated modular malware targets users by infecting Xcode projects, Apple’s integrated development environment (IDE) for macOS.
This is the first publicly observed new variant of XCSSET since 2022.
“While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information so users and organizations can protect themselves against this threat,” the advisory said.
History of XCSSET Malware
First identified in 2020, the XCSSET malware is typically deployed by exploiting zero-day vulnerabilities.
It then inserts malicious code into Xcode projects and sometimes implants backdoors in Apple products and services like Safari.
It features a range of capabilities including targeting of digital wallets.
The malware is capable of collecting data from several apps, including Evernote, Notes, Skype, Telegram, QQ and WeChat, as well as exfiltrating system information and files.
XCSSET can also take screenshots of the user’s current screen, encrypt files and display a ransom note.
New Features in Latest XCSSET Variant
This latest variant discovered by Microsfot features enhanced obfuscation methods, updated persistence mechanisms and new infection strategies.
The variant employs a much more randomized method for creating payloads to infect Xcode projects. Both the encoding technique and the number of encoding iterations are randomized.
Additionally, while previous XCSSET variants only used xxd (hexdump) for encoding, the latest version also incorporates Base64.
The variant’s module names are obfuscated at the code level, making it more difficult to discern the modules’ purposes.
The new XCSSET variant also employs two distinct techniques: the “zshrc” method and the “dock” method.
In the zshrc method, the malware creates a file named ~/.zshrc_aliases, which contains the payload. It then appends a command in the ~/.zshrc file to ensure the created file is launched every time a new shell session is initiated, guaranteeing the malware’s persistence across shell sessions.
The dock method involves downloading a signed dockutil tool from a command-and-control server to manage the dock items. The malware then creates a fake Launchpad application and replaces the legitimate Launchpad’s path entry in the dock with this fake one. This guarantees that each time the Launchpad is launched from the dock, both the genuine Launchpad and the malicious payload are executed simultaneously.
Finally, the new XCSSET variant introduces new methods for where the payload is placed in a target Xcode project.
The technique is chosen from one of the following options: TARGET, RULE, or FORCED_STRATEGY.
An additional method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it in the latter phase.
