Microsoft has identified a new variant of the known XCSSET malware targeting Apple macOS, which has been found in limited attacks in the wild.
This latest version of XCSSET, the first known variant since 2022, incorporates enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, the Microsoft Threat Intelligence team said in a post on X.
These new features build upon the malware’s existing capabilities, which include targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files.
XCSSET is a sophisticated, modular macOS malware known for infecting Apple Xcode projects. It was first documented by Trend Micro in August 2020.
In subsequent iterations, the malware has adapted to compromise newer versions of macOS, as well as Apple’s own M1 chipsets. By mid-2021, it had been updated to exfiltrate data from various apps, including Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and Apple’s first-party apps, such as Contacts and Notes.
A report from Jamf around the same time revealed the malware’s ability to exploit CVE-2021-30713, a Transparency, Consent, and Control (TCC) framework bypass bug, as a zero-day to take screenshots of the victim’s desktop without requiring additional permissions.
Over a year later, it was updated again to support macOS Monterey. The origins of the malware remain unknown as of writing.
The variant Microsoft has now found is the first major revision since 2022. Its improved obfuscation is aimed at frustrating analysis, and one of its persistence mechanisms hooks the user's shell startup so that the malware is launched every time a new shell session is opened.
XCSSET also establishes persistence through the Dock: it downloads a signed copy of the dockutil utility from a command-and-control server and uses it to manage Dock items.
“The malware then creates a fake Launchpad application and replaces the legitimate Launchpad’s path entry in the dock with this fake one,” Microsoft explained. “This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed.”
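The two persistence behaviours described above (a shell-startup hook, and a Dock tile that masquerades as Launchpad) are the kind of thing a responder can triage from two files on the host. The script below is an added example, not code from the article or from Microsoft's post. The com.apple.dock.plist keys it reads (persistent-apps / tile-data / file-data / _CFURLString) are the real layout of that file; the sample ~/.zshrc and Dock plist are constructed, and the allow-lists of legitimate Launchpad paths and expected sourced files are assumptions to tune for your environment.

```python
"""Added triage check (not part of the article or Microsoft's post) for the
two persistence behaviours described above: a shell-startup hook and a Dock
tile that masquerades as Launchpad. All sample data below is constructed."""
import plistlib
import re
from typing import List, Tuple

# Assumption: Launchpad legitimately lives only at these paths (System volume
# on current macOS, /Applications on older releases).
LEGIT_LAUNCHPAD = {
    "file:///System/Applications/Launchpad.app",
    "file:///Applications/Launchpad.app",
}

# Assumption: files a ~/.zshrc is commonly expected to source. Anything else
# that is sourced is reported for a human to look at.
EXPECTED_SOURCED = {
    "~/.zprofile", "~/.zshenv", "~/.zlogin",
    "~/.cargo/env", "~/.nvm/nvm.sh",
}

# Matches `source FILE` or `. FILE`, including when chained after `&&` or `;`.
SOURCE_RE = re.compile(r'(?:^|\s)(?:source|\.)\s+["\']?([^\s"\';&|]+)')


def _normalize(path: str) -> str:
    """Fold $HOME / ${HOME} to ~ so allow-list comparison is stable."""
    return path.replace("${HOME}", "~").replace("$HOME", "~")


def suspicious_source_lines(rc_text: str) -> List[str]:
    """Return normalised paths sourced by a shell rc file that are not in
    EXPECTED_SOURCED. Comment lines are skipped."""
    hits = []
    for line in rc_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for m in SOURCE_RE.finditer(line):
            target = _normalize(m.group(1))
            if target not in EXPECTED_SOURCED:
                hits.append(target)
    return hits


def suspicious_dock_tiles(dock_plist: bytes) -> List[str]:
    """Return _CFURLString values of Dock tiles labelled 'Launchpad' whose URL
    does not point at the legitimate Launchpad bundle."""
    dock = plistlib.loads(dock_plist)
    hits = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        url = data.get("file-data", {}).get("_CFURLString", "")
        if data.get("file-label") == "Launchpad" and url.rstrip("/") not in LEGIT_LAUNCHPAD:
            hits.append(url)
    return hits


def dock_plist_from_tiles(tiles: List[Tuple[str, str]]) -> bytes:
    """Build a minimal com.apple.dock.plist from (label, url) pairs. Sample
    construction helper only; real Dock plists carry more keys per tile."""
    return plistlib.dumps({"persistent-apps": [
        {"tile-data": {"file-label": label,
                       "file-data": {"_CFURLString": url, "_CFURLStringType": 15}}}
        for label, url in tiles]})


# Constructed sample ~/.zshrc: two expected hooks plus one hidden file that a
# shell-startup persistence mechanism would add (name is invented).
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
source ~/.cargo/env
. "$HOME/.nvm/nvm.sh"
[ -f "$HOME/.zsh_env_hook" ] && source "$HOME/.zsh_env_hook"
alias ll='ls -la'
"""

# Constructed Dock plist: one normal tile and one tile whose label says
# Launchpad but whose URL is a user-writable bundle (path is invented).
SAMPLE_DOCK = dock_plist_from_tiles([
    ("Safari", "file:///Applications/Safari.app/"),
    ("Launchpad", "file:///Users/alice/Library/Launchpad.app/"),
])


def run_checks(rc_text: str = SAMPLE_ZSHRC, dock_plist: bytes = SAMPLE_DOCK) -> dict:
    """Run both checks. On a real host pass the contents of ~/.zshrc and
    ~/Library/Preferences/com.apple.dock.plist instead of the samples."""
    return {
        "sourced_outside_allowlist": suspicious_source_lines(rc_text),
        "fake_launchpad_tiles": suspicious_dock_tiles(dock_plist),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits or 'none'}")
```

On a real machine, read com.apple.dock.plist with `plistlib.load(open(path, "rb"))` (it is usually binary, which plistlib handles); a Launchpad tile whose URL sits under a user-writable directory is the signature of the substitution Microsoft describes, and any unexpected file sourced from ~/.zshrc deserves the same look.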