Microsoft has identified a new variant of the XCSSET malware, a significant threat to the macOS platform, which has been used in a limited number of attacks targeting Apple developers. This fresh version of the malware has the potential to spread to a broader range of targets in the coming weeks.
The XCSSET malware is capable of reading and dumping data from Safari browsers, injecting JavaScript backdoors into websites, stealing information from various apps, taking screenshots, encrypting files, and exfiltrating data to attacker-controlled systems. This new variant features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, making it a more formidable threat.
According to Microsoft Threat Intelligence, this is the first known update to the malware since 2022, and it was revealed in a post on X this week.
The post highlights that “these enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files.”
XCSSET was first discovered by researchers at Trend Micro in 2020, and it has been targeting software developers by exploiting vulnerabilities and infecting their projects. This allows the malware to spread to other developers who download and build the infected projects, potentially leading to a broader supply chain attack.
Significant Enhancements to macOS Malware
This new variant of XCSSET appears to be a significant update, with various new features that make it easier for attackers to spread the malware and obscure their malicious activities.
According to Microsoft, the variant’s enhanced obfuscation uses a far more randomized approach to generating the payloads that infect Xcode projects, randomizing both the encoding technique and the number of encoding iterations.
The malware also uses Base64 encoding and obfuscates module names, making it harder to determine what each module is for. In addition, the operators have implemented two new persistence mechanisms: the “zshrc” method and the “dock” method.
The “zshrc” method involves creating a file named ~/.zshrc_aliases that contains the payload, which is then launched every time a new shell session is initiated, guaranteeing the malware’s persistence across shell sessions.
The “dock” method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad’s path entry in the dock with this fake one.
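As an added example that is not part of this article or of Microsoft’s research, the following Python audit looks for the two persistence traits just described: a zsh startup file that sources a non-standard file such as ~/.zshrc_aliases, and a Dock tile labelled “Launchpad” that points somewhere other than the real application. The Dock plist keys and the legitimate Launchpad paths are assumptions based on macOS conventions, and the sample inputs are constructed.

```python
"""Audit ~/.zshrc content and the Dock preferences plist for the XCSSET
persistence patterns described above (example code, not Microsoft's logic)."""
import plistlib
import re
from pathlib import Path

# Files zsh reads on its own; anything else sourced from ~/.zshrc deserves a look.
STANDARD_ZSH_FILES = {".zshrc", ".zprofile", ".zshenv", ".zlogin", ".zlogout"}
# Matches "source <file>" or ". <file>" anywhere on a line.
SOURCE_RE = re.compile(r"(?<![\w/])(?:source|\.)\s+(\S+)")
# Assumed legitimate Launchpad locations (newer and older macOS releases).
LEGIT_LAUNCHPAD = {"/System/Applications/Launchpad.app", "/Applications/Launchpad.app"}


def audit_zshrc(zshrc_text: str) -> list[str]:
    """Flag every file sourced from the zshrc text that zsh would not load by itself."""
    findings = []
    for target in SOURCE_RE.findall(zshrc_text):
        name = Path(target.strip("\"'")).name
        if name not in STANDARD_ZSH_FILES:
            findings.append(f"zshrc sources non-standard file: {target}")
    return findings


def audit_dock(plist_bytes: bytes) -> list[str]:
    """Flag Dock tiles labelled Launchpad whose target is not the real Launchpad app."""
    findings = []
    dock = plistlib.loads(plist_bytes)
    for tile in dock.get("persistent-apps", []):  # assumed Dock plist layout
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        url = data.get("file-data", {}).get("_CFURLString", "").rstrip("/")
        if label == "Launchpad" and not any(url.endswith(p) for p in LEGIT_LAUNCHPAD):
            findings.append(f"Dock Launchpad tile points to unexpected path: {url}")
    return findings


# Constructed sample inputs standing in for ~/.zshrc and com.apple.dock.plist.
SAMPLE_ZSHRC = "export PATH=$HOME/bin:$PATH\nsource ~/.zshrc_aliases\n"
SAMPLE_DOCK = plistlib.dumps({"persistent-apps": [
    {"tile-data": {"file-label": "Safari",
                   "file-data": {"_CFURLString": "file:///Applications/Safari.app/"}}},
    {"tile-data": {"file-label": "Launchpad",
                   "file-data": {"_CFURLString": "file:///Users/dev/Library/Fake/Launchpad.app/"}}},
]})

if __name__ == "__main__":
    for finding in audit_zshrc(SAMPLE_ZSHRC) + audit_dock(SAMPLE_DOCK):
        print(finding)
```

On a real host, feed `Path.home().joinpath(".zshrc").read_text()` and the bytes of ~/Library/Preferences/com.apple.dock.plist to the two functions.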
The variant also employs new infection methods that determine where the payload is placed in Xcode projects, making it easier for attackers to spread the malware.
Advice for macOS Cyber Defenders
Although macOS has traditionally not been a primary target for threat actors, the platform has become increasingly exposed to malware and other security threats in recent years, mainly because of Apple’s growing share of a shrinking PC market.
To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users “always inspect and verify any Xcode projects downloaded or cloned from repositories”, since these projects are the channel through which the malware spreads.
Developers and users should also only install apps from trusted sources, such as a software platform’s official app store, according to Microsoft.
Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, as it can detect all currently known versions of the malware.