Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects. While the latest variant has only been observed in limited attacks, security researchers warn that its enhanced capabilities make it a significant threat to macOS users and developers.
A Persistent Threat Since 2020
First identified by Trend Micro in 2020, XCSSET initially gained infamy as it was able to compromise Xcode projects, which allowed it to execute malicious code whenever a developer built an infected project. The malware leveraged zero-day vulnerabilities to slip past macOS security protections, steal sensitive information, and execute unauthorized operations. Over the years, XCSSET has evolved, incorporating new techniques to maintain persistence and evade detection.Enhanced Evasion Tactics, Obfuscation
According to the software giant, this is the first known update to XCSSET since 2022. The latest variant features improved obfuscation, updated persistence mechanisms, and new infection techniques that make it harder to detect and remove. This latest XCSSET variant employs a more randomized approach to generating payloads for Xcode projects, and unlike previous versions that relied solely on xxd (hexdump) for encoding, the latest iteration incorporates Base64 encoding. Furthermore, its encoding technique and the number of encoding iterations are randomized, making reverse engineering more challenging. Complicating the analysis further, it obfuscates module names at the code level, making it tricky to determine their intent.Updated Persistence Mechanisms
The new variant uses two distinct techniques for persistence: the “zshrc” method and the “dock” method.- Zshrc Method: The malware creates a file named ~/.zshrc_aliases containing the payload and appends a command to the ~/.zshrc file. This ensures that the payload is executed every time a new shell session starts, allowing the malware to persist across sessions.
- Dock Method: The malware downloads a signed dockutil tool from a command-and-control (C2) server to manage dock items. It then creates a fake Launchpad application, replacing the legitimate Launchpad’s path in the dock. Every time the Launchpad is started, both the real Launchpad and the malicious payload are executed.
New Infection Techniques
The new variant introduces additional methods for embedding its payload into an Xcode project. The malware selects from different options, including TARGET, RULE, or FORCED_STRATEGY. It can also place the payload inside the TARGET_DEVICE_FAMILY key under build settings, executing it at a later phase of the development process.Mitigation and Detection
Microsoft Defender for Endpoint on Mac detects XCSSET, including this latest variant. Developers and macOS users are urged to be vigilant by scrutinizing and verifying any Xcode projects downloaded or cloned from repositories. Also, users should only install applications from trusted sources, such as official app stores, to minimize the risk of infection. As XCSSET continues to evolve, security researchers stress the importance of proactive cybersecurity measures to guard against this persistent and adaptable malware
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.