Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated modular macOS malware that targets Xcode projects. The malware was found in the wild during routine threat hunting and is the first known XCSSET variant to surface since 2022.
This new version of XCSSET features stronger obfuscation methods, updated techniques to maintain persistence on infected machines, and new ways of infecting systems. These improvements help the malware steal and exfiltrate files, as well as sensitive system and user information, including digital wallet data and personal notes.
XCSSET is designed to infect Xcode projects and executes when a developer builds the project. Since Xcode is widely used by Apple and macOS developers, Microsoft believes the malware spreads by taking advantage of shared project files among developers. While this variant shares some traits with older versions, it introduces a more modular structure and encoded payloads.
Harder to Find and Remove
It also features better error handling and relies heavily on scripting languages, UNIX commands, and legitimate system binaries to fly under the security radar. In some instances, it can even operate without leaving files on disk, making it trickier to find and remove.
At the code level, the malware hides the names of its modules to prevent analysts from easily understanding its functions. It also uses more advanced obfuscation, such as randomizing how payloads are created and encoded when infecting Xcode projects. Unlike earlier variants that used only xxd (hexdump) for encoding, the latest XCSSET also uses Base64.
The malware uses three different persistence methods to ensure it continues running: it launches when a new shell session starts, when a user opens a fake Launchpad app, or when a user makes commits in Git. Additionally, it introduces a new tactic for embedding its malicious payload directly into targeted Xcode projects.
Microsoft’s investigation also found that some parts of the malware appear to be still under development. Its command-and-control (C2) server was active at the time Microsoft released its report and was distributing additional modules.
Microsoft advises developers and security teams to remain vigilant and monitor their Xcode projects and environments for suspicious activity.
An Uptick in macOS Attacks
Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck says there has been an uptick in sophisticated attacks against macOS systems and this latest malware is another example.
“The techniques seen in this malware show that the developers spent a considerable amount of time researching ways to remain undetected. Gone are the days where macOS users could operate without installing anti-virus or EDR software. To prevent these attacks from spreading, users of Xcode should make sure their endpoint protection software is up to date and run scans to determine if they’ve been infected or not.”
A Serious Threat to Apple Developers
This new XCSSET variant represents a serious threat to Apple developers, with its enhanced ability to hide within Xcode projects and spread when these projects are shared between teams, adds J Stephen Kowski, Field CTO at SlashNext.
“This sophisticated attack targets the software supply chain at its source, potentially compromising apps before they’re even built, with the malware’s improved obfuscation techniques and multiple persistence methods making it particularly difficult to detect. Real-time code scanning and advanced threat detection tools that can identify suspicious behaviors in development environments are essential for protecting against these types of attacks,” Kowski adds.
He advises developers to implement multi-layered security approaches that include continuous monitoring of project files for unexpected changes and strict verification of all code sources before integration.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.