Microsoft has identified a new variant of the XCSSET macOS malware, signaling a potential resurgence of this threat. The malware, known for spreading through infected Xcode projects, has so far been observed only in limited attacks, and Microsoft has published its findings to help users and organizations defend against it.

Background of XCSSET Malware

First documented in 2020, XCSSET spreads by injecting malicious code into Xcode projects (Xcode is Apple's integrated development environment for macOS), so the infection propagates when developers share or build a tainted project. Earlier campaigns also exploited zero-day macOS vulnerabilities, and the malware can install backdoors in Safari. Its capabilities include targeting digital wallets, collecting data from apps such as Evernote, Notes, Skype, Telegram, QQ, and WeChat, and exfiltrating system information and files. XCSSET can also take screenshots, encrypt files, and display ransom notes.

New Features in the Latest XCSSET Variant

The latest variant, detected by Microsoft, adds stronger obfuscation, updated persistence mechanisms, and new infection strategies. Payload generation is more randomized: the payload is encoded with Base64 and with xxd (a hexdump utility), and the number of encoding passes varies from sample to sample, which defeats static signatures written for one fixed encoding. Module names are also obfuscated at the code level, making it harder to tell what each module does.

New Persistence Techniques

  • Zshrc Method: The malware writes the payload into a file named ~/.zshrc_aliases. Because zsh does not read that file on its own, the malware also appends a command to ~/.zshrc that sources it, so the payload runs every time a new shell session starts.
  • Dock Method: The malware downloads a signed copy of the dockutil tool from its command-and-control server and uses it to edit dock items. It creates a fake Launchpad application and replaces the dock entry for the legitimate Launchpad with the fake one, so each time Launchpad is opened from the dock, the genuine Launchpad and the malicious payload are both executed.
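Both persistence techniques above leave artifacts in the user's home directory that can be checked without any vendor tooling. The following hunting script is an added example written for this page, not code from Microsoft's report or from the malware itself. It assumes the stock Launchpad bundle lives at /System/Applications/Launchpad.app (macOS 10.15 and later) and that the dock preference plist keeps its usual layout (persistent-apps, tile-data, file-data, _CFURLString); the sample ~/.zshrc contents and dock entries embedded below are constructed test data, not captured indicators.

```python
"""Hunt for XCSSET-style shell and dock persistence on a macOS user account.

Added example: checks ~/.zshrc for lines that source ~/.zshrc_aliases, checks
whether ~/.zshrc_aliases exists, and checks the dock plist for a Launchpad tile
whose path is not the stock Launchpad bundle.
"""
import os
import plistlib
from typing import List, Optional
from urllib.parse import unquote

# Assumption: stock Launchpad path on macOS 10.15 and later.
STOCK_LAUNCHPAD = "/System/Applications/Launchpad.app"


def zshrc_findings(zshrc_text: str, aliases_file_exists: bool) -> List[str]:
    """Flag non-comment ~/.zshrc lines referencing .zshrc_aliases and the file itself."""
    findings = []
    for lineno, line in enumerate(zshrc_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments cannot source anything
        if ".zshrc_aliases" in stripped:
            findings.append(f"~/.zshrc line {lineno} references .zshrc_aliases: {stripped}")
    if aliases_file_exists:
        findings.append("~/.zshrc_aliases exists (review its contents)")
    return findings


def dock_findings(dock_plist: bytes) -> List[str]:
    """Flag Launchpad dock tiles that do not point at the stock Launchpad bundle."""
    findings = []
    data = plistlib.loads(dock_plist)  # handles both XML and binary plists
    for tile in data.get("persistent-apps", []):
        tile_data = tile.get("tile-data", {})
        label = tile_data.get("file-label", "")
        url = tile_data.get("file-data", {}).get("_CFURLString", "")
        path = unquote(url[len("file://"):] if url.startswith("file://") else url).rstrip("/")
        if label == "Launchpad" or path.endswith("Launchpad.app"):
            if path != STOCK_LAUNCHPAD:
                findings.append(f"Dock tile {label!r} points at {path!r}, not {STOCK_LAUNCHPAD}")
    return findings


def hunt(home: Optional[str] = None) -> List[str]:
    """Run both checks against a real home directory (defaults to the current user)."""
    home = home or os.path.expanduser("~")
    findings: List[str] = []
    zshrc = os.path.join(home, ".zshrc")
    text = open(zshrc, encoding="utf-8", errors="replace").read() if os.path.exists(zshrc) else ""
    findings += zshrc_findings(text, os.path.exists(os.path.join(home, ".zshrc_aliases")))
    dock = os.path.join(home, "Library", "Preferences", "com.apple.dock.plist")
    if os.path.exists(dock):
        with open(dock, "rb") as fh:
            findings += dock_findings(fh.read())
    return findings


# Constructed sample data (not real indicators) so the checks can be exercised offline.
SAMPLE_ZSHRC = """# constructed sample ~/.zshrc
export PATH="$HOME/bin:$PATH"
source ~/.zshrc_aliases
"""

def _dock(launchpad_url: str) -> bytes:
    return plistlib.dumps({"persistent-apps": [
        {"tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/", "_CFURLStringType": 15}}},
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": launchpad_url, "_CFURLStringType": 15}}},
    ]})

CLEAN_DOCK = _dock("file:///System/Applications/Launchpad.app/")
SUSPICIOUS_DOCK = _dock("file:///Users/dev/Library/Launchpad.app/")  # constructed fake path

if __name__ == "__main__":
    for finding in zshrc_findings(SAMPLE_ZSHRC, True) + dock_findings(SUSPICIOUS_DOCK):
        print("SAMPLE:", finding)
    for finding in hunt():
        print("LIVE:", finding)
```

A user who legitimately keeps aliases in a file of that name will trigger the zshrc check, so treat a hit as a lead to review rather than a verdict; the dock check is stronger, since there is no benign reason for a Launchpad tile to point outside the system bundle.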

New Payload Placement Strategies

The new variant also introduces new ways of embedding the payload in a target Xcode project. Microsoft names three placement methods, TARGET, RULE, and FORCED_STRATEGY, and describes a fourth that places the payload inside the TARGET_DEVICE_FAMILY key under the project's build settings, where it is executed during a later build phase.
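An Xcode project stores its build settings, run-script phases and build rules as text in project.pbxproj, so a project received from a third party can be inspected before it is opened. The scanner below is an added example for this page, not Microsoft's detection logic or the malware's code. It flags a TARGET_DEVICE_FAMILY value that is anything other than the numeric device-family list Xcode expects, and flags shellScript (run-script phase) or script (build rule) bodies that decode Base64 or xxd-encoded data, since the page notes the payload is encoded with those two tools; the pbxproj fragments embedded below are constructed, not taken from a real infected project.

```python
"""Scan an Xcode project.pbxproj for suspicious build settings and build-time scripts.

Added example. Heuristics:
  * TARGET_DEVICE_FAMILY should be a comma-separated list of integers (e.g. "1,2").
  * shellScript / script bodies that decode Base64 or hex (base64 -d/-D/--decode,
    xxd -r) are flagged because they are the usual way to unpack an embedded payload.
"""
import re
from typing import List

# TARGET_DEVICE_FAMILY = "1,2";   or   TARGET_DEVICE_FAMILY = 1;
TDF_RE = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+);')
DEVICE_FAMILY_OK = re.compile(r"[0-9]+(?:,[0-9]+)*")

# shellScript = "..."; (PBXShellScriptBuildPhase)   script = "..."; (PBXBuildRule)
SCRIPT_RE = re.compile(r'\b(shellScript|script)\s*=\s*"((?:[^"\\]|\\.)*)";')
DECODER_RE = re.compile(r"base64\s+(?:-\w*[dD]\w*|--decode)|xxd(?:\s+-\w+)*\s+-r\b")


def _unescape(body: str) -> str:
    """Undo the pbxproj string escapes that matter for pattern matching."""
    return body.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")


def scan_pbxproj(text: str) -> List[str]:
    """Return one finding string per suspicious setting or script in the project text."""
    findings = []
    for m in TDF_RE.finditer(text):
        value = m.group(1).strip().strip('"')
        if not DEVICE_FAMILY_OK.fullmatch(value):
            findings.append(f"TARGET_DEVICE_FAMILY has non-numeric value: {value[:80]!r}")
    for m in SCRIPT_RE.finditer(text):
        key, body = m.group(1), _unescape(m.group(2))
        if DECODER_RE.search(body):
            findings.append(f"{key} decodes embedded data at build time: {body.strip()[:80]!r}")
    return findings


def scan_file(path: str) -> List[str]:
    """Scan a project.pbxproj on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_pbxproj(fh.read())


# Constructed pbxproj fragments (not from a real project) for offline testing.
CLEAN_PBXPROJ = '''
\t\tbuildSettings = {
\t\t\tPRODUCT_NAME = "$(TARGET_NAME)";
\t\t\tTARGET_DEVICE_FAMILY = "1,2";
\t\t};
\t\tshellScript = "echo \\"Building $PRODUCT_NAME\\"\\n";
'''

SUSPICIOUS_PBXPROJ = '''
\t\tbuildSettings = {
\t\t\tTARGET_DEVICE_FAMILY = "$(echo QUJD | base64 -D)";
\t\t};
\t\tshellScript = "echo 4142 | xxd -r -p | base64 -D | sh\\n";
\t\tscript = "printf %s QUJDRA== | base64 --decode > /tmp/x; sh /tmp/x\\n";
'''

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:
        for finding in scan_pbxproj(SUSPICIOUS_PBXPROJ):
            print("SAMPLE:", finding)
    for path in targets:
        for finding in scan_file(path):
            print(f"{path}: {finding}")
```

Run it as `python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj` before opening an untrusted project. A run-script phase that decodes data is not malicious by itself, so the output is a review queue, but a non-numeric TARGET_DEVICE_FAMILY has no legitimate use and deserves immediate attention.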