Original Article Text


Microsoft spots XCSSET macOS malware variant used for crypto theft

A new variant of the XCSSET macOS modular malware has emerged in attacks that target users' sensitive information, including digital wallets and data from the legitimate Notes app. The malware is typically distributed through infected Xcode projects. It has been around for at least five years, and each update represents a milestone in XCSSET's development. The current improvements are the first ones observed since 2022.

Microsoft's Threat Intelligence team identified the latest variant in limited attacks and says that, compared to past XCSSET variants, the new one features enhanced code obfuscation, better persistence, and new infection strategies. In May 2021, Apple fixed a vulnerability that was actively exploited as a zero-day by XCSSET, an indication of the malware developer's capabilities.

New XCSSET variant in the wild

Microsoft warns today of new attacks that use a variant of the XCSSET macOS malware with improvements across the board. Some of the key modifications the researchers spotted include:

For the zshrc persistence method, the new XCSSET variant creates a file named ~/.zshrc_aliases that contains the payload and appends a command to the ~/.zshrc file. This way, the created file launches whenever a new shell session starts.

For the dock method, a signed dockutil tool is downloaded from the attacker's command-and-control (C2) server to manage dock items. XCSSET then creates a malicious Launchpad application with the payload and changes the legitimate app's path to point to the fake one. As a result, when the Launchpad in the dock starts, both the genuine application and the malicious payload are executed.

Xcode is Apple's developer toolset that comes with an Integrated Development Environment (IDE) and allows creating, testing, and distributing apps for all Apple platforms. An Xcode project can be created from scratch or built based on resources downloaded/cloned from various repositories. By targeting them, XCSSET's operator can reach a larger pool of victims.

XCSSET has multiple modules to parse data on the system, collect sensitive information, and exfiltrate it. The type of data targeted includes logins, info from chat applications and browsers, Notes app content, digital wallets, system information, and files. Microsoft recommends inspecting and verifying Xcode projects and codebases cloned from unofficial repositories, as those can hide obfuscated malware or backdoors.
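The two persistence spots described above (a ~/.zshrc hook into ~/.zshrc_aliases, and a Launchpad dock tile redirected to a look-alike app) can be triaged read-only from the shell. The script below is an added example, not code from the article or from Microsoft's report; it assumes macOS with zsh, that the stock Launchpad lives at /System/Applications/Launchpad.app (or /Applications/Launchpad.app on older releases), and that the dock layout is read from `defaults read com.apple.dock persistent-apps`. The indicator words in suspicious_alias_lines are a constructed list, not taken from the page.

```shell
#!/bin/sh
# Added example: read-only triage of the XCSSET persistence locations.
# Every check takes a file path so it also runs against saved copies offline.

# 0 if an uncommented line of the given zsh startup file references .zshrc_aliases.
# Legitimate setups can do this too, so a hit means "inspect", not "infected".
check_zshrc_aliases_hook() {
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -q '\.zshrc_aliases'
}

# Print lines of an aliases file that carry things an alias file should not need
# (constructed indicator list); exit 0 if anything was printed.
suspicious_alias_lines() {
    [ -f "$1" ] || return 1
    grep -nE 'eval|base64|curl|osascript|python[0-9]* -c|/tmp/' "$1"
}

# Given a saved dump of `defaults read com.apple.dock persistent-apps`, print every
# Launchpad tile URL that is not the stock app location (assumed paths, see lead-in).
find_non_system_launchpad() {
    grep -o '"_CFURLString" = "[^"]*Launchpad[^"]*"' "$1" \
        | sed 's/.*= "//; s/"$//' \
        | grep -vE '^file:///(System/)?Applications/Launchpad\.app/?$'
}

# Live scan of the current user: report, never modify.
scan_host() {
    if check_zshrc_aliases_hook "$HOME/.zshrc"; then
        echo "[!] $HOME/.zshrc references .zshrc_aliases"
        suspicious_alias_lines "$HOME/.zshrc_aliases" && echo "    (flagged lines above)"
    fi
    dump=$(mktemp)
    defaults read com.apple.dock persistent-apps > "$dump" 2>/dev/null
    find_non_system_launchpad "$dump" | sed 's/^/[!] non-stock Launchpad dock tile: /'
    rm -f "$dump"
}

# Run the live scan only when asked, so sourcing the file just defines the functions.
if [ "${1-}" = "scan" ]; then
    scan_host
fi
```

Run it as `sh xcsset_triage.sh scan` on the macOS host being examined; any output is a lead to inspect by hand, since a user-created ~/.zshrc_aliases or a relocated Launchpad can be benign.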

Daily Brief Summary

MALWARE // New XCSSET macOS Malware Variant Targets Crypto Wallets

Microsoft identifies an updated variant of the XCSSET macOS malware, focusing on stealing cryptocurrency.

This malware, distributed via infected Xcode projects, has evolved with enhanced obfuscation and persistence.

Key changes include a new persistence method based on the .zshrc startup file and a dock-based method that uses a signed dockutil tool.

The malware spreads through projects for Xcode, Apple's integrated development environment, posing risks to a broad developer base.

Targets include sensitive user data such as logins, digital wallet data, and Notes app content.

Microsoft advises developers to rigorously inspect Xcode projects, especially those sourced from unofficial repositories.

Apple had previously addressed, in 2021, a zero-day vulnerability exploited by XCSSET, highlighting the ongoing threat from this malware family.