Key Takeaways:
Microsoft has discovered a new variant of XCSSET, a sophisticated macOS malware family that has targeted users since at least 2020. The company has observed that this malware is now deploying advanced tactics to specifically target Apple developers in ongoing attacks.
The XCSSET malware was first spotted by security firm Trend Micro in 2020. It initially spread through infected Xcode projects (Xcode is the free development environment that Apple provides). The malware has been observed exploiting zero-day vulnerabilities and has been used to backdoor developers’ devices.
XCSSET can inject JavaScript backdoors into websites, read data from Safari browsers, take screenshots, encrypt files, as well as exfiltrate data to a system controlled by attackers. It can also steal credentials from various apps, including Telegram, Chrome, Skype, Evernote, Opera, WeChat, Notes, and Contacts.
According to the Microsoft Threat Intelligence team, this new variant is the first known significant update to the XCSSET malware since 2022. These new features make it easier for threat actors to spread the macOS malware and hide malicious activities.
Compared to the previous versions, both methods used for encoding payloads and the number of encoding iterations are significantly more randomized. This new XCSSET variant also uses Base64 to encode module names, which makes it harder to detect the malware’s modules.
This new XCSSET variant leverages two new mechanisms to maintain persistence on compromised devices. The first, the “zshrc” method, involves creating a file named ~/.zshrc_aliases that contains the payload. The malware then appends a command to ~/.zshrc so that the payload is launched in every new shell session.
In the “dock” method, XCSSET creates a fake Launchpad app and replaces the legitimate Launchpad path entry in the dock with this newly created malicious one. The payload is then started each time Launchpad is opened from the macOS dock.
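The two persistence locations described above can be checked from the defender's side. The following script is an added example written for this article, not code from Microsoft or from the malware itself: it flags lines in a .zshrc that source another file or mention ~/.zshrc_aliases, and it parses the Dock's preference plist for a Launchpad tile whose path is not the system bundle. The system Launchpad location, the Dock plist layout (persistent-apps → tile-data → file-data → _CFURLString) and all sample data are assumptions constructed for the example.

```python
import os
import plistlib
import re
from urllib.parse import unquote, urlparse

# Where Apple's own Launchpad bundle lives on current macOS (assumption for this example).
LEGIT_LAUNCHPAD = "/System/Applications/Launchpad.app"

# Constructed sample ~/.zshrc: two harmless lines plus the kind of line the
# "zshrc" persistence method is reported to append.
SAMPLE_ZSHRC = """\
# constructed sample ~/.zshrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
source ~/.zshrc_aliases
"""


def find_zshrc_persistence(zshrc_text):
    """Return non-comment lines that reference ~/.zshrc_aliases or that source/execute
    another file. Sourcing a file is not malicious by itself; every hit is a line a
    defender should read, and a .zshrc_aliases reference is the strong signal."""
    hits = []
    for line in zshrc_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if ".zshrc_aliases" in stripped or re.match(r"(?:source|\.)\s+\S", stripped):
            hits.append(stripped)
    return hits


def find_dock_launchpad_anomalies(dock_plist_bytes):
    """Parse a com.apple.dock plist (XML or binary) and return the on-disk path of any
    tile that is labelled Launchpad, or whose bundle is named Launchpad.app, but does
    not point at the system Launchpad bundle."""
    dock = plistlib.loads(dock_plist_bytes)
    suspicious = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        url = data.get("file-data", {}).get("_CFURLString", "")
        path = unquote(urlparse(url).path).rstrip("/")
        if (label == "Launchpad" or path.endswith("/Launchpad.app")) and path != LEGIT_LAUNCHPAD:
            suspicious.append(path)
    return suspicious


def build_sample_dock_plist(launchpad_path):
    """Construct a minimal Dock plist (sample data, not a real capture) with a Safari
    tile and a Launchpad tile pointing at launchpad_path."""
    dock = {
        "persistent-apps": [
            {"tile-data": {"file-label": "Safari",
                           "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                                         "_CFURLStringType": 15}}},
            {"tile-data": {"file-label": "Launchpad",
                           "file-data": {"_CFURLString": f"file://{launchpad_path}/",
                                         "_CFURLStringType": 15}}},
        ]
    }
    return plistlib.dumps(dock)


if __name__ == "__main__":
    # Live check on the current user's files when run on a Mac; falls back to the
    # constructed samples elsewhere so the script always demonstrates its output.
    zshrc = os.path.expanduser("~/.zshrc")
    dock_file = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
    if os.path.exists(zshrc):
        print("zshrc lines to review:", find_zshrc_persistence(open(zshrc).read()))
    else:
        print("sample zshrc hits:", find_zshrc_persistence(SAMPLE_ZSHRC))
    if os.path.exists(dock_file):
        print("dock anomalies:", find_dock_launchpad_anomalies(open(dock_file, "rb").read()))
    else:
        sample = build_sample_dock_plist("/Users/dev/Library/Launchpad.app")  # constructed path
        print("sample dock anomalies:", find_dock_launchpad_anomalies(sample))
```

Run on a Mac, the script reads the real ~/.zshrc and the Dock plist under ~/Library/Preferences; the plist is cached by cfprefsd, so a freshly changed Dock may take a moment to reach the file. Any non-empty result is a lead for manual review rather than a verdict.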
The latest variant of the macOS malware leverages new infection methods that determine where the payload is deployed in Xcode projects.
“The new XCSSET variant introduces new methods for where the payload is placed in a target Xcode project. The method is chosen from one of the following options: TARGET, RULE, or FORCED_STRATEGY. An additional method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a later phase,” the Microsoft Threat Intelligence team explained.
Microsoft mentioned that its Defender for Endpoint solution can now help security teams detect the new XCSSET variant. However, the company has yet to provide any indicators of compromise or hashes.
Microsoft advises developers to carefully inspect all Xcode projects downloaded or cloned from repositories. Since code is often shared and reused, malware takes advantage of this trust. When an infected project is compiled, the malicious code executes, potentially compromising the developer’s system.
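One concrete way to act on that advice, and on the TARGET_DEVICE_FAMILY placement quoted above, is to scan a project's project.pbxproj before building it. The script below is an added example for this article, not Microsoft's detection logic and not part of any real project: it reads the pbxproj text, flags any TARGET_DEVICE_FAMILY value that is not the usual comma-separated list of small integers (such as "1,2"), and lists every run-script build phase so it can be read by a human. The pbxproj snippet is constructed sample input; the suspicious value in it is a harmless echo, not a real payload.

```python
import re
import sys

# Apple documents TARGET_DEVICE_FAMILY as comma-separated device identifiers
# such as "1,2"; anything beyond digits and commas is out of place in that key.
TDF_RE = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))\s*;')
NORMAL_TDF = re.compile(r"^\s*\d+(?:\s*,\s*\d+)*\s*$")
# Run-script build phases store their script as an escaped string in shellScript.
SHELL_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Constructed sample project.pbxproj fragment: one ordinary run-script phase,
# one normal TARGET_DEVICE_FAMILY and one that carries extra shell text.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB12 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo \"build started\"\n";
		};
/* End PBXShellScriptBuildPhase section */
		CD34 /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				PRODUCT_NAME = "$(TARGET_NAME)";
				TARGET_DEVICE_FAMILY = "1,2";
			};
		};
		EF56 /* Release */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				TARGET_DEVICE_FAMILY = "1,2; /bin/echo CONSTRUCTED_SAMPLE";
			};
		};
'''


def find_suspicious_device_family(pbxproj_text):
    """Return every TARGET_DEVICE_FAMILY value that is not a plain list of integers."""
    hits = []
    for match in TDF_RE.finditer(pbxproj_text):
        value = match.group(1) if match.group(1) is not None else match.group(2)
        if not NORMAL_TDF.match(value):
            hits.append(value)
    return hits


def list_run_script_phases(pbxproj_text):
    """Return the decoded script body of every run-script build phase, for review.
    pbxproj escapes quotes and newlines with backslashes; unicode_escape undoes that."""
    return [match.group(1).encode("utf-8").decode("unicode_escape")
            for match in SHELL_RE.finditer(pbxproj_text)]


def inspect_project(pbxproj_text):
    """Summarise both checks as a dict; an empty 'device_family' list and a
    reviewed 'run_scripts' list is what a clean project should look like."""
    return {
        "device_family": find_suspicious_device_family(pbxproj_text),
        "run_scripts": list_run_script_phases(pbxproj_text),
    }


if __name__ == "__main__":
    # Usage: python inspect_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    report = inspect_project(text)
    print("unusual TARGET_DEVICE_FAMILY values:", report["device_family"])
    for i, script in enumerate(report["run_scripts"], 1):
        print(f"--- run-script phase {i} ---\n{script}")
```

The pbxproj check is a review aid: run-script phases are normal in many projects, so the list is there to be read, while a TARGET_DEVICE_FAMILY value containing anything other than digits and commas is a reason to stop and look before the project is ever compiled.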