Stealthier XCSSET Malware Strikes macOS Users with Upgraded Obfuscation

A new variant of the XCSSET malware has been identified by Microsoft Threat Intelligence, marking a significant evolution in its capabilities to infect macOS systems.

The malware targets Xcode projects, the project format used by macOS and iOS developers, and spreads through the routine sharing of those projects between developers: anyone who pulls an infected project and builds it runs the payload.

The latest variant features enhanced obfuscation techniques, improved persistence mechanisms, and new infection strategies, making it more challenging to detect and remove.

Enhanced Capabilities and Obfuscation

The new XCSSET variant employs a modular approach with encoded payloads, utilizing scripting languages, UNIX commands, and legitimate binaries to maintain a low profile on affected devices.

[Figure: The boot() function of the AppleScript payload]

Much of the chain stays fileless: payloads are decoded and executed in memory rather than written to disk, which leaves little for file-based scanning to find.

The malware obfuscates its module names, which hampers static analysis, and randomizes how it generates the payload it plants in Xcode projects, so infected projects do not share a single fixed signature.

Unlike previous variants, which relied solely on xxd (a hex-dump utility) to encode their payloads, this version also uses Base64, giving analysts a second encoding layer to strip before the payload can be read.

The malware follows a four-stage infection chain.

The first stage involves an obfuscated shell payload launched when an infected Xcode project is built.

This payload communicates with a command-and-control (C2) server to download additional payloads.

Subsequent stages involve collecting device information, manipulating system files, and establishing persistence through methods like modifying shell configurations or creating fake applications.
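The first stage described above is a shell payload that runs when the project is built, and the payload is hidden behind hex (xxd) and Base64 encoding. The following added example, written for this article and not Microsoft's detection logic or code from XCSSET, shows the two things an analyst would do with a suspect project file: flag lines in project.pbxproj that decode a blob and pipe it straight into an interpreter, then peel the encoding layers to recover the command underneath. The project file is constructed, and the encoded command inside it is a harmless echo.

```python
"""Triage helper for Xcode projects: flag lines in project.pbxproj that decode an
encoded blob and hand it straight to an interpreter, then peel the hex (xxd -p
style) and Base64 layers so an analyst can read the command underneath.

Added example written for this article; not Microsoft's detection logic and not
code from XCSSET. SAMPLE_PBXPROJ is constructed and its payload is a benign echo.
"""
import base64
import binascii
import re

# A decoder (xxd -r or base64 -d) on the same line as a pipe into an interpreter.
DECODER_RE = re.compile(r"xxd\s+-r|base64\s+(?:-d|-D|--decode)")
INTERP_RE = re.compile(r"\|\s*(?:eval|sh|bash|zsh|osascript|python[0-9.]*)\b")
# Candidate payload: the longest run of hex/Base64 alphabet characters on the line.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def find_decode_and_exec(pbxproj_text: str):
    """Return (line_number, line) for every line that both decodes and executes."""
    return [
        (n, line.strip())
        for n, line in enumerate(pbxproj_text.splitlines(), start=1)
        if DECODER_RE.search(line) and INTERP_RE.search(line)
    ]


def extract_blob(line: str) -> str:
    """Take the longest encoded-looking token on the line as the payload."""
    return max(BLOB_RE.findall(line), key=len, default="")


def peel_layers(blob: str, max_depth: int = 5):
    """Undo hex and Base64 layers until the text is no longer one of those
    encodings. Returns (layers_peeled, innermost_text). Hex is tried first
    because hex digits are also valid Base64 alphabet. A literal space ends
    the loop: shell commands contain spaces, xxd -p and base64 output do not."""
    layers, current = [], blob
    for _ in range(max_depth):
        if " " in current.strip():
            break
        compact = re.sub(r"[\r\n]", "", current)  # tolerate wrapped output
        if HEX_RE.fullmatch(compact) and len(compact) % 2 == 0:
            raw, layer = bytes.fromhex(compact), "hex"
        elif B64_RE.fullmatch(compact) and len(compact) % 4 == 0:
            try:
                raw, layer = base64.b64decode(compact, validate=True), "base64"
            except binascii.Error:
                break
        else:
            break
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            break  # binary layer: stop and keep the last readable text
        layers.append(layer)
    return layers, current


def triage(pbxproj_text: str):
    """Combine detection and decoding into one report per suspicious line."""
    report = []
    for n, line in find_decode_and_exec(pbxproj_text):
        blob = extract_blob(line)
        layers, command = peel_layers(blob) if blob else ([], None)
        report.append({"line": n, "layers": layers, "command": command})
    return report


# Constructed sample: a benign run-script phase followed by one that mimics the
# pattern described in the article (hex-wrapped Base64, decoded and piped to sh).
_INNER_COMMAND = "echo XCSSET triage sample"
_ENCODED = binascii.hexlify(base64.b64encode(_INNER_COMMAND.encode())).decode()
SAMPLE_PBXPROJ = f"""// !$*UTF8*$!
{{
    AB12 /* Lint */ = {{
        isa = PBXShellScriptBuildPhase;
        shellScript = "swiftlint --quiet\\n";
    }};
    CD34 /* Run Script */ = {{
        isa = PBXShellScriptBuildPhase;
        shellScript = "echo {_ENCODED} | xxd -r -p | base64 -d | sh\\n";
    }};
}}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PBXPROJ):
        print(f"line {finding['line']}: peeled {finding['layers']} -> {finding['command']!r}")
```

Run it against a real project with `triage(open("project.pbxproj").read())`. The line-level heuristic deliberately ignores where in the pbxproj the script sits, so it catches a decode-and-run chain whether it lives in a run-script build phase or in a build setting; the decoded text still needs a human read, since a short payload that happens to fit the Base64 alphabet can be over-decoded.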

The malware can steal system information, browser extensions, digital wallet data, and even notes from the Notes application.

Persistence and Data Exfiltration

According to the report, the malware establishes persistence in more than one way, including appending to the user's shell configuration file (~/.zshrc) and creating fake applications that mimic legitimate ones such as Launchpad.

These tactics relaunch the malware whenever a new shell session starts or whenever the user opens the fake application.
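The two persistence mechanisms above leave artifacts an incident responder can check: a ~/.zshrc that pulls in an extra script or decodes and runs a blob inline, and a Dock tile labelled "Launchpad" that points at something other than the real Launchpad.app. The following added example, written for this article and not Microsoft's or Apple's tooling, implements both checks. The rc file and Dock plist are constructed; on a real Mac you would read ~/.zshrc and ~/Library/Preferences/com.apple.dock.plist instead. The hidden-file name and bundle path in the samples are made up for illustration, and the assumption that the fake app is reached through the Dock is ours.

```python
"""Persistence checks for a modified ~/.zshrc and a fake Launchpad Dock tile.

Added example for this article; not Microsoft's or Apple's tooling. SAMPLE_ZSHRC
and SAMPLE_DOCK are constructed inputs standing in for the real files.
"""
import plistlib
import re

# Genuine Launchpad locations: /Applications before macOS 10.15, /System/Applications after.
GENUINE_LAUNCHPAD = {
    "file:///System/Applications/Launchpad.app",
    "file:///Applications/Launchpad.app",
}
# A line that sources or runs another file, capturing the file operand.
SOURCE_RE = re.compile(r"^(?:source|\.|sh|zsh|bash|osascript)\s+(\S+)")
# A decoder piped into an interpreter on a single rc line.
DECODE_EXEC_RE = re.compile(
    r"(?:xxd\s+-r|base64\s+(?:-d|-D|--decode)).*\|\s*(?:eval|sh|bash|zsh|osascript)\b"
)


def suspicious_zshrc_lines(rc_text: str, allowlist=()):
    """Return (line_number, reason, line) for rc lines an analyst should review.
    `allowlist` holds file operands known to be legitimate (plugin managers etc.)."""
    findings = []
    for n, line in enumerate(rc_text.splitlines(), start=1):
        code = line.split("#", 1)[0].strip()  # drop trailing comments
        if not code:
            continue
        if DECODE_EXEC_RE.search(code):
            findings.append((n, "decode-and-exec", code))
            continue
        m = SOURCE_RE.match(code)
        if m and m.group(1).strip("\"'") not in allowlist:
            findings.append((n, "sources-external-script", code))
    return findings


def rogue_launchpad_tiles(dock_plist: bytes):
    """Return the URL of every Dock tile labelled Launchpad that does not resolve
    to the genuine application bundle. Accepts binary or XML plist bytes."""
    dock = plistlib.loads(dock_plist)
    rogue = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        if data.get("file-label") != "Launchpad":
            continue
        url = data.get("file-data", {}).get("_CFURLString", "")
        if url.rstrip("/") not in GENUINE_LAUNCHPAD:
            rogue.append(url)
    return rogue


# Constructed ~/.zshrc: two ordinary lines, one allowlisted plugin, then a
# sourced hidden file and an inline decode-and-run of the kind described above.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
source ~/.fzf.zsh   # plugin the user installed on purpose
alias ll='ls -la'
source ~/.zsh_extra
echo 6563686f2068656c6c6f | xxd -r -p | sh
"""

# Constructed Dock plist in the on-disk binary format: Safari plus a
# "Launchpad" tile whose bundle lives under the user's Library, not /System.
FAKE_LAUNCHPAD_URL = "file:///Users/dev/Library/Application%20Support/.hidden/Launchpad.app/"
SAMPLE_DOCK = plistlib.dumps(
    {
        "persistent-apps": [
            {"tile-data": {"file-label": "Safari",
                           "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                                         "_CFURLStringType": 15}}},
            {"tile-data": {"file-label": "Launchpad",
                           "file-data": {"_CFURLString": FAKE_LAUNCHPAD_URL,
                                         "_CFURLStringType": 15}}},
        ]
    },
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for n, reason, code in suspicious_zshrc_lines(SAMPLE_ZSHRC, allowlist=("~/.fzf.zsh",)):
        print(f"~/.zshrc line {n} [{reason}]: {code}")
    for url in rogue_launchpad_tiles(SAMPLE_DOCK):
        print(f"Dock 'Launchpad' tile points to {url}")
```

The rc check lists every sourced file rather than trying to judge names, because the malware's choice of filename is not something to key on; the allowlist is how you tune out plugin managers and tools the user installed knowingly. The Dock check compares the tile's file URL against the two locations where Launchpad actually ships, so any "Launchpad" tile resolving elsewhere is worth a look.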

[Figure: Path list received from C2 server]

The malware also exfiltrates the stolen data to its C2 server, which remained active at the time of the report and continues to serve additional modules for download.

Microsoft has shared these findings with Apple to enhance security measures against this threat.

The variant has so far been observed only in limited attacks; Microsoft's analysis and accompanying recommendations are intended to help users and organizations defend against it as it evolves.
