The XCSSET macOS malware, previously dormant, has resurfaced in a new variant posing a threat to Apple devices across the ecosystem. Microsoft Threat Intelligence recently brought this to light, highlighting the malware’s enhanced capabilities.
This new iteration of XCSSET, a family first documented in 2020 whose last previously known variant dates to 2022, exhibits more sophisticated obfuscation techniques, updated persistence mechanisms, and new infection strategies, according to Microsoft security experts. The malware primarily functions as an infostealer: it steals data from cryptocurrency wallets, extracts notes from the Apple Notes app, and collects system information and files from the victim's machine.
XCSSET's potency lies in its method of infection: rather than tricking end users into installing something, it injects its payload into Xcode project files, so the malicious code runs when a developer builds the project and travels with the project whenever it is shared or committed to source control. Xcode is Apple's official integrated development environment (IDE) for macOS, iOS, iPadOS, watchOS, and tvOS development, bundling a code editor, debugger, Interface Builder, and the tooling for testing and deploying apps, which makes the projects developers open in it a high-value target.
Beyond its obfuscation, this latest variant introduces two new persistence methods, which Microsoft labels "zshrc" and "dock." The "zshrc" technique writes the payload into a file at ~/.zshrc_aliases and appends a command to ~/.zshrc that sources it. Because zsh reads ~/.zshrc on every interactive session, the payload is re-executed each time the user opens a new terminal, giving the malware persistence across reboots without touching LaunchAgents or other locations defenders commonly monitor.
The "dock" technique downloads a legitimately signed copy of the dockutil tool from a command-and-control server and uses it to manipulate dock items. The malware creates a fake Launchpad app and uses dockutil to replace the path of the real Launchpad entry in the dock with the fake one. When the user clicks Launchpad, the fake app launches the genuine Launchpad so nothing looks amiss, and also executes the malicious payload, so the malware is re-run every time the user opens Launchpad. Using a signed third-party utility rather than custom code for the dock modification helps the activity blend in with ordinary administrative tooling.
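The two persistence artifacts described above are concrete enough to hunt for. The following is an added example, not code from Microsoft's report or from the malware, that checks a ~/.zshrc for a hook referencing .zshrc_aliases and parses a com.apple.dock.plist for a Launchpad tile whose target is not the system Launchpad. It assumes the legitimate Launchpad lives at /System/Applications/Launchpad.app (or the older /Applications/Launchpad.app); the sample .zshrc and dock plist it runs on are constructed inline so the script works offline.

```python
"""Triage check for the two XCSSET persistence artifacts: a .zshrc hook and a swapped Launchpad dock tile."""
import plistlib
from pathlib import Path
from urllib.parse import unquote, urlparse

# Constructed sample ~/.zshrc; the last line is the kind of hook the "zshrc" technique adds
SAMPLE_ZSHRC = (
    'export PATH="$HOME/bin:$PATH"\n'
    "alias ll='ls -la'\n"
    "[ -f ~/.zshrc_aliases ] && source ~/.zshrc_aliases\n"
)

# Assumption: these are the only legitimate locations of Launchpad.app on macOS
LEGITIMATE_LAUNCHPAD_PATHS = {
    "/System/Applications/Launchpad.app",
    "/Applications/Launchpad.app",
}


def find_zshrc_alias_hooks(zshrc_text: str) -> list[str]:
    """Return every non-comment .zshrc line that references the .zshrc_aliases artifact."""
    hits = []
    for raw in zshrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ".zshrc_aliases" in line:
            hits.append(line)
    return hits


def _file_url_to_path(url: str) -> str:
    """Turn a CFURL file:// string into a plain, percent-decoded filesystem path."""
    return unquote(urlparse(url).path).rstrip("/")


def find_dock_launchpad_tampering(dock_plist: bytes) -> list[str]:
    """Parse com.apple.dock.plist bytes; return dock tiles named Launchpad that point outside the system app."""
    data = plistlib.loads(dock_plist)
    suspicious = []
    for tile in data.get("persistent-apps", []):
        tile_data = tile.get("tile-data", {})
        url = tile_data.get("file-data", {}).get("_CFURLString", "")
        path = _file_url_to_path(url)
        looks_like_launchpad = (
            tile_data.get("file-label") == "Launchpad" or Path(path).name == "Launchpad.app"
        )
        if looks_like_launchpad and path not in LEGITIMATE_LAUNCHPAD_PATHS:
            suspicious.append(path)
    return suspicious


def build_sample_dock_plist(launchpad_url: str) -> bytes:
    """Constructed stand-in for ~/Library/Preferences/com.apple.dock.plist with a single Launchpad tile."""
    dock = {
        "persistent-apps": [
            {
                "tile-type": "file-tile",
                "tile-data": {
                    "file-label": "Launchpad",
                    "file-data": {"_CFURLString": launchpad_url, "_CFURLStringType": 15},
                },
            }
        ]
    }
    return plistlib.dumps(dock, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    # Run against the constructed samples; on a real Mac point these at ~/.zshrc and the dock plist instead
    print("zshrc hooks:", find_zshrc_alias_hooks(SAMPLE_ZSHRC))
    tampered = build_sample_dock_plist("file:///Users/dev/Library/Application%20Support/Launchpad.app/")
    print("dock tampering:", find_dock_launchpad_tampering(tampered))
```

On a live system, feed the script the contents of ~/.zshrc and the bytes of ~/Library/Preferences/com.apple.dock.plist (the dock stores it as a binary plist, which plistlib.loads handles). This is a triage check for the two artifacts the report names, not a general XCSSET detector; a clean result does not rule out the other persistence mechanisms or the infected Xcode project itself.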
While Microsoft Threat Intelligence has observed this new XCSSET variant in limited attacks so far, its disclosure aims to empower users and organizations with crucial information for implementing preventative measures. The potential widespread impact warrants proactive security awareness and action.
The resurgence of XCSSET underscores the persistent threat facing Apple users, and developers in particular. Because the malware rides along inside Xcode projects, the practical defenses follow from its mechanics: inspect the build phases and run scripts of any Xcode project obtained from a third party before building it, check ~/.zshrc for unexpected sourced files such as ~/.zshrc_aliases, and verify that the dock's Launchpad entry still points at the system Launchpad app.