Microsoft spies a new and worrying macOS malware strain

News
By published

XCSSET infostealer was updated after more than two years

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)
  • Microsoft warns of new version of the XCSSET infostealer
  • It comes with new obfuscation, infection, and persistence techniques
  • Experts warn all users to be careful

Microsoft says it has spotted a new strain of an old macOS malware variant, one which comes with better obfuscation techniques, more persistence, and new infection mechanisms.

In a short X post, Microsoft detailed discovering a new version of XCSSET, which it describes as a “sophisticated modular macOS malware” that targets users through infected Xcode projects.

Xcode is Apple's official integrated development environment (IDE) for creating apps on macOS, iOS, iPadOS, watchOS, and tvOS. It includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps.

Limited attacks

In essence, XCSSET is an infostealer. It is capable of pulling system information and files, stealing digital wallet data, and grabbing information from the official Notes app. Its latest iteration comes after more than two years of being dormant, and appears to come with significant improvements.

To better hide itself, XCSSET now uses a “significantly more randomized” approach for generating payloads to infect Xcode projects, Microsoft explained. For persistence, XCSSET now uses two techniques, called “zshrc” and “dock”. In the first one, the malware creates a file named ~/.zshrc_aliases, which contains the payload. It then appends a command in the ~/.zshrc file to make sure the created file is launched every time a new shell session is initiated.

In the second one, the malware downloads a signed dockutil tool from a command-and-control server to manage the dock items. It then creates a fake Launchpad app and replaces the legitimate one’s entry in the doc. That way, when the victim runs the Launchpad from the dock, both the legitimate app and the malware are executed.

As for infection, XCSSET now comes with new methods for where the payload is placed in the Xcode project.

Microsoft said that at this time, it is only seeing the new variant in “limited attacks”, but wanted to sound the alarm on time, so that users and organizations can protect themselves.

“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects,” the company concluded. “They should also only install apps from trusted sources, such as a software platform’s official app store.”

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.