Microsoft uncovers sleuthy new XCSSET MacOS malware campaign

News
By published

XCSSET is back with better obfuscation, better persistence, and better infection techniques.

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)
  • Microsoft warns of new version of the XCSSET infostealer
  • It comes with new obfuscation, infection, and persistence techniques
  • It was seen in "limited" attacks in the wild

A new variant of a known macOS malware is making rounds on the internet, targeting users through infected Xcode projects.

Researchers from the Microsoft Threat Intelligence team said that the modular malware is seen in “limited attacks” at this time, but suggested that people should still keep their guard up.

According to the researchers, this is the first upgrade to XCSSET in three years. It now has enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.

Scrutinize Xcode projects

“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” Microsoft said.

Microsoft first reported of this new XCSSET strain in mid-February this year, and has now come forward with an in-depth analysis.

Xcode is Apple's official integrated development environment (IDE) for creating apps on macOS, iOS, iPadOS, watchOS, and tvOS. It includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps.

In essence, XCSSET is an infostealer. It is capable of pulling system information and files, stealing digital wallet data, and grabbing information from the official Notes app.

For obfuscation, XCSSET now uses a “significantly more randomized approach” for generating payloads to infect Xcode projects. When it comes to updated persistence mechanisms, the new variant uses two techniques: “zshrc”, and “dock”. Finally, for infection, there are now new methods for where the payload is placed in a target Xcode project.

“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects,” the company concluded. “They should also only install apps from trusted sources, such as a software platform’s official app store.”

The in-depth analysis of the malware and its modus operandi can be found on here.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Ransomware
Microsoft spies a new and worrying macOS malware strain
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Image of laptop infected with malware threat
This devious new macOS malware disguises itself as Chrome, Zoom installers
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
A person in a wheelchair working at a computer.
Why betting on Mac security could put your organization at risk
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Samuel and Romy standing very close together in A24's Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Seth Milchick and Kier Eagan's animatronic speaking in Severance season 2 episode 10
Apple TV+ announces Severance has been renewed for season 3 after that devastating finale
More about security
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
ChatGPT search extension in Chrome.

What is Rawbot? Everything we know about the AI comparison tool

See more latest
Most Popular
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Gemma staring at something off-camera in Severance season 2 episode 10
'Everyone is going to be so torn': Severance star Dichen Lachman reacts to the popular Apple TV+ show's most 'intense' season 2 finale event
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Samuel and Romy standing very close together in A24's Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
AMD Ryzen AI
New leak suggests AMD's working on an Arm-based processor to rival Qualcomm's Snapdragon X series
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Saturday, March 22 (game #384)