A new variant of the sophisticated XCSSET malware has been observed in recent, limited attacks against macOS users, Microsoft reports.
First seen in 2020, XCSSET spreads through Apple Xcode, the integrated development environment for macOS: threat actors inject malicious code into Xcode projects, and the victim’s system is infected when the project is executed.
The malware was designed to steal information associated with numerous chat applications, take screenshots, inject JavaScript code into websites, encrypt files and drop ransom notes, and upload files to the attackers’ server.
At the time of discovery, it was also exploiting two zero-day vulnerabilities to steal a Safari cookie file and to run the development version of the browser when the victim attempted to launch Safari.
An XCSSET variant observed in 2021 was specifically targeting devices powered by Apple’s M1 chip, which uses an arm64 CPU architecture.
Now, Microsoft has identified a new XCSSET variant that relies on new obfuscation methods, uses an updated persistence mechanism, and leverages new infection methods.
The malware now uses increased randomization when generating payloads to be injected into Xcode projects, drops the payload in a file that is executed when a new shell session is launched, and replaces the Launchpad’s dock path entry with a fake application to execute the payload, Microsoft explains.
“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” Microsoft notes in a post on X (formerly Twitter).
Additionally, the tech giant observed the updated malware variant using new methods for deciding where the malicious payload is placed in an Xcode project.
“The method is chosen from one of the following options: TARGET, RULE, or FORCED_STRATEGY. An additional method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a later phase,” Microsoft notes.
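A defender-side check for the build-settings placement described above, as an added example that is not Microsoft's code or part of the article: it scans the text of project.pbxproj files for TARGET_DEVICE_FAMILY values that are not a plain comma-separated list of device identifiers, which is all a legitimate project puts there. The regexes, the `find_anomalous_tdf`/`scan_tree` names and the two constructed pbxproj snippets are assumptions of this example.

```python
import re
from pathlib import Path
from typing import Dict, List

# Matches a TARGET_DEVICE_FAMILY assignment in the old-style plist syntax of
# project.pbxproj. The value is either a double-quoted string (which may
# itself contain ';') or a bare token up to the terminating semicolon.
_TDF_RE = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*);')

# A legitimate value is a comma-separated list of small integers, e.g. "1,2".
_BENIGN_RE = re.compile(r'^\d+(\s*,\s*\d+)*$')


def find_anomalous_tdf(pbxproj_text: str) -> List[str]:
    """Return every TARGET_DEVICE_FAMILY value that is not a plain device list."""
    hits = []
    for m in _TDF_RE.finditer(pbxproj_text):
        value = m.group(1).strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # drop the surrounding quotes
        if not _BENIGN_RE.match(value):
            hits.append(value)
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a source checkout and map each project.pbxproj with findings to them."""
    findings = {}
    for path in Path(root).rglob("project.pbxproj"):
        hits = find_anomalous_tdf(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples (not real project files): a normal setting and one whose
# value carries non-numeric content where only device identifiers belong.
SAMPLE_BENIGN = '''
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2";
        };
'''
SAMPLE_SUSPECT = '''
        buildSettings = {
            TARGET_DEVICE_FAMILY = "1,2 CONSTRUCTED_NON_NUMERIC_PLACEHOLDER";
        };
'''

if __name__ == "__main__":
    print("benign :", find_anomalous_tdf(SAMPLE_BENIGN))
    print("suspect:", find_anomalous_tdf(SAMPLE_SUSPECT))
```

An empty result from `find_anomalous_tdf` only says the key looks normal; the other placement options the article lists are not covered by this check.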
Related: Homebrew macOS Users Targeted With Information Stealer Malware
Related: 22 New Mac Malware Families Seen in 2024
