Microsoft discovers new XCSSET macOS malware variant with enhanced obfuscation and persistence mechanisms

Microsoft Threat Intelligence has identified a new variant of XCSSET, a sophisticated macOS malware; it is the first new variant known since 2022. The malware, which targets users through infected Xcode projects, has so far been observed only in limited attacks but presents significant security concerns.
This latest iteration of XCSSET comes with substantial improvements to its malicious capabilities, building upon its existing functions of targeting digital wallets, collecting Notes app data, and exfiltrating system information and files.
The new variant introduces several sophisticated features. Its enhanced obfuscation methods now employ a more randomized approach to payload generation, utilizing both xxd (hexdump) and Base64 encoding techniques. The variant also obfuscates module names at the code level, making it more difficult to analyze its intended functions.
For persistence, the malware implements two distinct techniques. The “zshrc” method creates and manipulates shell session files so that the malware launches with each new shell session. The “dock” method is more intricate: it uses a signed dockutil tool to create a fake Launchpad application that, when launched, runs both the legitimate Launchpad and the malicious payload.
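The two persistence techniques described above lend themselves to simple host checks. The following is an added illustration, not code from Microsoft's report or from any detection product, of how a defender might review the Dock configuration and a shell startup file for the symptoms the article describes. It assumes that a genuine Launchpad lives at one of two standard paths (EXPECTED_LAUNCHPAD_PATHS), that the Dock stores its tiles under a persistent-apps array with tile-data/file-data/_CFURLString entries, and that a startup file decoding xxd or Base64 blobs into a shell is unusual enough to flag; the sample plist and .zshrc contents are constructed inline.

```python
import os
import plistlib
import re
from typing import List
from urllib.parse import unquote, urlparse

# Assumption: on a stock install Launchpad lives at one of these paths; a Dock
# tile labelled "Launchpad" that points anywhere else deserves a closer look.
EXPECTED_LAUNCHPAD_PATHS = {
    "/System/Applications/Launchpad.app",
    "/Applications/Launchpad.app",
}

# Heuristic for the "zshrc" technique: a startup file should not normally need
# to decode an xxd/Base64 blob and pipe the result into an interpreter.
DECODE_TO_SHELL_RE = re.compile(
    r"(?:base64\s+(?:-d|-D|--decode)|xxd(?:\s+-[a-zA-Z]+)*\s+-[a-zA-Z]*r)\b"
    r".*\|\s*(?:sh|bash|zsh)\b"
)


def _tile_path(tile: dict) -> str:
    """Turn a Dock tile's file:// URL into a plain filesystem path."""
    url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
    return unquote(urlparse(url).path).rstrip("/")


def suspicious_launchpad_tiles(dock_plist: bytes) -> List[str]:
    """Return paths of Dock tiles labelled Launchpad that are not the real app."""
    data = plistlib.loads(dock_plist)  # handles both XML and binary plists
    hits = []
    for tile in data.get("persistent-apps", []):
        label = tile.get("tile-data", {}).get("file-label", "")
        path = _tile_path(tile)
        if label == "Launchpad" and path not in EXPECTED_LAUNCHPAD_PATHS:
            hits.append(path)
    return hits


def suspicious_zshrc_lines(zshrc: str) -> List[str]:
    """Return lines of a shell startup file that decode a blob into a shell."""
    return [ln.strip() for ln in zshrc.splitlines() if DECODE_TO_SHELL_RE.search(ln)]


def _plist(label: str, url: str) -> bytes:
    """Build a minimal, constructed Dock plist with one persistent app tile."""
    return plistlib.dumps({
        "persistent-apps": [{
            "tile-data": {
                "file-data": {"_CFURLString": url, "_CFURLStringType": 15},
                "file-label": label,
            },
            "tile-type": "file-tile",
        }]
    })


# Constructed samples (not real artefacts): a stock Launchpad tile and a tile
# that carries the Launchpad label but points into a user-writable directory.
CLEAN_DOCK = _plist("Launchpad", "file:///System/Applications/Launchpad.app/")
FAKE_DOCK = _plist("Launchpad", "file:///Users/example/Library/Launchpad.app/")

CLEAN_ZSHRC = "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"
TAMPERED_ZSHRC = CLEAN_ZSHRC + "echo PLACEHOLDER_B64 | base64 -d | sh\n"


if __name__ == "__main__":
    # Run against the current user's real files when they exist.
    dock = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
    zshrc = os.path.expanduser("~/.zshrc")
    if os.path.exists(dock):
        with open(dock, "rb") as fh:
            print("Launchpad tiles to review:", suspicious_launchpad_tiles(fh.read()))
    if os.path.exists(zshrc):
        with open(zshrc) as fh:
            print(".zshrc lines to review:", suspicious_zshrc_lines(fh.read()))
```

Both checks are deliberately narrow: they confirm or rule out the two specific symptoms the article names rather than trying to recognise the malware itself, so a hit is a prompt for manual review, not a verdict.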
The infection strategy has also evolved, with the malware now offering multiple options for payload placement in Xcode projects, including TARGET, RULE, and FORCED_STRATEGY methods. An additional technique involves placing the payload within the TARGET_DEVICE_FAMILY key under build settings.
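Because the article describes both the obfuscation (xxd and Base64 staging) and the placement of payloads inside Xcode project build settings, a reviewer receiving a third-party project can check its project.pbxproj for both symptoms before building. The scanner below is an added example, not Microsoft's or Apple's code. It assumes the standard pbxproj text format (quoted shellScript values in PBXShellScriptBuildPhase entries, TARGET_DEVICE_FAMILY entries in buildSettings), that a legitimate TARGET_DEVICE_FAMILY value is a comma-separated list of single digits or $(inherited), and that a build phase invoking a Base64 or xxd decoder is worth flagging; both project fragments are constructed for the example.

```python
import re
import sys
from typing import List, Tuple

# Heuristic: decoder invocations the article associates with payload staging.
DECODER_RE = re.compile(
    r"\b(?:base64\s+(?:-d|-D|--decode)\b|xxd(?:\s+-[a-zA-Z]+)*\s+-[a-zA-Z]*r\b)"
)

# Assumption: TARGET_DEVICE_FAMILY legitimately holds a comma-separated list of
# single digits (1 = iPhone, 2 = iPad, ...) or $(inherited); anything else is
# unexpected in a build setting and should be looked at.
DEVICE_FAMILY_OK_RE = re.compile(r"^(?:[1-9](?:,[1-9])*|\$\(inherited\))$")

SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
DEVICE_FAMILY_RE = re.compile(
    r'TARGET_DEVICE_FAMILY\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))\s*;'
)


def unescape_pbx_string(s: str) -> str:
    """Undo the backslash escapes used inside quoted project.pbxproj strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def find_shell_scripts(pbxproj: str) -> List[str]:
    """Return the bodies of all PBXShellScriptBuildPhase shellScript values."""
    return [unescape_pbx_string(m.group(1)) for m in SHELL_SCRIPT_RE.finditer(pbxproj)]


def find_device_family_values(pbxproj: str) -> List[str]:
    """Return every TARGET_DEVICE_FAMILY value, whether quoted or bare."""
    values = []
    for m in DEVICE_FAMILY_RE.finditer(pbxproj):
        values.append(unescape_pbx_string(m.group(1)) if m.group(1) is not None else m.group(2))
    return values


def scan_pbxproj(pbxproj: str) -> List[Tuple[str, str]]:
    """Return (finding_kind, excerpt) pairs for anything that deserves review."""
    findings = []
    for script in find_shell_scripts(pbxproj):
        if DECODER_RE.search(script):
            findings.append(("build_phase_decoder", script.strip()))
    for value in find_device_family_values(pbxproj):
        if not DEVICE_FAMILY_OK_RE.match(value):
            findings.append(("unexpected_device_family", value))
    return findings


# Constructed sample: a benign project fragment with a lint build phase.
CLEAN_PBXPROJ = """
/* Begin PBXShellScriptBuildPhase section */
    AB12 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "swiftlint lint --quiet\\n";
    };
/* End PBXShellScriptBuildPhase section */
/* Begin XCBuildConfiguration section */
    CD34 /* Debug */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2";
        };
        name = Debug;
    };
/* End XCBuildConfiguration section */
"""

# Constructed sample: a build phase that decodes a blob into a shell, and a
# TARGET_DEVICE_FAMILY value that carries more than a device list.
SUSPICIOUS_PBXPROJ = """
/* Begin PBXShellScriptBuildPhase section */
    EF56 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo 3a0a | xxd -r -p | base64 -d | sh\\n";
    };
/* End PBXShellScriptBuildPhase section */
/* Begin XCBuildConfiguration section */
    GH78 /* Release */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            TARGET_DEVICE_FAMILY = "1,2; echo PLACEHOLDER_BASE64 | base64 -d | sh";
        };
        name = Release;
    };
/* End XCBuildConfiguration section */
"""


if __name__ == "__main__":
    # Usage: python scan_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SUSPICIOUS_PBXPROJ
    for kind, excerpt in scan_pbxproj(text):
        print(f"{kind}: {excerpt}")
```

The scan reads the project file as text rather than opening it in Xcode, so it can run on a fresh clone before any build phase has a chance to execute; a TARGET_DEVICE_FAMILY value that is not a plain device list is an immediate stop signal regardless of what the rest of the string contains.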
While Microsoft Defender for Endpoint on Mac can detect this new XCSSET variant, users are advised to exercise caution when working with Xcode projects from external sources. It is always recommended to install applications only from trusted sources, particularly official app stores.