Cyber Security News

Enhanced XCSSET Malware Targets macOS Users with Advanced Obfuscation

Microsoft Threat Intelligence has recently uncovered a new variant of the XCSSET malware, a sophisticated modular macOS malware known for infecting Xcode projects.

This latest iteration features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, making it more challenging to detect and remove.

The malware primarily targets software developers who share Xcode project files, leveraging the collaborative nature of development environments to spread.

Advanced Techniques and Infection Chain

The new XCSSET variant employs a four-stage infection chain, starting with an obfuscated shell payload that is triggered when an infected Xcode project is built.

XCSSET MalwareXCSSET Malware
Obfuscated first-stage shell payload

This payload communicates with a command-and-control (C2) server to download additional payloads, which are executed using shell scripts.

The malware uses both hexdump and Base64 encoding to obfuscate its payloads, making static analysis difficult.

It also checks for the version of XProtect, macOS’s built-in antivirus, to evade detection.

The malware’s persistence techniques include modifying shell configuration files and creating fake Launchpad applications to ensure its payload launches at specific events, such as new shell sessions or when a user opens Launchpad.

The fourth stage of the infection involves an AppleScript payload that gathers system information, including macOS version, Safari version, and firewall status, which it sends to the C2 server.

This payload also overrides the default log function to send logs to the C2 server.

The malware includes sub-modules for stealing system information, listing browser extensions, downloading additional modules, and stealing digital wallet data from browsers.

Browser’s path list

One of the sub-modules, cozfi_xhh, steals notes from the Notes application using a JavaScript payload.

Impact

According to the Report, While the new XCSSET variant is currently observed in limited attacks, its advanced capabilities pose a significant threat to macOS users, particularly developers.

Microsoft has shared these findings with Apple, emphasizing the importance of collaboration in mitigating threats.

To protect against this malware, users should be cautious when opening or sharing Xcode projects, ensure their systems are updated with the latest security patches, and use robust antivirus software.

Additionally, developers should implement secure coding practices and regularly scan their projects for malware.

As the threat landscape evolves, staying informed about emerging threats like XCSSET is crucial for maintaining cybersecurity.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Critical Vulnerability in Ubiquiti UniFi Protect Camera Allows Remote Code Execution by Attackers

Critical security vulnerabilities in Ubiquiti’s UniFi Protect surveillance ecosystem-one rated the maximum severity score of…

41 minutes ago

IXON VPN Client Vulnerability Allows Privilege Escalation for Attackers

A critical security vulnerability in IXON’s widely used VPN client has exposed Windows, Linux, and…

47 minutes ago

Cisco IOS Software SISF Vulnerability Could Enable Attackers to Launch DoS Attacks

Cisco has released security updates addressing a critical vulnerability in the Switch Integrated Security Features…

48 minutes ago

Seamless AI Communication: Microsoft Azure Adopts Google’s A2A Protocol

Microsoft has announced its support for the Agent2Agent (A2A) protocol, an open standard developed in…

53 minutes ago

Radware Cloud Web App Firewall Flaw Allows Attackers to Bypass Security Filters

Security researchers have uncovered two critical vulnerabilities in Radware’s Cloud Web Application Firewall (WAF) that…

1 hour ago

ESET Reveals How to Spot Fake Calls Demanding Payment for ‘Missed Jury Duty’

ESET, a leading cybersecurity firm, has shed light on one particularly insidious scheme: fake calls…

1 hour ago