Enhanced XCSSET Malware Targets macOS Users with Advanced Obfuscation

Microsoft Threat Intelligence has recently uncovered a new variant of the XCSSET malware, a sophisticated modular macOS malware known for infecting Xcode projects.

This latest iteration features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, making it more challenging to detect and remove.

The malware primarily targets software developers who share Xcode project files, leveraging the collaborative nature of development environments to spread.

Advanced Techniques and Infection Chain

The new XCSSET variant employs a four-stage infection chain, starting with an obfuscated shell payload that is triggered when an infected Xcode project is built.

This payload communicates with a command-and-control (C2) server to download additional payloads, which are executed using shell scripts.

The malware uses both hexdump and Base64 encoding to obfuscate its payloads, making static analysis difficult.

It also checks for the version of XProtect, macOS’s built-in antivirus, to evade detection.

The malware’s persistence techniques include modifying shell configuration files and creating fake Launchpad applications to ensure its payload launches at specific events, such as new shell sessions or when a user opens Launchpad.

The fourth stage of the infection involves an AppleScript payload that gathers system information, including macOS version, Safari version, and firewall status, which it sends to the C2 server.

This payload also overrides the default log function to send logs to the C2 server.

The malware includes sub-modules for stealing system information, listing browser extensions, downloading additional modules, and stealing digital wallet data from browsers.

One of the sub-modules, cozfi_xhh, steals notes from the Notes application using a JavaScript payload.

Impact

According to the Report, While the new XCSSET variant is currently observed in limited attacks, its advanced capabilities pose a significant threat to macOS users, particularly developers.

Microsoft has shared these findings with Apple, emphasizing the importance of collaboration in mitigating threats.

To protect against this malware, users should be cautious when opening or sharing Xcode projects, ensure their systems are updated with the latest security patches, and use robust antivirus software.

Additionally, developers should implement secure coding practices and regularly scan their projects for malware.

As the threat landscape evolves, staying informed about emerging threats like XCSSET is crucial for maintaining cybersecurity.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.