Friday, April 25, 2025
Mac Malware That Spreads via Xcode Projects Adapts to macOS 11 & M1-based Macs

Cybersecurity researchers have recently detected a malware campaign that, according to the experts, abuses the Xcode development environment.

The campaign now also targets the new Apple M1 chips and enables data to be stolen from cryptocurrency wallet applications.

After investigation, the analysts determined that the XCSSET malware is behind the campaign; moreover, this is not the first time the experts have detected this malware.

XCSSET malware was initially detected in August 2020, and since then it has continuously targeted software developers in order to steal data.

XCSSET generally repackages its payload modules so that they are presented as legitimate Mac apps, which later end up infecting local Xcode projects.

It mainly injects the primary payload so that the payload executes when a compromised project is built.

C&C domains

  • Titian[.]com
  • Findmymacs[.]com
  • Statsmag[.]com
  • Statsmag[.]xyz
  • Adoberelations[.]com
  • Trendmicronano[.]com

Payloads of XCSSET

bootstrap.applescript: This payload is also known as the binary Pods; the security researchers affirmed that it contains the logic to call the other malicious AppleScript modules.

replicator.applescript: The experts studied this payload and declared that it is responsible for injecting malicious code into all local Xcode projects.

agent.php: According to the experts' analysis, this payload hosts most of the code used to handle requests for controlling browsers.

Prominent changes for macOS 11 Big Sur

Apple has made prominent changes to keep its devices up to date, releasing its new operating system, Big Sur, together with new Mac products equipped with ARM-based M1 processors.

However, beyond adding support for the M1 chip, the XCSSET malware has also made other changes to accommodate macOS 11 Big Sur.

According to the Trend Micro report, software built for the x86_64 architecture can still run on macOS 11 with the help of Rosetta 2, an emulator built into Big Sur.

Browsers used to carry out UXSS attacks

The browsers used by the threat actors to carry out UXSS attacks are listed below:

  • Microsoft Edge
  • Google Chrome
  • Brave
  • Opera
  • Mozilla Firefox
  • Yandex Browser
  • Qihoo 360 Browser

New Findings on the Landing Mach-O File

After investigating the whole campaign, the analysts found that all the binary files downloaded straight from the C&C server have changed from Mach-O files with an x86_64 architecture to universal binary files containing both x86_64 and ARM64 architectures, with three notable exceptions, including “cat” and “Pods”, which are the landing Mach-O binary files.

After a proper analysis, the researchers came to know that the Mach-O binary files were triggered by infected Xcode projects.
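Whether a downloaded binary is an x86_64-only Mach-O or a universal (fat) binary with both x86_64 and ARM64 slices, as the report describes, can be checked from the file header alone. The following checker is an added example and not code from the article or from Trend Micro; the sample headers are constructed inline and the Mach-O magic and CPU-type constants are the standard values from Apple's mach-o headers.

```python
import struct

# Standard Mach-O constants (from <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>)
FAT_MAGIC = 0xCAFEBABE        # universal (fat) header, always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O, stored in host (little-endian) order
MH_MAGIC = 0xFEEDFACE         # 32-bit thin Mach-O
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64", 0x7: "i386"}

def macho_archs(data: bytes) -> list:
    """Return the CPU architectures contained in a Mach-O blob (thin or fat).

    Returns [] when the data is not recognisably Mach-O. Note that Java class
    files share the 0xCAFEBABE magic; the fat_arch bounds check below rejects
    them because their next field is not a small slice count.
    """
    if len(data) < 8:
        return []
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or len(data) < 8 + nfat * 20:   # struct fat_arch is 20 bytes
            return []
        archs = []
        for i in range(nfat):
            off = 8 + i * 20
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", data[:4])[0] in (MH_MAGIC_64, MH_MAGIC):
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []

def is_universal(data: bytes) -> bool:
    """True when the blob is a fat binary carrying more than one architecture."""
    return len(macho_archs(data)) > 1

# Constructed sample headers (not real malware): a fat header with x86_64 and
# arm64 slices, and a thin 64-bit x86_64 mach_header_64 (32 bytes).
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x1000, 0x100, 12)
              + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x2000, 0x100, 14))
SAMPLE_THIN_X86 = struct.pack("<IIIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0) + b"\0" * 4

if __name__ == "__main__":
    for name, blob in (("fat", SAMPLE_FAT), ("thin", SAMPLE_THIN_X86)):
        print(name, macho_archs(blob), "universal" if is_universal(blob) else "single-arch")
```

Run over a directory of downloaded or build-time artefacts, the function gives an inventory of which files carry an arm64 slice, which is the change in the C&C payloads that the report highlights.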

Distributing XCSSET through compromised Xcode projects is a very big threat to developers. Moreover, the developers who were affected have posted all their work on GitHub.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
