Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware, marking its first update since 2022.
This sophisticated malware continues to target macOS users by infecting Xcode projects, a critical tool for Apple developers.
The latest variant introduces advanced obfuscation techniques, updated persistence mechanisms, and novel infection strategies, making it more challenging to detect and mitigate.
The malware now employs significantly randomized encoding methods for generating payloads.
Unlike earlier versions that relied solely on the xxd (hexdump) tool, the new variant incorporates Base64 encoding with randomized iterations.
Additionally, the module names within its code are obfuscated, further complicating analysis and detection efforts.
To ensure persistence, the malware uses two distinct methods: the “zshrc” method and the “dock” method.
The “zshrc” method involves creating a file named ~/.zshrc_aliases containing the malicious payload and appending a command to the ~/.zshrc file to execute it during every new shell session.
The “dock” method is more intricate, involving the download of a signed dockutil tool from a command-and-control (C2) server.
This tool is used to replace the legitimate Launchpad application in the dock with a fake one that runs both the legitimate app and the malicious payload simultaneously.
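The two persistence methods described above leave artifacts a defender can look for on an endpoint: a reference to ~/.zshrc_aliases in the user's ~/.zshrc, and a Dock tile labelled Launchpad whose path no longer points at the system Launchpad application. The following script is an added example written for this article, not code from Microsoft or from the malware analysis; it assumes the usual com.apple.dock.plist layout (persistent-apps / tile-data / file-data / _CFURLString) and that the genuine Launchpad lives at /System/Applications/Launchpad.app, and it runs against constructed samples when the real files are absent.

```python
import os
import plistlib
import re

# Constructed sample of a ~/.zshrc. The last line mirrors the persistence
# pattern described above: a command that loads ~/.zshrc_aliases on each shell start.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
[ -f ~/.zshrc_aliases ] && source ~/.zshrc_aliases
"""

# The exact command the malware appends is not given in the article, so the
# check flags any line that mentions the .zshrc_aliases filename at all.
ALIASES_RE = re.compile(r"\.zshrc_aliases")


def zshrc_suspect_lines(text):
    """Return (line_number, line) pairs of a .zshrc that reference .zshrc_aliases."""
    return [(n, line.rstrip()) for n, line in enumerate(text.splitlines(), 1)
            if ALIASES_RE.search(line)]


# Assumed location of the genuine Launchpad app on current macOS releases.
EXPECTED_LAUNCHPAD = "file:///System/Applications/Launchpad.app/"

# Constructed sample of ~/Library/Preferences/com.apple.dock.plist in which the
# Launchpad tile has been redirected to a path under the user's home directory.
SAMPLE_DOCK = plistlib.dumps({
    "persistent-apps": [
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": "file:///Users/dev/Library/Launchpad.app/",
                                     "_CFURLStringType": 15}}},
        {"tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                                     "_CFURLStringType": 15}}},
    ]
})


def launchpad_dock_paths(plist_bytes):
    """Return the URL of every Dock tile labelled Launchpad that is not the system app."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for tile in data.get("persistent-apps", []):
        tile_data = tile.get("tile-data", {})
        if tile_data.get("file-label") != "Launchpad":
            continue
        url = tile_data.get("file-data", {}).get("_CFURLString", "")
        if url != EXPECTED_LAUNCHPAD:
            hits.append(url)
    return hits


def _read_or_sample(path, sample, binary=False):
    """Use the real file when it exists, otherwise fall back to the constructed sample."""
    if os.path.isfile(path):
        with open(path, "rb" if binary else "r") as fh:
            return fh.read()
    return sample


if __name__ == "__main__":
    zshrc = _read_or_sample(os.path.expanduser("~/.zshrc"), SAMPLE_ZSHRC)
    for n, line in zshrc_suspect_lines(zshrc):
        print(f"~/.zshrc line {n} references .zshrc_aliases: {line}")
    dock = _read_or_sample(os.path.expanduser("~/Library/Preferences/com.apple.dock.plist"),
                           SAMPLE_DOCK, binary=True)
    for url in launchpad_dock_paths(dock):
        print(f"Dock Launchpad tile points outside the system app: {url}")
```

A hit from either function is a lead, not a verdict: a user may legitimately keep aliases in a separate file, and the Dock tile may be stale after an OS migration, so confirm by inspecting the referenced file or bundle before treating the host as compromised.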
The updated XCSSET variant also introduces innovative methods for embedding its payload into Xcode projects.
It selects from multiple techniques—TARGET, RULE, or FORCED_STRATEGY—or places its payload in the TARGET_DEVICE_FAMILY key under build settings.
According to Microsoft, these approaches allow the malware to execute during later phases of project compilation, increasing its chances of infecting unsuspecting users.
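Because the project file is plain text, a pre-build or repository check can catch the build-settings variant described above: Xcode writes TARGET_DEVICE_FAMILY as a short list of device-family numbers, so any other content in that key deserves review, and enumerating the project's run-script build phases shows what else executes during compilation. This is an added example for this article, not code from Microsoft or from any XCSSET sample; it assumes the standard project.pbxproj syntax and uses a constructed excerpt with an obviously placeholder value, not a real payload.

```python
import re
import sys

# Constructed excerpt of an Xcode project.pbxproj: one ordinary configuration,
# one whose TARGET_DEVICE_FAMILY holds more than a list of numbers, and one run-script phase.
SAMPLE_PBXPROJ = """\
/* Begin PBXShellScriptBuildPhase section */
    BB01 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo build";
    };
/* End PBXShellScriptBuildPhase section */
/* Begin XCBuildConfiguration section */
    AA01 /* Debug */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2";
        };
        name = Debug;
    };
    AA02 /* Release */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2 PLACEHOLDER_NON_NUMERIC_CONTENT";
        };
        name = Release;
    };
/* End XCBuildConfiguration section */
"""

# A TARGET_DEVICE_FAMILY assignment, quoted or bare, up to the terminating semicolon.
SETTING_RE = re.compile(r'^\s*TARGET_DEVICE_FAMILY\s*=\s*"?([^";]*)"?\s*;', re.M)
# What Xcode itself writes: one or more device-family numbers separated by commas.
NORMAL_VALUE_RE = re.compile(r'^\s*\d+(\s*,\s*\d+)*\s*$')
# The body of each run-script build phase (a quoted string with backslash escapes).
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')


def suspicious_device_family(text):
    """Return TARGET_DEVICE_FAMILY values that are not a plain numeric device list."""
    return [m.group(1) for m in SETTING_RE.finditer(text)
            if not NORMAL_VALUE_RE.match(m.group(1))]


def shell_script_phases(text):
    """Return the raw shellScript body of every run-script build phase for review."""
    return [m.group(1) for m in SHELL_SCRIPT_RE.finditer(text)]


def scan_pbxproj(text):
    """Summarise both checks as a dict; non-empty 'device_family' is the stronger signal."""
    return {"device_family": suspicious_device_family(text),
            "run_scripts": shell_script_phases(text)}


if __name__ == "__main__":
    # Usage: python check_pbxproj.py path/to/project.pbxproj (defaults to the sample).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PBXPROJ
    report = scan_pbxproj(text)
    for value in report["device_family"]:
        print(f"TARGET_DEVICE_FAMILY is not a plain device list: {value!r}")
    for script in report["run_scripts"]:
        print(f"run-script build phase: {script!r}")
```

Run-script phases are common and usually benign (code generation, linting), so that list is for human review, whereas a non-numeric TARGET_DEVICE_FAMILY has no legitimate reason to exist and can fail a CI check outright.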
This new variant builds on XCSSET’s previously known capabilities, which include stealing data from applications like notes, targeting digital wallets, exfiltrating system files, and even launching ransomware attacks.
Earlier versions exploited vulnerabilities in Safari and other browsers to steal cookies and inject malicious JavaScript into websites via universal cross-site scripting (UXSS) attacks.
These attacks allowed for credential theft, cryptocurrency address replacement, and unauthorized access to sensitive data.
To protect against this threat, users are advised to:
By adopting these precautions, developers and organizations can minimize their exposure to this evolving malware threat.