Discovered in 2020, the XCSSET malware gained notoriety for granting cybercriminals remote access to developers’ MacBooks. While this discovery led to improved macOS protection strategies, Microsoft Threat Intelligence has recently identified a new, more sophisticated XCSSET variant targeting macOS.
Malicious actors used the previously-known XCSSET varient to exploit macOS vulnerabilities targeting keychains, to steal crucial documents and sensitive information like usernames and passwords. It primarily spread through Xcode projects. In addition to its previously known abilities, the new variant adds functionality that makes it more difficult to detect and remove from macOS.
Beyond generating payloads with increased randomization, this new XCSSET variant employs a more complex method to hide the intended functionality of its code. This tricks unsuspecting developers into incorporating the infected code into their projects without realizing its malicious nature. The variant also uses both xxd and Base64 encoding, unlike the previous versions that used only xxd. Furthermore, its zshrc methods have sophisticated abilities that ensure its persistence across shell sessions.
Microsoft threat intelligence also observed that the new malware variant is more stealthy and can remain undetected in macOS. Its sophisticated infection techniques target Xcode projects, easily inserting payloads into the TARGET_DEVICE_FAMILY key. Furthermore, it has improved its abilities to target crypto wallets and steal system information, and it seamlessly steals data from the Notes app.
Microsoft has confirmed in a tweet that its Defender for Endpoint on Mac detects both the old and new variants of XCSSET malware. However, no security solution is perfect. So, if you’re a developer, you will benefit from extra caution. Only download plugins and Xcode projects from trusted sources, ensuring you use the latest versions. Carefully inspect Xcode projects before opening them, as infected projects can trigger payloads that will compromise your mac. While antivirus software can offer additional protection, avoid installing apps from third-party sources whenever possible as well.