Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Elizabeth Montalbano, Contributing Writer

February 18, 2025

An Apple macOS laptop open on a desk
Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

Significant Enhancements to macOS Malware

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.
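As an added, defender-side illustration of the two persistence methods described above (example code written for this article, not Microsoft's analysis code or anything from the malware), the following script checks a copied `~/.zshrc` for lines that source or run another file, rating any reference to the `.zshrc_aliases` file name from the write-up as high, and parses a dock preferences plist to find a Launchpad tile whose path is not a stock Launchpad location. The stock Launchpad paths, the dock plist key layout, and all sample inputs are assumptions or constructed data, not taken from the article.

```python
"""Added defender-side check for the "zshrc" and "dock" persistence methods.
Example code, not Microsoft's or the malware's; the file name .zshrc_aliases
comes from the write-up, the Launchpad paths and sample data are assumed or
constructed."""
import os
import plistlib
import re
from typing import Dict, List

# Payload file name the write-up gives for the "zshrc" method.
ZSHRC_ALIASES = ".zshrc_aliases"

# Where a stock Launchpad is expected to live (assumed, not from the article).
LEGIT_LAUNCHPAD_PATHS = {
    "/System/Applications/Launchpad.app/",
    "/Applications/Launchpad.app/",
}

# A ~/.zshrc line that hands control to another file on every new shell.
_SOURCE_RE = re.compile(r"^\s*(?:source|\.|zsh|sh|bash)\s+(\S+)")


def find_zshrc_persistence(zshrc_text: str) -> List[Dict[str, object]]:
    """List every line of a ~/.zshrc that sources or runs another file.

    Anything pointing at .zshrc_aliases is rated 'high'; every other sourced
    file is returned as 'review' so an analyst sees the full set."""
    findings = []
    for lineno, line in enumerate(zshrc_text.splitlines(), start=1):
        match = _SOURCE_RE.match(line)
        if not match:
            continue
        target = match.group(1).strip("\"'")
        severity = "high" if target.endswith(ZSHRC_ALIASES) else "review"
        findings.append({"line": lineno, "target": target, "severity": severity})
    return findings


def build_dock_plist(tiles: List[Dict[str, str]]) -> bytes:
    """Build a com.apple.dock-style plist from label/url pairs.

    Used here only to construct offline sample data; the key names mirror
    the real dock plist (persistent-apps / tile-data / file-data)."""
    apps = [{"tile-data": {"file-label": t["label"],
                           "file-data": {"_CFURLString": t["url"],
                                         "_CFURLStringType": 15}}}
            for t in tiles]
    return plistlib.dumps({"persistent-apps": apps})


def find_dock_launchpad_anomalies(dock_plist: bytes) -> List[Dict[str, str]]:
    """Report any dock tile labelled Launchpad whose path is not a stock one.

    The "dock" method swaps the real Launchpad entry for a fake app, so the
    label stays familiar while the file URL points somewhere else."""
    dock = plistlib.loads(dock_plist)
    findings = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        if data.get("file-label") != "Launchpad":
            continue
        url = data.get("file-data", {}).get("_CFURLString", "")
        path = url[len("file://"):] if url.startswith("file://") else url
        if path.rstrip("/") + "/" not in LEGIT_LAUNCHPAD_PATHS:
            findings.append({"label": "Launchpad", "path": path})
    return findings


# Constructed sample inputs: a dotfile with one ordinary source line and one
# line launching the payload file, and a dock whose Launchpad tile was swapped.
SAMPLE_ZSHRC = """\
export PATH=$HOME/bin:$PATH
source ~/.oh-my-zsh/oh-my-zsh.sh
alias ll='ls -la'
zsh ~/.zshrc_aliases &
"""
SAMPLE_DOCK = build_dock_plist([
    {"label": "Safari", "url": "file:///Applications/Safari.app/"},
    {"label": "Launchpad", "url": "file:///Users/example/FakeLaunchpad/Launchpad.app/"},
])

if __name__ == "__main__":
    print(find_zshrc_persistence(SAMPLE_ZSHRC))
    print(find_dock_launchpad_anomalies(SAMPLE_DOCK))
    # Optionally run against the current user's own files (assumed default paths).
    zshrc_path = os.path.expanduser("~/.zshrc")
    dock_path = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
    if os.path.exists(zshrc_path):
        with open(zshrc_path, encoding="utf-8", errors="replace") as fh:
            print("~/.zshrc:", find_zshrc_persistence(fh.read()))
    if os.path.exists(dock_path):
        with open(dock_path, "rb") as fh:
            print("dock:", find_dock_launchpad_anomalies(fh.read()))
```

Both checks take their input as data rather than reading the live system inside the function, so they can be run over files collected from a suspect machine. The zshrc check deliberately reports every sourced file, because the payload file name could change between variants; the fixed name from the write-up only raises the severity.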

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED_STRATEGY, while an additional method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a later phase.
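The following script, added here as an example (not Microsoft's or Trend Micro's code), is the kind of inspection of a downloaded Xcode project that the advice section below calls for: it scans a `project.pbxproj` for the payload locations named above, run-script build phases and build rules on one hand and the `TARGET_DEVICE_FAMILY` build setting on the other, and flags a build setting whose value is not a plain device-family list or a script that decodes with `xxd` or `base64` and pipes the result into an interpreter. The regexes, the decode-and-pipe heuristic and the sample project fragment are assumptions or constructed data; a clean result is not proof that a project is uninfected.

```python
"""Added heuristic scan of an Xcode project.pbxproj for the payload locations
the write-up names (run-script build phases, build rules, and the
TARGET_DEVICE_FAMILY build setting). Example code, not Microsoft's or Trend
Micro's; the regexes and the sample project are assumptions/constructed."""
import re
import sys
from typing import Dict, List

# TARGET_DEVICE_FAMILY = <bare or double-quoted value>;
_DEVICE_FAMILY_RE = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+);')
# A legitimate value is a comma-separated list of small integers, e.g. "1,2".
_DEVICE_FAMILY_OK = re.compile(r"^[0-9]+(?:\s*,\s*[0-9]+)*$")
# shellScript (PBXShellScriptBuildPhase) or script (PBXBuildRule) bodies.
_SCRIPT_RE = re.compile(r'\b(shellScript|script)\s*=\s*"((?:[^"\\]|\\.)*)";')
# xxd or base64 decoding (the encodings the write-up names) piped into an interpreter.
_DECODE_EXEC_RE = re.compile(
    r"(?:xxd\s+-r|base64\s+(?:-d|-D|--decode))[^|;&\n]*\|\s*"
    r"(?:sh|bash|zsh|python\d?|perl|osascript)\b"
)


def _unescape(value: str) -> str:
    """Undo pbxproj string escaping (backslash-n, backslash-t, backslash-quote, double backslash)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def scan_pbxproj(text: str) -> List[Dict[str, str]]:
    """Return candidate findings for a human to review.

    Build-setting findings come first, then run-script findings, in file order."""
    findings = []
    for m in _DEVICE_FAMILY_RE.finditer(text):
        raw = m.group(1).strip()
        value = _unescape(raw[1:-1]) if raw.startswith('"') else raw
        if not _DEVICE_FAMILY_OK.match(value.strip()):
            findings.append({"kind": "build-setting", "key": "TARGET_DEVICE_FAMILY",
                             "detail": value.strip()[:80]})
    for m in _SCRIPT_RE.finditer(text):
        hit = _DECODE_EXEC_RE.search(_unescape(m.group(2)))
        if hit:
            findings.append({"kind": "run-script", "key": m.group(1), "detail": hit.group(0)})
    return findings


# Constructed pbxproj fragment: one benign run-script phase, one that decodes
# hex and pipes it to a shell, one normal TARGET_DEVICE_FAMILY and one that
# carries a command. NOT_A_REAL_PAYLOAD is a placeholder, not malware content.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AA01 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "# Type a script or drag a script file from your workspace to insert its path.\n";
        };
        AA02 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "echo 'NOT_A_REAL_PAYLOAD' | xxd -r -p | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
        BB01 /* Debug */ = {
            isa = XCBuildConfiguration;
            buildSettings = {
                PRODUCT_NAME = "$(TARGET_NAME)";
                TARGET_DEVICE_FAMILY = "1,2";
            };
        };
        BB02 /* Release */ = {
            isa = XCBuildConfiguration;
            buildSettings = {
                TARGET_DEVICE_FAMILY = "1,2; echo NOT_A_REAL_PAYLOAD | base64 -D | bash";
            };
        };
'''

if __name__ == "__main__":
    # Usage: python scan_pbxproj.py [path/to/project.pbxproj]; no argument scans the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PBXPROJ
    for finding in scan_pbxproj(text):
        print(f"[{finding['kind']}] {finding['key']}: {finding['detail']}")
```

Because `project.pbxproj` is an OpenStep-style property list that Python's `plistlib` does not parse, the scan works on the raw text; that keeps it simple but means unusual quoting could evade it, so treat it as a triage aid before a manual read of every run-script phase and build rule in a cloned project.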

Advice for macOS Cyber Defenders

Though traditionally not a target for threat actors, the macOS platform has become increasingly at risk from malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
