XCSSET macOS malware returns with first new version since 2022

Known for popping zero-days of yesteryear, Microsoft puts Apple devs on high alert


Microsoft says there's a new variant of XCSSET on the prowl for Mac users – the first new iteration of the malware since 2022.

XCSSET has been seen in limited attacks thus far, but Apple devs should be especially vigilant since the main infection vector is via Xcode projects.

The malware's main capabilities from 2022 remain. It still chases after digital wallet contents and gathers data from Notes and other system files as well. The main updates come in the form of better code obfuscation, updated persistence mechanisms, and new infection methods, Microsoft said in a Monday alert.

The key to its new obfuscation techniques is randomization, Microsoft added. Both the methods used for encoding payloads and the number of encoding iterations are "significantly more randomized" compared to previous versions.

SentinelOne investigated XCSSET in 2022 and found evidence of randomization, particularly in curl's --max-time value and the script's phaseName variable within the AppleScript payload file. It said at the time these techniques were likely deployed to evade static analysis and threat-hunting rules.

Microsoft said that, on top of the xxd encoding used in previous versions, XCSSET now also uses Base64, and module names are obfuscated too, making it harder to work out what each module does.

Microsoft detailed two methods used to establish persistence. The first is the zshrc method, which ensures the malware persists across shell sessions. The payload is dropped inside a file named ~/.zshrc_aliases and a command is then appended to the ~/.zshrc file so that the payload is launched across every shell session.

The dock method launches the malicious payload whenever Launchpad is opened from the macOS dock. A signed copy of the dockutil tool is downloaded from the attacker's C2 server, and the malware then generates a fake Launchpad app and replaces the legitimate Launchpad entry on the dock with the newly created malicious one.
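The two persistence methods described above leave host artefacts a defender can look for. The following hunting script is an added example, not Microsoft's detection logic or anything from the malware; it assumes it is pointed at a home directory and at an XML copy of the dock preferences plist.

```shell
#!/bin/sh
# Hunting checks for the two XCSSET persistence methods described by Microsoft.
# Added example; paths are taken as arguments so the checks can run against a
# copied profile or a test directory rather than the live account.

# zshrc method: the payload is dropped in ~/.zshrc_aliases and a line appended
# to ~/.zshrc runs it in every shell session. Returns 0 (clean) or 1 (flagged).
check_zshrc_persistence() {
    home="$1"
    found=0
    if [ -f "$home/.zshrc_aliases" ]; then
        echo "SUSPICIOUS: $home/.zshrc_aliases exists"
        found=1
    fi
    if [ -f "$home/.zshrc" ] && grep -q 'zshrc_aliases' "$home/.zshrc"; then
        echo "SUSPICIOUS: $home/.zshrc references .zshrc_aliases:"
        grep -n 'zshrc_aliases' "$home/.zshrc"
        found=1
    fi
    return $found
}

# dock method: a fake Launchpad app replaces the real dock entry. Takes the
# dock plist already converted to XML, e.g. on macOS:
#   plutil -convert xml1 -o /tmp/dock.xml ~/Library/Preferences/com.apple.dock.plist
# Any Launchpad entry whose file URL is outside the system application folders
# is flagged. Returns 0 (clean) or 1 (flagged).
check_dock_launchpad() {
    plist="$1"
    # Each persistent-apps entry carries a _CFURLString with the app's file URL.
    urls=$(grep -o '<string>file://[^<]*Launchpad[^<]*</string>' "$plist" \
           | sed 's/<[^>]*>//g')
    [ -z "$urls" ] && { echo "no Launchpad entry in $plist"; return 0; }
    rc=0
    for u in $urls; do
        case "$u" in
            file:///System/Applications/Launchpad.app*) ;;
            file:///Applications/Launchpad.app*) ;;
            *) echo "SUSPICIOUS: Launchpad dock entry points to $u"; rc=1 ;;
        esac
    done
    return $rc
}
```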

XCSSET has targeted Xcode devs since the first version researchers spotted in 2020. Infected Xcode projects were loaded by Apple devs and later uploaded to GitHub to spread to other unwitting programmers.

Trend Micro looked under the hood of XCSSET back then, saying its distribution model "can only be described as clever."

It added: "Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files."

Microsoft said today the malware has new infection methods, but they're all still underpinned by infected coding projects. 

"The new XCSSET variant introduces new methods for where the payload is placed in a target Xcode project. The method is chosen from one of the following options: TARGET, RULE, or FORCED_STRATEGY. An additional method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a later phase."
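Since the payload lands in the project file itself, a cloned project can be inspected before it is opened in Xcode. The script below is an added example of that review step (not Microsoft's or Trend Micro's tooling); it takes the path to a project.pbxproj and assumes the project legitimately uses only numeric device ids in TARGET_DEVICE_FAMILY.

```shell
#!/bin/sh
# Pre-build review checks for a project.pbxproj, added example. Run as:
#   check_device_family MyApp.xcodeproj/project.pbxproj
#   check_script_phases MyApp.xcodeproj/project.pbxproj

# TARGET_DEVICE_FAMILY legitimately holds device ids such as "1,2" (iPhone,
# iPad). Any other content in that key, which Microsoft says the new variant
# uses to stash its payload, is reported. Returns 0 (clean) or 1 (flagged).
check_device_family() {
    hits=$(grep -n 'TARGET_DEVICE_FAMILY' "$1" \
           | grep -v -E 'TARGET_DEVICE_FAMILY = "?[0-9,]+"?;' || true)
    if [ -n "$hits" ]; then
        echo "SUSPICIOUS TARGET_DEVICE_FAMILY value(s) in $1:"
        echo "$hits"
        return 1
    fi
    return 0
}

# Run-script build phases are stored as single shellScript = "..." lines.
# Ones that decode with xxd or Base64, the encodings Microsoft describes for
# the payload, deserve a manual read. Returns 0 (clean) or 1 (flagged).
check_script_phases() {
    hits=$(grep -n 'shellScript = ' "$1" | grep -E -i 'xxd|base64' || true)
    if [ -n "$hits" ]; then
        echo "SUSPICIOUS run-script phase(s) in $1:"
        echo "$hits"
        return 1
    fi
    return 0
}
```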

The last time XCSSET featured on The Reg was in 2021, after Jamf found that the malware was exploiting zero-day vulnerabilities in macOS to bypass its privacy-control framework, Transparency, Consent, and Control (TCC).

After Trend published its first and follow-up reports on XCSSET, Jamf found a "significant uptick" in detected variants and these were primarily being used to take screenshots of victims' desktops or record their screens without notifying them.

"During Jamf's testing, it was determined that this vulnerability is not limited to screen recording permissions either," the MDM company blogged. "Multiple different permissions that have already been provided to the donor application can be transferred to the maliciously created app."

Other functionality demonstrated by the malware at the time included data or password theft from various apps including Telegram, Chrome, Evernote, Opera, WeChat, Skype, Notes, and Contacts.

Offering a final word of warning, Microsoft said: "Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects. They should also only install apps from trusted sources, such as a software platform's official app store."

Somewhat unhelpfully, however, Microsoft didn't provide any indicators of compromise or hashes. We'll update the story if it decides to confirm these. ®
