
New Strain of macOS Threat XCSSET Discovered in the Wild


Microsoft has issued a warning regarding a newly identified variant of XCSSET, a significant malware threat to macOS users. This updated version has already been linked to several attacks targeting Apple developers, suggesting a potential increase in its activity and reach in the weeks ahead.

XCSSET possesses a range of capabilities that allow it to compromise user security. It can read and extract data from Safari, inject malicious JavaScript into websites, and steal sensitive information from various applications, including Skype, Telegram, WeChat, and Notes. Additionally, it has the ability to take screenshots, encrypt files, and transfer data to servers managed by the attackers. The new variant introduces advanced obfuscation techniques, improved persistence methods, and novel infection strategies, marking its first update since 2022, as detailed by Microsoft Threat Intelligence in a recent post on X.

The enhancements in this malware variant expand upon existing functionalities, which have previously included targeting digital wallets and exfiltrating information from system files.

XCSSET was originally discovered by Trend Micro in 2020 while analyzing a security breach related to Xcode projects. Historically, it has targeted software developers by exploiting vulnerabilities in their code, enabling it to spread through infected projects. When a developer downloads an infected project, they unwittingly further propagate the malware, creating a worm-like potential for broader supply chain attacks.

Significant Enhancements to macOS Malware

The latest variant of XCSSET represents a substantial upgrade to the malware’s modular architecture, integrating numerous features that facilitate its spread and obscure the attackers’ activities.

Among the new capabilities introduced is a more sophisticated obfuscation strategy that utilizes a highly randomized process for generating payloads within Xcode projects. This includes alterations in encoding techniques, such as the incorporation of Base64 encoding alongside traditional methods, making it harder to decipher the malware’s intent.

The updated XCSSET also implements two new persistence techniques. The first, dubbed the “zshrc” method, involves creating a hidden file that initiates the malware each time a new shell session is opened. The second, referred to as the “dock” method, manipulates the macOS dock by replacing the path to the legitimate Launchpad application with a fraudulent version, ensuring that both the genuine and malicious applications are launched together.
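As a defender-side illustration of the two persistence methods just described, the following Python script (added here; it is not from the article or from Microsoft) flags .zshrc lines that source a hidden file and Dock tiles labelled Launchpad whose path is not the stock Launchpad bundle. The Launchpad path, the Dock plist layout and the sample inputs are assumptions or constructed data, not indicators from the article.

```python
import os
import plistlib
import re
from urllib.parse import unquote, urlparse

# Assumed location of the genuine Launchpad bundle on current macOS releases.
LAUNCHPAD_PATH = "/System/Applications/Launchpad.app"

def sourced_hidden_files(zshrc_text: str) -> list[str]:
    """Return .zshrc lines that source a hidden (dot-prefixed) file.
    The "zshrc" method runs a hidden file on every new shell session, so such
    lines are triage candidates (legitimate tools such as fzf do this too)."""
    hits = []
    for line in zshrc_text.splitlines():
        m = re.match(r"^\s*(?:source|\.)\s+(?P<path>\S+)", line)
        if m and os.path.basename(m.group("path").strip("'\"")).startswith("."):
            hits.append(line.strip())
    return hits

def launchpad_dock_mismatches(dock_plist: bytes) -> list[str]:
    """Return paths of Dock tiles labelled Launchpad that are not LAUNCHPAD_PATH.
    The "dock" method swaps the Launchpad tile's path for another bundle, so a
    Launchpad label pointing elsewhere is the thing to look for."""
    findings = []
    for tile in plistlib.loads(dock_plist).get("persistent-apps", []):
        data = tile.get("tile-data", {})
        url = data.get("file-data", {}).get("_CFURLString", "")
        path = unquote(urlparse(url).path).rstrip("/")
        if data.get("file-label") == "Launchpad" and path != LAUNCHPAD_PATH:
            findings.append(path)
    return findings

# Constructed sample inputs (not real indicators) so the checks run offline.
SAMPLE_ZSHRC = 'export PATH=$HOME/bin:$PATH\nsource ~/.oh-my-zsh/oh-my-zsh.sh\n. "$HOME/.z_update"\n'
SAMPLE_DOCK = plistlib.dumps({"persistent-apps": [
    {"tile-data": {"file-label": "Launchpad", "file-data": {
        "_CFURLString": "file:///Users/dev/Library/.hidden/Launchpad.app/"}}},
    {"tile-data": {"file-label": "Safari", "file-data": {
        "_CFURLString": "file:///Applications/Safari.app/"}}},
]})

if __name__ == "__main__":
    print("zshrc lines to review:", sourced_hidden_files(SAMPLE_ZSHRC))
    print("Launchpad tiles with unexpected path:", launchpad_dock_mismatches(SAMPLE_DOCK))
```

On a real Mac, feed the contents of ~/.zshrc and ~/Library/Preferences/com.apple.dock.plist (plistlib reads the binary format too) to the two functions; a hit is a review item, not a verdict.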

Furthermore, the new variant adopts new infection routes for placing its payloads inside Xcode projects, using methods named TARGET, RULE and FORCED_STRATEGY, and it also uses the TARGET_DEVICE_FAMILY key for deployment at later stages.

Advice for macOS Cyber Defenders

Historically less susceptible to malware, the macOS environment has seen a rise in vulnerabilities and threats, primarily due to Apple’s expanding share in the overall computing market.

In order to mitigate the risk of downloading projects infected with XCSSET, Microsoft urges developers and users to rigorously inspect and verify any Xcode projects sourced from online repositories. Additionally, it is critical to install applications exclusively from trusted platforms, such as official app stores.

For those utilizing Microsoft Defender for Endpoint on Mac, the software offers built-in protection against XCSSET and its variants, as it is equipped to identify all known versions of the malware.

Source: www.darkreading.com
