XCSSET Malware Evolves with New Obfuscation Methods and Infection Techniques

A new variant of the sophisticated XCSSET malware has been detected in recent attacks targeting macOS users. Microsoft reports that this variant uses updated obfuscation methods, an improved persistence mechanism, and new infection techniques to evade detection.

First seen in 2020, XCSSET spreads through Apple’s Xcode development environment. The malware injects malicious code into Xcode projects, infecting the victim’s system when the project is executed. The previous variant was specifically targeting devices powered by Apple’s M1 chip.

The new XCSSET variant relies on increased randomization to generate its payloads and drops them into a file that is executed whenever a new shell session is launched. It also replaces the Launchpad entry in the dock with a path to a fake application that executes the payload.

Microsoft notes that these enhanced features add to the malware family’s previously known capabilities, including targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files.

Microsoft also observed the updated variant using new methods to place the malicious payload in an Xcode project. These methods include the ones named TARGET, RULE, and FORCED_STRATEGY, as well as placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it during a later build phase.
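A defender reviewing shared Xcode projects can check for the build-settings abuse described above. The following is an added example written for this page; it is not code from Microsoft, SecurityWeek, or any XCSSET analysis tooling. It scans a project.pbxproj file and flags any TARGET_DEVICE_FAMILY value that is not the comma-separated list of small integers that key legitimately holds (that expected form is an assumption of the heuristic), and it surfaces every run-script build phase (`PBXShellScriptBuildPhase` / `shellScript`, which are real pbxproj keys) for manual review, since a payload placed in build settings is run from a later phase. The sample project text embedded in the block is constructed and contains only a labelled placeholder, not a real payload.

```python
import re
import sys

# A legitimate TARGET_DEVICE_FAMILY value is a comma-separated list of small
# integers (1 = iPhone, 2 = iPad, ...), optionally quoted. Anything else in that
# key is anomalous and worth a look. (Assumption used by this heuristic.)
LEGIT_DEVICE_FAMILY = re.compile(r'^"?\d+(,\d+)*"?$')

# Build-setting assignment inside a pbxproj, e.g.  TARGET_DEVICE_FAMILY = "1,2";
SETTING_RE = re.compile(r'^\s*(?P<key>[A-Z_][A-Z0-9_]*)\s*=\s*(?P<value>.+?);\s*$')

# Run-script build phase body, e.g.  shellScript = "echo build-step";
SHELL_SCRIPT_RE = re.compile(r'^\s*shellScript\s*=\s*"(?P<script>.*)";\s*$')


def scan_pbxproj(text):
    """Return anomalous TARGET_DEVICE_FAMILY values and all run-script phases.

    Both lists hold (line_number, value) tuples so a reviewer can jump to
    the offending spot in the project file.
    """
    suspicious_device_family = []
    run_script_phases = []
    for lineno, line in enumerate(text.splitlines(), 1):
        setting = SETTING_RE.match(line)
        if setting and setting.group('key') == 'TARGET_DEVICE_FAMILY':
            value = setting.group('value')
            if not LEGIT_DEVICE_FAMILY.match(value):
                suspicious_device_family.append((lineno, value))
            continue
        script = SHELL_SCRIPT_RE.match(line)
        if script:
            run_script_phases.append((lineno, script.group('script')))
    return {
        'suspicious_device_family': suspicious_device_family,
        'run_script_phases': run_script_phases,
    }


# Constructed sample: one clean configuration, one with an abused key, and a
# benign run-script phase. The "payload" is only a placeholder string.
SAMPLE_PBXPROJ = """\
/* Begin XCBuildConfiguration section */
    1A2B3C /* Debug */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2";
        };
        name = Debug;
    };
    4D5E6F /* Release */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_DEVICE_FAMILY = "1,2; <constructed suspicious payload placeholder>";
        };
        name = Release;
    };
/* End XCBuildConfiguration section */
/* Begin PBXShellScriptBuildPhase section */
    7A8B9C /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo build-step";
    };
/* End PBXShellScriptBuildPhase section */
"""


def report(findings):
    for lineno, value in findings['suspicious_device_family']:
        print(f"[!] line {lineno}: unexpected TARGET_DEVICE_FAMILY value {value}")
    for lineno, script in findings['run_script_phases']:
        print(f"[i] line {lineno}: run-script phase to review: {script}")


if __name__ == '__main__':
    # Pass a project.pbxproj path to scan a real project; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8') as fh:
            report(scan_pbxproj(fh.read()))
    else:
        report(scan_pbxproj(SAMPLE_PBXPROJ))
```

Run it as `python scan_pbxproj.py path/to/project.pbxproj` over any project received from outside the team; a TARGET_DEVICE_FAMILY value that is not a plain device list, or a run-script phase nobody on the team added, is the cue to open the file and read what is actually there.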

This evolution of XCSSET highlights the ongoing threat of malware targeting macOS users.

Source: https://www.securityweek.com/microsoft-warns-of-improvements-to-xcsset-macos-malware