Microsoft has observed a previously dormant macOS malware that has become active once again in a new variant that is targeting Apple devices of all kinds.
New Version of XCSSET Emerges
Microsoft Threat Intelligence shared information about the malware in a post on X, indicating that it is a new version of XCSSET that originated in 2022. The security experts explained that the updated malware has “enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.”
What XCSSET Can Do: A Dangerous Infostealer
TechRadar noted that the XCSSET malware is essentially an infostealer, with the ability to attack digital wallets, gather data from the Apple Notes app, and collect system information and files.
How XCSSET Infiltrates Devices via Xcode
The malware is particularly dangerous because it uses infected projects in Apple’s Xcode platform to infiltrate devices. Xcode is the official integrated development environment (IDE) Apple provides for app creation for its various operating systems, including macOS, iOS, iPadOS, watchOS, and tvOS. The environment includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps, the publication added.
Obfuscation Techniques: “zshrc” and “dock”
As said, the updated XCSSET variant includes processes, allowing the malware to better obscure itself within Xcode. To do so, it uses two techniques, called “zshrc” and “dock”.
“zshrc” Technique: Persistent Malware Execution
The first attack allows the malware to create a file, ~/.zshrc_aliases, which holds the infected data. Then it adds a command in the ~/.zshrc file, which will prompt the infected file to launch every time a new shell session is initiated. This will ensure the malware will continue to spread with additional shell sessions.
“dock” Technique: Fake Launchpad App
With the second attack, the malware downloads “a signed dockutil tool from a command-and-control server to manage the dock items,” Microsoft explained. After this, it creates a fake Launchpad app to replace the path entry for the actual Launchpad app on the device dock. When a user runs Launchpad on an infected device, the actual Launchpad app and the malware version will both execute, effectively spreading XCSSET.
Limited Attacks, But Stay Cautious
Microsoft Threat Intelligence explained it has only seen the new malware variant “in limited attacks,” it is sharing information about the threat so users and organizations can take precautionary measures.
