XCSSET: macOS malware is active again

The Mac malware XCSSET has been quiet for some time. Now Microsoft has discovered new active variants that infect Xcode projects.

(Image: File on the computer screen distributes viruses and malware. Created with AI in Bing Designer by heise online / dmk)


The malware had not been seen since 2022, but now Microsoft's Threat Intelligence team has discovered a new variant of XCSSET in the wild. XCSSET is an advanced modular malware that runs on macOS and reaches its victims by infecting Xcode projects.

So far, the security researchers have only seen the new variant “in limited attacks”, they write on X. The first XCSSET variant to surface since 2022 relies on improved obfuscation methods, updated persistence mechanisms and new infection strategies.

Both the encoding method and the number of encoding passes used to build the malware payload are randomized. According to Microsoft, the old variants only used xxd (a tool that produces a hex dump of its input) for encoding; XCSSET now also uses Base64. The module names of the new variant are encrypted as well, which makes it harder to recognize what a module is meant to do.

The new XCSSET version uses two methods to persist on an infected Mac. First, it can create a file ~/.zshrc_aliases that contains the malware payload; by adding a command to ~/.zshrc, the malware is started every time a new shell is opened. Second, XCSSET can download a signed “dockutil” from its command and control server, a tool for managing dock entries. XCSSET creates a fake Launchpad app and repoints the dock's regular Launchpad entry at that file. Every time Launchpad is opened from the dock, the malware runs and also starts the real Launchpad app to disguise itself.

XCSSET also has new ways of embedding its payload in Xcode projects; Microsoft lists the TARGET, RULE and FORCED_STRATEGY methods. The malicious payload can also be hidden in the TARGET_DEVICE_FAMILY key of the build settings and run in a later build phase.

Because the malware spreads via infected projects, Microsoft advises developers to always inspect Xcode projects they download or clone from repositories. They should also install software only from trustworthy sources, such as the platform's official app store. Microsoft does not, however, publish more specific indicators of compromise (IoCs) that developers could use to check their systems for an infection. The only option is therefore to check the plausibility of the entries mentioned above in the project and build settings.
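The plausibility check Microsoft leaves to developers can be scripted for the three artefacts the article names: the ~/.zshrc hook into ~/.zshrc_aliases, the repointed Launchpad dock entry and the TARGET_DEVICE_FAMILY build setting. The POSIX shell script below is an added example for this article, not code from Microsoft or heise online. The file paths, the patterns it treats as legitimate (the genuine Launchpad app under /System/Applications or /Applications, TARGET_DEVICE_FAMILY holding only small integers) and the decode-and-execute heuristic for the aliases file are assumptions made here, and the fixtures it writes to a temporary directory are constructed samples, not real indicators.

```shell
#!/bin/sh
# Added example (not Microsoft's or heise online's code): plausibility checks
# for the XCSSET persistence artefacts the article names. The paths, the
# "legitimate" value patterns and the decode-and-execute heuristic are
# assumptions chosen for this example. For a real check, point the functions
# at your own ~/.zshrc, ~/.zshrc_aliases, Dock settings and project.pbxproj.

# 1) Shell persistence: a ~/.zshrc_aliases file run from ~/.zshrc. A genuine
#    aliases file holds alias/export lines; an encoded blob being decoded
#    (xxd -r or base64 -d) and piped into a shell is what gets reported.
check_zsh_persistence() {
  rc=$1; aliases=$2
  grep -q 'zshrc_aliases' "$rc" 2>/dev/null || return 0   # not referenced: nothing to do
  [ -f "$aliases" ] || return 0
  hits=$(grep -E 'xxd[[:space:]]+-r|base64[[:space:]]+(-d|-D|--decode)' "$aliases" \
         | grep -E '[|][[:space:]]*(/bin/)?(ba|z)?sh' || true)
  if [ -n "$hits" ]; then
    printf 'SUSPICIOUS %s: decode-and-execute in aliases file\n%s\n' "$aliases" "$hits"
    return 1
  fi
  return 0
}

# 2) Dock persistence: the Launchpad tile repointed at a fake app. Input is a
#    file holding the output of `defaults read com.apple.dock persistent-apps`.
#    Assumption: the genuine app lives in /System/Applications (or
#    /Applications on older macOS); any other "Launchpad" URL is reported.
check_dock_launchpad() {
  dockdump=$1
  bad=$(grep -E '_CFURLString.*[Ll]aunchpad' "$dockdump" \
        | grep -Ev 'file:///(System/)?Applications/Launchpad\.app/?"' || true)
  if [ -n "$bad" ]; then
    printf 'SUSPICIOUS Launchpad dock entry:\n%s\n' "$bad"
    return 1
  fi
  return 0
}

# 3) Xcode project: TARGET_DEVICE_FAMILY normally holds a short list of small
#    integers such as 1, 2 or "1,2". Any other content in that key is reported.
check_target_device_family() {
  pbxproj=$1
  odd=$(grep -E 'TARGET_DEVICE_FAMILY[[:space:]]*=' "$pbxproj" \
        | grep -Ev 'TARGET_DEVICE_FAMILY[[:space:]]*=[[:space:]]*"?[0-9]+(,[0-9]+)*"?[[:space:]]*;' || true)
  if [ -n "$odd" ]; then
    printf 'SUSPICIOUS TARGET_DEVICE_FAMILY in %s:\n%s\n' "$pbxproj" "$odd"
    return 1
  fi
  return 0
}

# Constructed fixtures (placeholder content, not real indicators) so the checks
# can be exercised offline: one clean and one suspicious sample per check.
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
cat > "$FIX/zshrc" <<'EOF'
export PATH=$HOME/bin:$PATH
source ~/.zshrc_aliases
EOF
cat > "$FIX/aliases_clean" <<'EOF'
alias ll='ls -la'
alias gs='git status'
EOF
cat > "$FIX/aliases_bad" <<'EOF'
alias ll='ls -la'
echo PLACEHOLDER_HEX | xxd -r -p | sh
EOF
cat > "$FIX/dock_clean" <<'EOF'
        "file-data" =         {
            "_CFURLString" = "file:///System/Applications/Launchpad.app/";
            "_CFURLStringType" = 15;
        };
        "file-label" = Launchpad;
EOF
cat > "$FIX/dock_bad" <<'EOF'
        "file-data" =         {
            "_CFURLString" = "file:///Users/PLACEHOLDER/Library/Launchpad.app/";
            "_CFURLStringType" = 15;
        };
        "file-label" = Launchpad;
EOF
cat > "$FIX/pbxproj_clean" <<'EOF'
                SDKROOT = iphoneos;
                TARGET_DEVICE_FAMILY = "1,2";
EOF
cat > "$FIX/pbxproj_bad" <<'EOF'
                SDKROOT = iphoneos;
                TARGET_DEVICE_FAMILY = "$(PLACEHOLDER_ENCODED_PAYLOAD)";
EOF

echo "== clean fixtures (expect no findings) =="
check_zsh_persistence "$FIX/zshrc" "$FIX/aliases_clean"
check_dock_launchpad "$FIX/dock_clean"
check_target_device_family "$FIX/pbxproj_clean"
echo "== suspicious fixtures =="
check_zsh_persistence "$FIX/zshrc" "$FIX/aliases_bad" || true
check_dock_launchpad "$FIX/dock_bad" || true
check_target_device_family "$FIX/pbxproj_bad" || true
```

On a real Mac, feed the functions ~/.zshrc and ~/.zshrc_aliases, a dump from `defaults read com.apple.dock persistent-apps`, and every project.pbxproj in a freshly cloned repository. A non-zero return from any check is a reason to read the file by hand, not proof of infection, and a clean result does not rule out the other implantation methods the article mentions.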

XCSSET was first discovered and described in 2020. At the time, the malware spread via manipulated Xcode projects hosted on GitHub, among other routes.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.