Microsoft Threat Intelligence has discovered a new variant of the XCSSET malware. This malware targets macOS users by infecting Xcode projects.
A new variant of the XCSSET malware for macOS is making the rounds, discovered by Microsoft security researchers. It is the first major update to the malware since 2022. Attackers do not deploy it on a large scale but mainly target developers. The new variant uses improved techniques for obfuscation, persistence and infection.
The recently discovered variant uses a more randomized approach to generating payloads in infected Xcode projects. Whereas previous variants used only xxd (hexdump) to encode payloads, the new version also uses Base64. In addition, module names within the code are obfuscated, which makes analysis harder.
Two methods
The malware has two methods of embedding itself in the system: the zshrc method and the dock method. In the first, the payload is written to a hidden file (~/.zshrc_aliases) and a command is added to the ~/.zshrc file that runs the script at the start of every new shell session.
In the dock method, the malware downloads a signed version of the dockutil utility from a command-and-control server. It then creates a fake version of the macOS Launchpad application and uses dockutil to modify the dock shortcut so that, when Launchpad is launched from the dock, both the real application and the malicious payload are executed.
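As an added example, not from Microsoft's report, two checks a defender could run for the persistence methods described above: one scans the contents of ~/.zshrc for a line that sources the hidden ~/.zshrc_aliases file, the other inspects the Dock's persistent-apps entries for a Launchpad tile whose path is not the genuine system location. The sample .zshrc text and Dock entries are constructed, and the genuine Launchpad path (/System/Applications/Launchpad.app) is assumed for current macOS versions.

```python
import re

# Constructed sample input: a .zshrc with one hook line of the kind described.
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
alias ll='ls -la'
[ -f ~/.zshrc_aliases ] && source ~/.zshrc_aliases
"""

# Constructed sample input shaped like the "persistent-apps" array from
# ~/Library/Preferences/com.apple.dock.plist: one genuine Launchpad tile and
# one that points at a Launchpad.app living under a user directory.
SAMPLE_DOCK_APPS = [
    {"tile-data": {"file-label": "Launchpad",
                   "file-data": {"_CFURLString": "file:///System/Applications/Launchpad.app/"}}},
    {"tile-data": {"file-label": "Launchpad",
                   "file-data": {"_CFURLString": "file:///Users/dev/Library/Launchpad.app/"}}},
]

ALIAS_FILE = ".zshrc_aliases"
# A line that runs the hidden file via "source", ".", or a shell binary.
ALIAS_HOOK = re.compile(r"(?:source|\.|zsh|sh|bash)\s+\S*" + re.escape(ALIAS_FILE))
GENUINE_LAUNCHPAD = "/System/Applications/Launchpad.app"  # assumed system path


def find_zshrc_hooks(zshrc_text: str) -> list[str]:
    """Return every .zshrc line that executes the hidden alias file."""
    return [line.strip() for line in zshrc_text.splitlines() if ALIAS_HOOK.search(line)]


def suspicious_launchpad_entries(persistent_apps: list[dict]) -> list[str]:
    """Return Dock tile URLs labelled 'Launchpad' that do not resolve to the system app."""
    hits = []
    for tile in persistent_apps:
        data = tile.get("tile-data", {})
        url = data.get("file-data", {}).get("_CFURLString", "")
        if data.get("file-label") == "Launchpad" and not url.rstrip("/").endswith(GENUINE_LAUNCHPAD):
            hits.append(url)
    return hits


if __name__ == "__main__":
    print("zshrc hooks:", find_zshrc_hooks(SAMPLE_ZSHRC))
    print("odd Launchpad tiles:", suspicious_launchpad_entries(SAMPLE_DOCK_APPS))
```

On a live host the same functions can be fed the real ~/.zshrc contents and the "persistent-apps" array read with plistlib from the Dock preferences file.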
The malware introduces new techniques to insert the payload into an Xcode project. It can use methods such as TARGET, RULE or FORCED_STRATEGY. Another method places the payload in the TARGET_DEVICE_FAMILY key under the build settings and executes it later.
Microsoft reports that the new XCSSET variant is currently only seen in limited attacks. Still, users and organizations are advised to take precautions to avoid infection. Microsoft subtly and not entirely coincidentally points out that Defender for Mac successfully detects the malware.