Microsoft warns today of new attacks that use a variant of the XCSSET macOS malware with improvements across the board.

The new variant of the XCSSET macOS modular malware has emerged in attacks that target users' sensitive information, including digital wallets and data from the legitimate Notes app. Microsoft's Threat Intelligence team identified the latest variant in limited attacks and says that, compared to past XCSSET variants, the new one features enhanced code obfuscation, better persistence, and new infection strategies. In May 2021, Apple fixed a vulnerability that was actively exploited as a zero-day by XCSSET, an indication of the malware developer's capabilities.

For the zshrc persistence method, the new XCSSET variant creates a file named ~/.zshrc_aliases that contains the payload and appends a command to the ~/.zshrc file so that the payload runs with every new shell. XCSSET also creates a malicious Launchpad application containing the payload and changes the legitimate app's path to point to the fake one. As a result, when Launchpad is started from the dock, both the genuine application and the malicious payload are executed.

XCSSET has multiple modules to parse data on the system, collect sensitive information, and exfiltrate it. The types of data targeted include logins, information from chat applications and browsers, the Notes app, digital wallets, system information, and files.

Microsoft recommends inspecting and verifying Xcode projects and codebases cloned from unofficial repositories, as those can hide obfuscated malware or backdoors.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
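A defender-side triage script for the two persistence artifacts described above, added here as an example and not code from the report or from Microsoft: it flags ~/.zshrc lines that reference ~/.zshrc_aliases and checks whether the Dock's Launchpad tile points anywhere other than the genuine app. The com.apple.dock.plist key layout, the /System/Applications/Launchpad.app location and the sample inputs are assumptions, not values from the report.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

ALIAS_FILE = ".zshrc_aliases"  # artifact named in the report
# Assumed genuine Launchpad path on current macOS; adjust for older versions.
EXPECTED_LAUNCHPAD = "/System/Applications/Launchpad.app"

def suspicious_zshrc_lines(zshrc_text):
    """(line number, line) for each ~/.zshrc line that references the
    ~/.zshrc_aliases loader the variant appends to run its payload."""
    return [(n, ln.strip()) for n, ln in enumerate(zshrc_text.splitlines(), 1)
            if ALIAS_FILE in ln]

def launchpad_dock_paths(dock_plist):
    """Target URL of every Dock tile labelled 'Launchpad'. dock_plist is the parsed
    com.apple.dock.plist; the persistent-apps/tile-data/file-data layout is assumed."""
    paths = []
    for tile in dock_plist.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        if data.get("file-label") == "Launchpad":
            paths.append(data.get("file-data", {}).get("_CFURLString", ""))
    return paths

def launchpad_is_redirected(dock_plist, expected=EXPECTED_LAUNCHPAD):
    """True if any Launchpad tile points somewhere other than the genuine app."""
    return any(urlparse(p).path.rstrip("/") != expected
               for p in launchpad_dock_paths(dock_plist))

def scan_home(home=Path.home()):
    """Run both checks against a live user profile (macOS only)."""
    zshrc, dock = home / ".zshrc", home / "Library/Preferences/com.apple.dock.plist"
    findings = {"zshrc_aliases_exists": (home / ALIAS_FILE).exists(),
                "zshrc_hits": suspicious_zshrc_lines(zshrc.read_text(errors="replace"))
                if zshrc.exists() else []}
    if dock.exists():
        with dock.open("rb") as fh:
            findings["launchpad_redirected"] = launchpad_is_redirected(plistlib.load(fh))
    return findings

# Constructed sample inputs (not real captures) showing both artifacts.
SAMPLE_ZSHRC = ("export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"
                "[ -f ~/.zshrc_aliases ] && source ~/.zshrc_aliases\n")
SAMPLE_DOCK = {"persistent-apps": [
    {"tile-data": {"file-label": "Launchpad", "file-data":
                   {"_CFURLString": "file:///Users/alice/Library/Fake/Launchpad.app/"}}},
    {"tile-data": {"file-label": "Safari", "file-data":
                   {"_CFURLString": "file:///Applications/Safari.app/"}}}]}
```

Calling scan_home() on a macOS host returns a dict of findings for the current user; an existing ~/.zshrc_aliases, any flagged loader line, or a redirected Launchpad tile each warrants a closer look at the host.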
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 17 Feb 2025 16:05:06 +0000