Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

The new variant, which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week. It appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and to obscure their malicious activities.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 while investigating a security incident related to Xcode developer projects. The malware has historically targeted software developers by exploiting vulnerabilities and then infecting their Xcode projects, using the infected projects as a means to spread. XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems.

The enhanced obfuscation methods in the new variant use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both the encoding technique and the number of encoding iterations, according to Microsoft.

Microsoft's post describes two persistence methods, one hooking the user's zsh startup file and one involving the Launchpad entry in the dock. In the first method, the malware creates a file named ~/.zshrc_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post. The second method piggybacks on Launchpad: "This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories," since infected projects are the channel through which the malware spreads. "They should also only install apps from trusted sources, such as a software platform's official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including the new variant, the company added, because the product can detect all currently known versions of the malware.
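The zsh persistence described above (a payload file at ~/.zshrc_aliases plus a command appended to ~/.zshrc that launches it) is simple to audit by hand. The following shell script is an added example written for this page, not code from Microsoft or Dark Reading; it assumes only what the article states. Because the article does not quote the exact command XCSSET appends, the check flags any line of ~/.zshrc that references a .zshrc_aliases file and reports whether that file exists, leaving the verdict to the analyst. The function names (zshrc_aliases_hook_lines, audit_zsh_startup) are this example's own.

```shell
#!/bin/sh
# Added example for this page, not from the Microsoft post or the Dark Reading
# article. Audits a home directory for the ~/.zshrc_aliases persistence hook the
# post attributes to the new XCSSET variant. The literal text of the appended
# command is not given on the page (assumption: it at least names the file), so
# any line mentioning .zshrc_aliases is treated as an indicator to inspect.

# zshrc_aliases_hook_lines FILE
#   Print each line of FILE (with its line number) that mentions .zshrc_aliases.
#   Prints nothing if FILE is missing or has no such line; always exits 0.
zshrc_aliases_hook_lines() {
    [ -f "$1" ] || return 0
    grep -n 'zshrc_aliases' "$1" 2>/dev/null || true
    return 0
}

# audit_zsh_startup [HOME_DIR]
#   Exit status: 0 = no indicator found
#                1 = ~/.zshrc references a .zshrc_aliases file, but no such file
#                2 = ~/.zshrc references it AND ~/.zshrc_aliases exists on disk
#   Findings are printed to stdout; the payload file is previewed, never executed.
audit_zsh_startup() {
    home_dir="${1:-$HOME}"
    rcfile="$home_dir/.zshrc"
    aliasfile="$home_dir/.zshrc_aliases"

    hits=$(zshrc_aliases_hook_lines "$rcfile")
    if [ -z "$hits" ]; then
        echo "no .zshrc_aliases hook in $rcfile"
        return 0
    fi

    echo "indicator: $rcfile references a .zshrc_aliases file:"
    echo "$hits"
    if [ -f "$aliasfile" ]; then
        echo "indicator: $aliasfile exists; first 512 bytes (do not source it):"
        head -c 512 "$aliasfile"
        echo
        return 2
    fi
    echo "note: $aliasfile does not exist (hook present, payload absent)"
    return 1
}

# Usage (source the file, then run against the current user):
#   . ./xcsset_zshrc_audit.sh
#   audit_zsh_startup "$HOME"; echo "status=$?"
```

A status of 2 means both halves of the persistence chain are present and the payload file should be captured for analysis before anything is deleted; a status of 1 is worth a look too, since an edited ~/.zshrc with the payload already removed still indicates the machine was touched. Extend the pattern to other shells' startup files (.bash_profile, .zprofile) if the environment uses them.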
This Cyber News was published on www.darkreading.com. Publication date: Tue, 18 Feb 2025 19:10:06 +0000