A publicity shot published by the BBC for Lucy Williamson's report inside Al-Shifa Hospital in November 2023. (Photo: BBC)
A publicity shot published by the BBC for Lucy Williamson’s report inside Al-Shifa Hospital in November 2023. (Photo: BBC)
Microsoft said it has detected a new variant of XCSSET, a powerful macOS malware family that has targeted developers and users since at least 2020. The variant, which Microsoft reported Monday, marked the first publicly known update to the malware since 2022. The malware first came to light in 2020, when security firm Trend Micro said it had targeted app developers after spreading through a publicly available project the attacker wrote for Xcode, a developer tool Apple makes freely available. The malware gained immediate attention because it exploited what, at the time, were two zero-day vulnerabilities, a testament to the resourcefulness of the entity behind the attacks. In 2021, XCSSET surfaced again, first when it was used to backdoor developers’ devices and a few months later when researchers found it exploiting what at the time was a new zero-day.

New enhanced features

Microsoft said it has detected the new variant in limited attacks so far. Improvements in it include:
  • Two previously unseen persistence methods for ensuring compromised devices remain permanently infected. One new method creates a file named ~/.zshrc_aliases that contains the malicious payload. The new variant then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated. The other new method creates a fake Launchpad app and replaces the legitimate Launchpad path entry with the path for the new one. From then on, the malicious payload is started each time Launchpad is started from the macOS dock.
  • Enhanced infection methods. One method allows the attacker to choose options, including TARGET, RULE, or FORCED_STRATEGY, for when the XCSSET will trigger its payload. The other method “involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a latter phase,” Microsoft said.
  • Enhanced obfuscation methods, mainly in the form of “a significantly more randomized approach for generating payloads to infect Xcode projects.” The increased randomization makes spotting the malicious code much harder. The new XCSSET variant also Base64-encodes the module names it creates, again making detection of them more difficult.
“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” Microsoft wrote. XCSSET contains multiple modules for collecting and exfiltrating sensitive data from infected devices. Microsoft Defender for Endpoint on Mac now detects the new XCSSET variant, and it’s likely other malware detection engines will soon, if not already. Unfortunately, Microsoft didn’t release file hashes or other indicators of compromise that people can use to determine if they have been targeted. A Microsoft spokesperson said these indicators will be released in a future blog post. To avoid falling prey to new variants, Microsoft said developers should inspect all Xcode projects downloaded or cloned from repositories. The sharing of these projects is routine among developers. XCSSET exploits the trust developers have by spreading through malicious projects created by the attackers.