Microsoft Threat Intelligence has uncovered a new and more sophisticated variant of XCSSET, a modular macOS malware that has been targeting developers and users via infected Xcode projects. This variant has only been observed in limited attacks so far, Microsoft noted.
The XCSSET variant is the first update since 2022 and comes with several enhanced features that make it harder to detect and mitigate. The malware’s updated tactics include improved obfuscation methods, advanced persistence techniques, and new infection strategies that increase its ability to infiltrate macOS systems.
The latest XCSSET variant features much stronger obfuscation techniques, making it far more difficult to detect by traditional security tools. One key enhancement is its more randomized payload generation method for infecting Xcode projects. The variant not only randomizes the encoding technique but also increases the number of encoding iterations.
Additionally, while older XCSSET variants relied solely on the xxd tool for encoding, the new variant incorporates Base64 encoding as well. Furthermore, the module names in the malware’s code have been obfuscated, which adds another layer of difficulty for threat analysts trying to understand the malware's true intent.
The new XCSSET variant uses two methods to maintain its presence on an infected system: the zshrc method and the dock method.
The zshrc method involves creating a file named ~/.zshrc_aliases, which contains the malicious payload, while the dock method leverages a signed dockutil tool downloaded from a remote server. dockutil manages Dock items on macOS, and the malware uses it to replace the legitimate Launchpad entry with a fake version. By modifying the Dock's path entry for Launchpad, the malware ensures that every time the user tries to open Launchpad, both the legitimate Launchpad and the malicious payload are executed.
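As an added defender-side check (this is example code, not taken from Microsoft's report or from the malware), the script below hunts for the two persistence artifacts just described: the ~/.zshrc_aliases file and a Dock tile labelled Launchpad whose target is not the genuine bundle. It assumes the genuine Launchpad path is /System/Applications/Launchpad.app and that the Dock stores its tiles in ~/Library/Preferences/com.apple.dock.plist; the sample plist at the bottom is constructed for illustration.

```python
import os
import plistlib

# Assumption (not from the article): genuine Launchpad bundle URL on current macOS releases.
GENUINE_LAUNCHPAD = "file:///System/Applications/Launchpad.app/"


def suspicious_launchpad_tiles(dock_plist: bytes) -> list:
    """Return target URLs of Dock tiles labelled 'Launchpad' that do not point
    at the genuine Launchpad bundle (the dock method described above)."""
    dock = plistlib.loads(dock_plist)
    hits = []
    for item in dock.get("persistent-apps", []):
        tile = item.get("tile-data", {})
        url = tile.get("file-data", {}).get("_CFURLString", "")
        if tile.get("file-label") == "Launchpad" and url.rstrip("/") != GENUINE_LAUNCHPAD.rstrip("/"):
            hits.append(url)
    return hits


def zshrc_aliases_present(home: str) -> bool:
    """True if the ~/.zshrc_aliases file created by the zshrc method exists under `home`."""
    return os.path.isfile(os.path.join(home, ".zshrc_aliases"))


def scan(home: str = os.path.expanduser("~")) -> dict:
    """Run both checks against a real user profile and return findings for triage."""
    findings = {"zshrc_aliases": zshrc_aliases_present(home), "launchpad_tiles": []}
    dock_path = os.path.join(home, "Library", "Preferences", "com.apple.dock.plist")
    if os.path.isfile(dock_path):
        with open(dock_path, "rb") as fh:
            findings["launchpad_tiles"] = suspicious_launchpad_tiles(fh.read())
    return findings


# Constructed sample Dock plist: one genuine Launchpad tile and one tampered tile
# whose path is an obvious placeholder, so the parser can be exercised offline.
SAMPLE_DOCK = plistlib.dumps({
    "persistent-apps": [
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": GENUINE_LAUNCHPAD, "_CFURLStringType": 15}}},
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": "file:///Users/Shared/FAKE_PLACEHOLDER/Launchpad.app/",
                                     "_CFURLStringType": 15}}},
    ]
})

if __name__ == "__main__":
    print(suspicious_launchpad_tiles(SAMPLE_DOCK))
    print(scan())
```

A hit from either check is a triage lead, not proof of infection: confirm by inspecting the file contents and the target bundle's signature before acting.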
XCSSET’s new variant introduces even more sophisticated infection techniques to target Xcode projects. The payload can now be injected into a project using one of three strategies: TARGET, RULE, or FORCED_STRATEGY. In addition, the malware can also insert the payload into the TARGET_DEVICE_FAMILY key under build settings and execute it in a later phase of the build process, further increasing the likelihood of successful infection.