Xcode Developers Targeted by Sophisticated XCSSET Malware, Warns Microsoft

Microsoft has issued a warning regarding a new variant of the XCSSET malware, which specifically targets developers using Apple’s Xcode. The tech giant’s Threat Intelligence team revealed on Monday, February 17, that this macOS malware variant infiltrates Xcode projects to compromise users’ devices.

“While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information so users and organizations can protect themselves against this threat,” Microsoft’s security research team stated in a post on X.

First identified in 2022, XCSSET malware is known for its ability to steal data from digital wallets, extract information from the Notes app, and exfiltrate system files from infected devices. The latest version exploits zero-day vulnerabilities and employs two new techniques to infect macOS systems.

One of these methods, called the “zshrc” technique, involves creating a file named ~/.zshrc_aliases that contains the malware payload. “It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware’s persistence across shell sessions,” Microsoft explained. Because the hook runs with the user’s privileges in every new shell, a shell environment that is not securely configured gives attackers a foothold to execute remote commands.

Another method, referred to as the “dock” technique, involves manipulating macOS’s dock, the toolbar at the bottom of the screen. The malware downloads a tool to manage applications on the dock and replaces the legitimate Launchpad’s path entry with a fake version. “This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed,” Microsoft stated.
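The two persistence techniques above (the ~/.zshrc hook and the swapped Launchpad entry in the Dock) both leave artifacts a defender can audit from the user’s home directory. The following is an added example, not code from Microsoft or Apple: it checks a ~/.zshrc for non-comment lines that reference .zshrc_aliases, and parses a com.apple.dock plist looking for a Launchpad tile whose path is outside /System/Applications (the assumed location of the legitimate Launchpad.app on macOS Catalina and later). The sample ~/.zshrc contents and Dock plists are constructed inline so the script runs offline; the Dock plist layout (persistent-apps → tile-data → file-label / file-data → _CFURLString) matches the real preference file.

```python
"""Audit helpers for the XCSSET 'zshrc' and 'dock' persistence techniques.

Added example code (not Microsoft's or Apple's). Sample inputs are constructed.
"""
import plistlib
import re
from pathlib import Path

# Any non-comment line that mentions the file name XCSSET drops is worth a look,
# whether it is sourced ("source ~/.zshrc_aliases", ". ~/.zshrc_aliases") or run.
ALIASES_REF = re.compile(r"\.zshrc_aliases\b")

# Assumption: on Catalina and later the genuine Launchpad lives here.
LEGIT_LAUNCHPAD_PREFIX = "file:///System/Applications/Launchpad.app"

# Constructed ~/.zshrc: one benign line, one commented-out reference, one live hook.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
# source ~/.zshrc_aliases   (commented out, should not be flagged)
source ~/.zshrc_aliases
"""


def find_zshrc_hooks(zshrc_text: str) -> list[str]:
    """Return the non-comment lines of a .zshrc that reference .zshrc_aliases."""
    hits = []
    for line in zshrc_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if ALIASES_REF.search(stripped):
            hits.append(stripped)
    return hits


def make_dock_plist(launchpad_url: str) -> bytes:
    """Build a minimal com.apple.dock plist with one Launchpad tile (constructed)."""
    dock = {
        "persistent-apps": [
            {
                "tile-data": {
                    "file-label": "Launchpad",
                    "file-data": {"_CFURLString": launchpad_url, "_CFURLStringType": 15},
                }
            },
            {
                "tile-data": {
                    "file-label": "Safari",
                    "file-data": {
                        "_CFURLString": "file:///Applications/Safari.app/",
                        "_CFURLStringType": 15,
                    },
                }
            },
        ]
    }
    return plistlib.dumps(dock)


def suspicious_launchpad_entries(dock_plist: bytes) -> list[str]:
    """Return Launchpad tile URLs that do not point at the legitimate app bundle."""
    dock = plistlib.loads(dock_plist)
    bad = []
    for item in dock.get("persistent-apps", []):
        tile = item.get("tile-data", {})
        label = tile.get("file-label", "")
        url = tile.get("file-data", {}).get("_CFURLString", "")
        if label == "Launchpad" and not url.startswith(LEGIT_LAUNCHPAD_PREFIX):
            bad.append(url)
    return bad


# Constructed Dock plists: one with a relocated Launchpad, one clean.
TAMPERED_DOCK = make_dock_plist("file:///Users/dev/Library/Launchpad.app/")
CLEAN_DOCK = make_dock_plist("file:///System/Applications/Launchpad.app/")


def audit_home(zshrc_path: Path, dock_plist_path: Path) -> dict[str, list[str]]:
    """Run both checks against real files (e.g. ~/.zshrc and
    ~/Library/Preferences/com.apple.dock.plist) and return the findings."""
    zshrc = zshrc_path.read_text() if zshrc_path.exists() else ""
    dock = dock_plist_path.read_bytes() if dock_plist_path.exists() else b""
    return {
        "zshrc_hooks": find_zshrc_hooks(zshrc),
        "dock_launchpad": suspicious_launchpad_entries(dock) if dock else [],
    }


if __name__ == "__main__":
    print("zshrc hooks:", find_zshrc_hooks(SAMPLE_ZSHRC))
    print("tampered dock:", suspicious_launchpad_entries(TAMPERED_DOCK))
    print("clean dock:", suspicious_launchpad_entries(CLEAN_DOCK))
```

On a live Mac, call audit_home(Path.home() / ".zshrc", Path.home() / "Library/Preferences/com.apple.dock.plist"); an empty result for both keys means neither artifact is present, while any Launchpad URL outside /System/Applications or any live reference to .zshrc_aliases deserves a closer look at the Xcode projects recently opened on that machine.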

The new XCSSET variant is particularly challenging to detect due to its randomized approach to generating payloads in infected Xcode projects. “Both its encoding technique and number of encoding iterations are randomized. […] At its code level, the variant’s module names are also obfuscated, making it more challenging to determine the modules’ intent,” Microsoft’s cybersecurity researchers noted.

To protect against this threat, Microsoft advises Mac users to scan for infections with Microsoft Defender for Endpoint. Additionally, developers should thoroughly inspect any Xcode projects downloaded or cloned from repositories, as the malware spreads through compromised projects. Installing applications exclusively from trusted sources, such as official app stores, is also recommended to reduce the risk of infection.
