Microsoft spots XCSSET macOS malware variant used for crypto theft
3 mins read

Microsoft spots XCSSET macOS malware variant used for crypto theft

geekfeed0Tagged , , , , ,

A new variant of the XCSSET macOS modular malware has emerged in attacks that target users’ sensitive information, including digital wallets and data from the legitimate Notes app.

The malware is typically distributed through infected Xcode projects. It has been around for at least five years and each update represents a milestone in XCSSET’s development. The current improvements are the first ones observed since 2022.

Microsoft’s Threat Intelligence team identified the latest variant in limited attacks and says that compared to past XCSSET variants, the new one features enhanced code obfuscation, better persistence, and new infection strategies.

In May 2021, Apple fixed a vulnerability that was actively exploited as a zero-day by XCSSET, an indication of the malware developer’s capabilities.

New XCSSET variant in the wild

Microsoft warns today of new attacks that use a variant of the XCSSET macOS malware with improvements across the board. Some of the key modifications the researchers spotted include:

  • New obfuscation through encoding techniques that rely on both Base64 and xxd (hexdump) methods that vary in the number of iterations. Module names in the code are also obfuscated, which makes more difficult analyzing their intent
  • Two persistence techniques (zshrc and dock)
  • New Xcode infection methods: the malware uses the TARGET, RULE, or FORCED_STRATEGY options to place the payload in the Xcode project. It may also insert the payload into the TARGET_DEVICE_FAMILY key within build settings, and runs it at a later stage

For the zshrc persistence method, the new XCSSET variant creates a file named ~/.zshrc_aliases that contains the payload and appends a command in the ~/.zshrc file. This way, the created file launches whenever a new shell session starts.

For the dock method, a signed dockutil tool is downloaded from the attacker’s command-and-control (C2) server to manage dock items.

XCSSET then creates a malicious Launchpad application with the payload and changes the legitimate app’s path to point to the fake one. As a result, when the Launchpad in the dock starts, both the genuine application and the malicious payload are executed.

Xcode is Apple’s developer toolset that comes with an Integrated Development Environment (IDE) and allows creating, testing, and distributing apps for all Apple platforms.

An Xcode project can be created from scratch or built based on resources downloaded/cloned from various repositories. By targeting them, XCSSET’s operator can reach a larger pool of victims.

XCSSET has multiple modules to parse data on the system, collect sensitive information, and exfiltrate it. The type of data targeted includes logins, info from chat applications and browsers, Notes app, digital wallets, system information and files.

Microsoft recommends inspecting and verifying Xcode projects and codebases cloned from unofficial repositories, as those can hide obfuscated malware or backdoors.

Leave a Reply

Your email address will not be published. Required fields are marked *

Website https://geekfeed.net

Related Posts