Ethical Hacking News
Microsoft has detected a new variant of the XCSSET macOS malware family with enhanced features, including improved infection methods, obfuscation techniques, and enhanced payloads. The latest threat marks the first publicly known update since 2022 and raises concerns among developers and users.
The XCSSET malware family has resurfaced with new features, marking the first publicly known update since 2022. The malware targets app developers and spreads through publicly shared Xcode project files. The new variant adds capabilities such as creating a fake Launchpad app. Microsoft has also detected enhanced infection methods, such as selectable payload trigger options, and obfuscation through Base64-encoding. XCSSET contains multiple modules for collecting and exfiltrating sensitive data from infected devices. Microsoft recommends that developers inspect all Xcode projects downloaded or cloned from repositories to avoid being compromised.
The XCSSET macOS malware family, which has threatened Mac users since at least 2020, has recently resurfaced with new and enhanced features. Microsoft reports that its security team has detected a new variant of this powerful malware, the first publicly known update since 2022.
XCSSET was first discovered in 2020 by the security firm Trend Micro, which reported that it targeted app developers by spreading through a publicly available project written for Xcode, the developer tool that Apple makes freely available. The malware drew immediate attention because it exploited two zero-day vulnerabilities at the time.
In subsequent years, XCSSET has continued to evolve and adapt as new variants emerged. In 2021 it was used to backdoor developers' devices, and later that year researchers discovered a new zero-day exploit used by the malware. Its ability to target app developers and spread through publicly shared projects makes it particularly concerning.
The latest variant of XCSSET introduces several enhancements to its capabilities. Microsoft reported that the new variant creates a file named ~/.zshrc_aliases containing the malicious payload, then appends a command to the ~/.zshrc file so that the created file is executed every time a new shell session starts. The variant also creates a fake Launchpad app and replaces the legitimate Launchpad path entry with the path to this fake app.
As a result, the malicious payload runs each time Launchpad is opened from the macOS dock. Microsoft also reported enhanced infection methods, including letting the attacker choose among options such as TARGET, RULE, or FORCED_STRATEGY to control when XCSSET triggers its payload. Another enhancement places the payload inside the TARGET_DEVICE_FAMILY key under build settings and runs it at a later phase.
Microsoft also noted enhanced obfuscation, mainly a significantly more randomized approach to generating the payloads that infect Xcode projects. This increased randomization, combined with Base64-encoding of the module names the malware creates, makes the malicious code much harder to spot.
XCSSET contains multiple modules for collecting and exfiltrating sensitive data from infected devices. Microsoft Defender for Endpoint on Mac now detects the new XCSSET variant, but other malware detection engines may take time to follow suit. Unfortunately, Microsoft did not release file hashes or other indicators of compromise that people can use to determine if they have been targeted.
In response to this latest threat, Microsoft recommends that developers inspect all Xcode projects downloaded or cloned from repositories. Sharing such projects is routine among developers, and XCSSET exploits that trust by spreading through malicious projects created by attackers.
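As an added example (not Microsoft's detection logic and not code from the article), the following Python triage script looks for the two artifacts described above: ~/.zshrc lines that reference .zshrc_aliases, and TARGET_DEVICE_FAMILY build settings in a project.pbxproj whose value is not a plain device-family list. The sample file contents are constructed, and PAYLOAD_PLACEHOLDER stands in for an encoded payload.

```python
"""Triage checks for the XCSSET artifacts described in the article.

Added example, not Microsoft's detection logic. Sample inputs below are
constructed; on a real system the files are ~/.zshrc and the
project.pbxproj inside each Xcode project. A legitimate
TARGET_DEVICE_FAMILY value is only a list of device-family numbers
(e.g. 1, 2, "1,2"), so anything else in that key warrants inspection.
"""
import re

# Any shell-profile line that references the file the variant drops.
ALIASES_RE = re.compile(r"\.zshrc_aliases")

# Build-setting entries look like: TARGET_DEVICE_FAMILY = "1,2";
DEVICE_FAMILY_RE = re.compile(r"TARGET_DEVICE_FAMILY\s*=\s*(.*?);")
# Benign values: digits separated by commas, optionally double-quoted.
BENIGN_FAMILY_RE = re.compile(r'^"?\d+(,\d+)*"?$')


def suspicious_zshrc_lines(zshrc_text):
    """Return lines of a ~/.zshrc that reference .zshrc_aliases (review by hand)."""
    return [ln.strip() for ln in zshrc_text.splitlines() if ALIASES_RE.search(ln)]


def suspicious_device_family(pbxproj_text):
    """Return TARGET_DEVICE_FAMILY values that are not a plain device list."""
    hits = []
    for match in DEVICE_FAMILY_RE.finditer(pbxproj_text):
        value = match.group(1).strip()
        if not BENIGN_FAMILY_RE.match(value):
            hits.append(value)
    return hits


# Constructed samples: one clean build setting next to an abused one, and a
# ~/.zshrc that sources the dropped file (PAYLOAD_PLACEHOLDER is not real).
SAMPLE_PBXPROJ = """
    buildSettings = {
        TARGET_DEVICE_FAMILY = "1,2";
        TARGET_DEVICE_FAMILY = "1,2 $(base64 -d <<< PAYLOAD_PLACEHOLDER | sh)";
    };
"""
SAMPLE_ZSHRC = "export PATH=$HOME/bin:$PATH\n. ~/.zshrc_aliases\n"

if __name__ == "__main__":
    print("zshrc hits:", suspicious_zshrc_lines(SAMPLE_ZSHRC))
    print("pbxproj hits:", suspicious_device_family(SAMPLE_PBXPROJ))
```

A hit from either function is a prompt for manual review of the file, not a confirmed infection; Microsoft has not published indicators for this variant.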
Related Information:
https://arstechnica.com/security/2025/02/microsoft-warns-that-the-powerful-xcsset-macos-malware-is-back-with-new-tricks/
https://www.securityweek.com/microsoft-warns-of-improvements-to-xcsset-macos-malware/
Published: Tue Feb 18 17:47:33 2025 by llama3.2 3B Q4_K_M