Enhanced XCSSET Malware Targets MacOS Users with Advanced Obfuscation

Microsoft Threat Intelligence has recently identified a new variant of the XCSSET malware, a sophisticated and modular malware specifically designed for macOS. This malware is notorious for its ability to infiltrate Xcode projects, and the latest iteration showcases enhanced obfuscation techniques, updated persistence mechanisms, and innovative infection strategies that complicate detection and removal efforts.

The primary targets of this malware are software developers who frequently share Xcode project files, exploiting the collaborative nature of development environments to facilitate its spread.

Advanced Techniques and Infection Chain

This new variant of XCSSET operates through a four-stage infection chain. It begins with an obfuscated shell payload that activates when an infected Xcode project is built. This initial payload establishes communication with a command-and-control (C2) server to download additional payloads, which are executed via shell scripts. The malware employs both hexdump and Base64 encoding to obscure its payloads, significantly hindering static analysis efforts.

To evade detection, the malware checks the version of XProtect, macOS’s built-in antivirus. Its persistence techniques are notably sophisticated, involving modifications to shell configuration files and the creation of deceptive Launchpad applications. These tactics ensure that the malware’s payload is executed during specific events, such as the initiation of new shell sessions or when a user accesses Launchpad.
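The two hiding places named above, shell build phases in an Xcode project and shell start-up files, can both be checked with the same heuristic: a line that decodes data (Base64 or hex) and hands the result straight to a shell interpreter. The script below is an added example written for this page, not code from Microsoft or from the report; the indicator list is an assumption derived from the behaviour described (hexdump/Base64-wrapped shell stages), and the `project.pbxproj` fragment and `.zshrc` content are constructed samples.

```python
"""Heuristic scan for decode-and-execute shell chains in Xcode build phases
and shell start-up files. Added example, not code from the report; the
indicator regexes are an assumption based on the described behaviour and
the sample inputs below are constructed."""
import re
from dataclasses import dataclass

# Two indicator families. A line is flagged only when a *decoder* and an
# *executor* occur together: "base64 -D" on its own is common in legitimate
# build phases (certificates, provisioning profiles), so it is not reported.
DECODERS = {
    "base64_decode": re.compile(r"\bbase64\s+(-[dD]\b|--decode\b)"),
    "hex_decode": re.compile(r"\b(xxd\s+-r\b|hexdump\b)"),
}
EXECUTORS = {
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "eval": re.compile(r"\beval\b"),
}

# The quoted value of a shellScript key in project.pbxproj; the value is a
# C-style escaped string (\n, \", \\).
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')


@dataclass(frozen=True)
class Finding:
    origin: str
    line_no: int
    indicators: tuple
    text: str


def _unescape_pbxproj(value):
    """Turn the pbxproj escaped string into the script text Xcode would run."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                  value)


def scan_text(text, origin):
    """Return one Finding per line that both decodes and executes."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        decoders = {n for n, rx in DECODERS.items() if rx.search(line)}
        executors = {n for n, rx in EXECUTORS.items() if rx.search(line)}
        if decoders and executors:
            names = tuple(sorted(decoders | executors))
            findings.append(Finding(origin, line_no, names, line.strip()))
    return findings


def scan_pbxproj(text, origin="project.pbxproj"):
    """Extract every shell build-phase script from a pbxproj and scan it."""
    findings = []
    for n, m in enumerate(SHELL_SCRIPT_RE.finditer(text), start=1):
        script = _unescape_pbxproj(m.group(1))
        findings.extend(scan_text(script, f"{origin} (shellScript #{n})"))
    return findings


# Constructed sample: one benign lint phase, one decode-and-run phase.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        ABC123 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "# Run SwiftLint\nif which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        DEF456 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "echo ZWNobyBoZWxsbwo= | base64 -D | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Constructed sample: normal rc lines plus a hex-decode-and-run persistence line.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
# constructed example of a line that runs on every new shell session
printf 6563686f2068656c6c6f | xxd -r -p | zsh
"""

if __name__ == "__main__":
    for f in scan_pbxproj(SAMPLE_PBXPROJ) + scan_text(SAMPLE_ZSHRC, "~/.zshrc"):
        print(f"{f.origin}:{f.line_no} {','.join(f.indicators)}: {f.text}")
```

Run against a real checkout, point `scan_pbxproj` at each `*.xcodeproj/project.pbxproj` and `scan_text` at `~/.zshrc`, `~/.zprofile`, `~/.bashrc` and `~/.bash_profile`; every hit is something to read by hand, since the co-occurrence rule removes the common legitimate decoders but cannot tell a packed payload from an unusual but honest script.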

The final stage of the infection involves an AppleScript payload that collects vital system information, including the macOS version, Safari version, and firewall status, subsequently transmitting this data back to the C2 server. This payload also overrides the default logging function to redirect logs to the C2 server. The malware is equipped with sub-modules designed for various malicious activities, including stealing system information, listing browser extensions, downloading additional modules, and extracting digital wallet data from browsers.

One particularly concerning sub-module, known as cozfi_xhh, employs a JavaScript payload to pilfer notes from the Notes application.

Impact

While the new XCSSET variant has been observed in a limited number of attacks, its advanced capabilities present a considerable threat to macOS users, especially developers. Microsoft has communicated these findings to Apple, highlighting the necessity of collaboration in addressing such threats.

To safeguard against this malware, users are advised to exercise caution when opening or sharing Xcode projects, ensure their systems are updated with the latest security patches, and utilize robust antivirus software. Furthermore, developers should adopt secure coding practices and routinely scan their projects for malware. As the threat landscape continues to evolve, remaining informed about emerging threats like XCSSET is essential for maintaining effective cybersecurity.
