Microsoft Threat Intelligence has identified a new variant of the XCSSET malware for macOS that targets software developers who share Xcode project files. The variant features enhanced obfuscation techniques, updated persistence mechanisms, and a four-stage infection chain that begins with an obfuscated shell payload, which runs when an infected Xcode project is built.

The malware communicates with a command-and-control (C2) server to download additional payloads and employs encoding methods to hinder detection. It checks the version of XProtect to evade detection and modifies shell configuration files for persistence. The final stage involves an AppleScript payload that collects system information and redirects logs to the C2 server. The malware includes sub-modules for various malicious activities, such as stealing system information and extracting digital wallet data.

Although it has been observed in only a limited number of attacks, its advanced capabilities pose a significant threat to macOS users. Users are advised to exercise caution with Xcode projects, keep systems updated, and use robust antivirus software.
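Because the chain described above starts from a shell payload that runs at build time, one practical way to "exercise caution" is to read a shared project's shell script build phases before building it. The following is an added example, not detection logic from Microsoft's report: it pulls every `shellScript` out of a `project.pbxproj` and flags decode-and-execute or download-and-execute patterns. The rule patterns and the sample project fragment are constructed for illustration and are not indicators of this variant.

```python
import re

# Heuristics chosen for this example (assumptions, not indicators from the report).
RULES = {
    "decode-piped-to-shell": re.compile(r"(base64\s+(-d|-D|--decode)|xxd\s+-r)[^\n]*\|\s*(ba|z)?sh\b"),
    "download-piped-to-shell": re.compile(r"\bcurl\b[^\n]*\|\s*(ba|z)?sh\b"),
    "eval-of-command-output": re.compile(r"\beval\s+[\"']?\$\("),
    "long-encoded-literal": re.compile(r"[A-Za-z0-9+/=]{120,}"),
}
PHASE_RE = re.compile(r"(\w+)\s*(?:/\*.*?\*/)?\s*=\s*\{\s*isa\s*=\s*PBXShellScriptBuildPhase;")
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";', re.S)
ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}

def unescape(s):
    """Undo the backslash escapes used inside quoted pbxproj strings."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)

def scan_pbxproj(text):
    """Return {phase_id: [rule names]} for each shell script build phase that trips a rule."""
    findings = {}
    for phase in PHASE_RE.finditer(text):
        script = SCRIPT_RE.search(text, phase.end())
        if not script:
            continue
        body = unescape(script.group(1))
        hits = [name for name, rx in RULES.items() if rx.search(body)]
        if hits:
            findings[phase.group(1)] = hits
    return findings

# Constructed sample: two build phases; the second decodes a string and pipes it to sh.
SAMPLE = r'''
/* Begin PBXShellScriptBuildPhase section */
		AAAA00000000000000000001 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
		};
		AAAA00000000000000000002 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "echo \"Y29uc3RydWN0ZWQ=\" | base64 --decode | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    for phase_id, hits in scan_pbxproj(SAMPLE).items():
        print(phase_id, ", ".join(hits))
```

A clean result only means none of these heuristics matched; any build phase that was not written by the project's own maintainers still deserves a manual read.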