Microsoft Discovers New Variant of XCSSET macOS Malware

Microsoft has disclosed a new variant of the XCSSET macOS malware, the first known update to the family since 2022. This iteration combines heavier obfuscation, additional persistence mechanisms, and new infection strategies, and so poses a greater threat to macOS users, and in particular to developers whose Xcode projects it targets.

What is XCSSET?

XCSSET is a modular macOS malware family that spreads through Apple Xcode projects: it injects its payload into a project so that the malware runs when the infected project is built, and it travels wherever that project's source is shared. First identified by Trend Micro in August 2020, XCSSET has been updated over the years to follow newer macOS versions and to run natively on Apple silicon (M1). Its capabilities include targeting cryptocurrency wallets, extracting data from the Notes app, and exfiltrating sensitive system information and files.

Recent Developments

According to the Microsoft Threat Intelligence team, the new variant adds several features that complicate analysis and detection. The payload is more heavily obfuscated than in earlier samples, which makes its logic harder for analysts to dissect. The variant also modifies the user's shell startup configuration so that the payload runs with every new shell session, giving it a foothold that survives a reboot or a closed terminal.

Innovative Persistence Mechanisms

One of the novel techniques in this variant involves downloading a signed copy of dockutil from a command-and-control server. dockutil is a legitimate open-source command-line tool for managing items in the macOS Dock, and a signed copy lets the malware use it without tripping Gatekeeper. Using it, the malware creates a counterfeit Launchpad application and replaces the path of the legitimate Launchpad entry in the Dock with the path to the fake one. When the user clicks Launchpad, the fake application launches both the genuine Launchpad and the malicious payload, so nothing looks wrong to the user while the malware is re-executed.
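The two persistence mechanisms above (a hook in the shell startup configuration, and a Dock tile labelled Launchpad that points somewhere other than the real app) leave artifacts an analyst can check for offline. The script below is an added triage example written for this page; it is not code from Microsoft's report or from the malware, and the file names, the `/Users/demo/...` path and the sample `.zshrc` lines in it are constructed, not real indicators. It assumes the Dock's layout is stored in `~/Library/Preferences/com.apple.dock.plist` under `persistent-apps` (which it is on current macOS) and that "launches with every new shell session" means a command added to a startup file such as `~/.zshrc`. The Dock check is an exact comparison against the known Launchpad locations; the shell check is a heuristic that surfaces every line which executes or sources something, for the analyst to compare against what they expect in their own configuration.

```python
"""Offline triage for the two XCSSET persistence artifacts described above.

Added example, not Microsoft's or the malware's code. Assumptions: the Dock
swap shows up in com.apple.dock.plist as a "Launchpad" tile whose path is not
the genuine app, and the shell persistence is a line added to a startup file.
"""
import plistlib
import re
from typing import Dict, List, Tuple

# Where the genuine Launchpad lives. A "Launchpad" tile anywhere else is suspect.
LEGIT_LAUNCHPAD_PATHS = {
    "/System/Applications/Launchpad.app",  # macOS 10.15 (Catalina) and later
    "/Applications/Launchpad.app",         # earlier releases
}

# A startup-file line that runs or sources something else. Heuristic for review,
# not a malware signature: legitimate tool hooks (nvm, pyenv, ...) match as well.
HOOK_RE = re.compile(
    r"^\s*(?:source|\.|eval|exec|sh|bash|zsh|osascript|nohup|open)\s"  # runs/sources a file
    r"|\$\(|`"                                                          # command substitution
    r"|\b(?:curl|wget)\b"                                               # fetches from the network
    r"|\bbase64\b[^#]*\s(?:-d|-D|--decode)\b"                           # decodes an embedded blob
)


def _cfurl_to_path(url: str) -> str:
    """Turn a Dock _CFURLString such as file:///Applications/Foo.app/ into /Applications/Foo.app."""
    if url.startswith("file://"):
        url = url[len("file://"):]
    return url.rstrip("/")


def suspicious_launchpad_tiles(dock_plist: bytes) -> List[str]:
    """Paths of Dock tiles presented as Launchpad that do not point at the genuine app."""
    dock = plistlib.loads(dock_plist)
    hits = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        path = _cfurl_to_path(data.get("file-data", {}).get("_CFURLString", ""))
        looks_like_launchpad = label == "Launchpad" or path.endswith("/Launchpad.app")
        if looks_like_launchpad and path not in LEGIT_LAUNCHPAD_PATHS:
            hits.append(path)
    return hits


def shell_startup_hooks(rc_text: str) -> List[Tuple[int, str]]:
    """(line number, line) for every non-comment startup-file line that executes or sources something."""
    hooks = []
    for lineno, line in enumerate(rc_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if HOOK_RE.search(stripped):
            hooks.append((lineno, stripped))
    return hooks


def triage(dock_plist: bytes, rc_files: Dict[str, str]) -> Dict[str, object]:
    """Run both checks and return one report, keyed by what was examined."""
    return {
        "launchpad_tiles": suspicious_launchpad_tiles(dock_plist),
        "startup_hooks": {name: shell_startup_hooks(text) for name, text in rc_files.items()},
    }


def _dock_plist(*tiles: Tuple[str, str]) -> bytes:
    """Build a minimal com.apple.dock.plist from (label, file URL) pairs (constructed test data)."""
    return plistlib.dumps({
        "persistent-apps": [
            {"tile-data": {"file-label": label,
                           "file-data": {"_CFURLString": url, "_CFURLStringType": 15}}}
            for label, url in tiles
        ]
    })


# Constructed samples: a Dock whose Launchpad tile points at a look-alike bundle under the
# user's home directory, a clean Dock for comparison, and a ~/.zshrc with a benign export,
# a common tool hook, and an appended line that runs a hidden script. Not real indicators.
SAMPLE_DOCK_PLIST = _dock_plist(
    ("Safari", "file:///Applications/Safari.app/"),
    ("Launchpad", "file:///Users/demo/Library/Launchpad.app/"),
)
SAMPLE_CLEAN_DOCK_PLIST = _dock_plist(
    ("Launchpad", "file:///System/Applications/Launchpad.app/"),
)
SAMPLE_ZSHRC = """\
# constructed example ~/.zshrc
export PATH="$HOME/bin:$PATH"
source ~/.nvm/nvm.sh
zsh ~/.hidden_startup.sh >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DOCK_PLIST, {"~/.zshrc": SAMPLE_ZSHRC}), indent=2))
```

On a live system you would pass the bytes of `~/Library/Preferences/com.apple.dock.plist` and the contents of `~/.zshrc`, `~/.zprofile`, `~/.bashrc` and `~/.bash_profile` instead of the constructed samples; a hit in `launchpad_tiles` is a strong signal, while each entry in `startup_hooks` only needs a human to confirm it is something the user put there.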

Historical Context and Evolution

XCSSET has a history of tracking macOS changes and abusing weaknesses in the platform. In mid-2021 it was reported to steal data from a range of applications, including Google Chrome, Telegram, and Apple's own first-party apps. It also exploited CVE-2021-30713, then a zero-day bypass of macOS's Transparency, Consent, and Control (TCC) privacy framework, to capture screenshots without the Screen Recording permission prompt the user would otherwise see. The malware has continued to evolve, with updates that support newer macOS versions, including Monterey.
