Digital Event Horizon
Microsoft has detected new variants of XCSSET, a powerful macOS malware that has been targeting Mac users since 2020. The updated variants add new persistence methods, stronger obfuscation, and new ways of infecting Xcode projects. To stay safe, developers should inspect all Xcode projects they download or clone and monitor their systems for signs of infection. This evolving threat highlights the need for continued vigilance in cybersecurity.
The XCSSET macOS malware family has recently updated its tactics, becoming more sophisticated than ever. The new variants use enhanced persistence methods and improved obfuscation techniques to evade detection by security software. A new method creates a file named ~/.zshrc_aliases to launch the malicious payload every time a new shell session is initiated. Another method involves creating a fake Launchpad app to replace the legitimate Launchpad path entry and start the malicious payload each time it's launched. The malware has introduced enhanced infection methods, including options like TARGET, RULE, or FORCED_STRATEGY to choose when to trigger its payload. A new method involves placing the payload inside the TARGET_DEVICE_FAMILY key under build settings and running it at a later phase. The XCSSET malware family now uses significantly more randomized approaches for generating payloads, making spotting the malicious code harder. Microsoft Defender for Endpoint on Mac detects this new variant, but file hashes or indicators of compromise have not been released. Users can reduce the risk of being affected by this threat landscape by inspecting all Xcode projects downloaded or cloned from repositories and monitoring their systems for signs of infection.
Microsoft has warned that the powerful XCSSET macOS malware family, which has been targeting Mac users since 2020, has recently updated its tactics and is now more sophisticated than ever. The new variants introduce enhanced persistence methods, allowing the malware to survive on compromised devices for an extended period. They also include improved obfuscation techniques, making it even harder for security software to detect the malicious code.
According to Microsoft, one new persistence method used by the XCSSET variant creates a file named ~/.zshrc_aliases that contains the malicious payload. A command is then appended to ~/.zshrc so that the created file is executed every time a new shell session is started. Another method creates a fake Launchpad app and replaces the path in the legitimate Launchpad entry with the path to the fake one, so the malicious payload runs each time Launchpad is opened from the macOS dock.
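The two persistence artefacts above are simple to hunt for on a host. The script below is an added example, not code from Microsoft or from the article: it checks an rc file for a reference to .zshrc_aliases and checks an XML-format Dock plist for a Launchpad entry whose path is not the system one. The sample rc file and Dock plist it creates are constructed (the exact command the malware appends and the location of its fake Launchpad are assumptions, since the article does not give them); on macOS, `--live` runs the checks against the current user, converting the binary Dock plist with `plutil` first.

```shell
#!/bin/sh
# Added hunting helper (not Microsoft's or the article's code). Looks for the
# two persistence artefacts described above: a ~/.zshrc that references
# ~/.zshrc_aliases, and a Dock Launchpad entry pointing outside
# /System/Applications. Checks take file paths so they run offline on samples.

# Exit 0 (suspicious) if the rc file references .zshrc_aliases, 1 otherwise.
# Matching lines are printed with their line numbers.
check_zshrc() {
  rc="$1"
  [ -f "$rc" ] || return 1
  grep -nE '(^|[[:space:]/])\.zshrc_aliases' "$rc"
}

# Exit 0 if an XML-format com.apple.dock plist holds a Launchpad URL other than
# file:///System/Applications/Launchpad.app/, 1 otherwise.
check_dock() {
  plist="$1"
  [ -f "$plist" ] || return 1
  grep -o 'file://[^<]*Launchpad[^<]*' "$plist" \
    | grep -v '^file:///System/Applications/Launchpad\.app/\{0,1\}$' \
    | grep -q .
}

# Constructed samples (assumed shapes, not captured infection data).
make_samples() {
  dir="$1"
  mkdir -p "$dir"
  printf 'export PATH="$HOME/bin:$PATH"\nalias ll="ls -la"\n' > "$dir/clean_zshrc"
  # The article only says a command is appended to ~/.zshrc to launch the
  # file; sourcing it is one plausible form of that command (assumption).
  printf 'alias ll="ls -la"\n. ~/.zshrc_aliases\n' > "$dir/infected_zshrc"
  cat > "$dir/clean_dock.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>persistent-apps</key><array>
<dict><key>tile-data</key><dict><key>file-data</key><dict>
<key>_CFURLString</key><string>file:///System/Applications/Launchpad.app/</string>
<key>_CFURLStringType</key><integer>15</integer></dict></dict></dict>
</array></dict></plist>
EOF
  # Hypothetical fake-Launchpad location standing in for wherever a real
  # sample drops its copy.
  sed 's#file:///System/Applications/Launchpad.app/#file:///Users/dev/Library/Launchpad.app/#' \
    "$dir/clean_dock.plist" > "$dir/infected_dock.plist"
}

# Run both checks for the current user on macOS. The Dock plist is stored in
# binary form, so it is converted to XML with plutil before grepping.
hunt_live() {
  if check_zshrc "$HOME/.zshrc"; then echo "[!] ~/.zshrc references .zshrc_aliases"; fi
  if [ -e "$HOME/.zshrc_aliases" ]; then echo "[!] ~/.zshrc_aliases exists"; fi
  tmp=$(mktemp)
  if plutil -convert xml1 -o "$tmp" "$HOME/Library/Preferences/com.apple.dock.plist" 2>/dev/null \
     && check_dock "$tmp"; then
    echo "[!] Dock Launchpad entry points outside /System/Applications"
  fi
  rm -f "$tmp"
}

case "${1:-}" in
  --live) hunt_live ;;
  *) d=$(mktemp -d); make_samples "$d"
     check_zshrc "$d/infected_zshrc" >/dev/null && echo "sample rc: flagged (expected)"
     check_dock "$d/infected_dock.plist" && echo "sample dock: flagged (expected)"
     rm -rf "$d" ;;
esac
```

A hit from either check is a lead, not a verdict: a developer may legitimately keep aliases in a separate file, so read the referenced file before acting, and treat any Launchpad entry outside /System/Applications as worth pulling for analysis.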
The XCSSET malware family has also introduced enhanced infection methods, including options (TARGET, RULE, or FORCED_STRATEGY) that determine when the payload is triggered during a build. Additionally, a new method places the payload inside the TARGET_DEVICE_FAMILY key under the project's build settings and executes it in a later build phase. These enhancements make it even more challenging for security software to detect and mitigate the malware.
Furthermore, Microsoft has detected an enhanced obfuscation method in the form of a significantly more randomized approach for generating payloads to infect Xcode projects. This increased randomization makes spotting the malicious code much harder. The new XCSSET variant also Base64-encodes the module names it creates, further complicating detection efforts.
XCSSET is made up of multiple modules that collect and exfiltrate sensitive data from infected devices. Microsoft Defender for Endpoint on Mac now detects this new variant, and other malware detection engines are likely to follow suit soon. However, Microsoft did not release file hashes or indicators of compromise, which would enable users to determine whether they have been targeted.
To avoid falling prey to these new variants, Microsoft advises developers to inspect all Xcode projects downloaded or cloned from repositories. Since sharing these projects is a common practice among developers, the malware exploits this trust to spread. By taking proactive measures and monitoring their systems for signs of infection, users can reduce the risk of being affected by this evolving threat landscape.
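Since no hashes or indicators of compromise were published, the inspection Microsoft recommends has to be done by looking at what an infected project would contain. The script below is an added example (not Microsoft's or the article's code) that puts the infection details above into a check a developer can run on a checkout before opening it in Xcode: it flags any TARGET_DEVICE_FAMILY build setting whose value is not the plain device list Xcode writes, and lists every shell-script build phase for manual reading. Xcode itself spells the key TARGETED_DEVICE_FAMILY, so both spellings are matched. The project.pbxproj fragments it creates are constructed samples, and the "payload" in the suspicious one is a harmless stand-in.

```shell
#!/bin/sh
# Added inspection helper (not Microsoft's or the article's code) for reviewing
# Xcode projects before building them. Flags non-numeric TARGET_DEVICE_FAMILY
# values (Xcode's own spelling is TARGETED_DEVICE_FAMILY; both are matched) and
# lists shell-script build phases. Samples below are constructed, not real.

# Exit 0 (suspicious) if any TARGET(ED)_DEVICE_FAMILY assignment holds anything
# other than a digits-and-commas list such as "1,2"; offending lines are printed.
check_device_family() {
  pbx="$1"
  [ -f "$pbx" ] || return 1
  grep -nE 'TARGET(ED)?_DEVICE_FAMILY[[:space:]]*=' "$pbx" \
    | grep -vE 'TARGET(ED)?_DEVICE_FAMILY[[:space:]]*=[[:space:]]*("[0-9](,[0-9])*"|[0-9](,[0-9])*);[[:space:]]*$'
}

# Print every shellScript entry with its line number; exit 0 if there is one.
list_build_scripts() {
  [ -f "$1" ] || return 1
  grep -nE 'shellScript[[:space:]]*=' "$1"
}

# Walk a checkout and run both checks on each project.pbxproj found.
scan_projects() {
  find "$1" -name project.pbxproj -type f | while read -r pbx; do
    echo "== $pbx"
    check_device_family "$pbx" && echo "   [!] non-numeric TARGET_DEVICE_FAMILY value"
    list_build_scripts "$pbx" && echo "   [i] shell-script build phase(s) present; read them before building"
  done
}

# Constructed project.pbxproj fragments: one as Xcode writes it, one with a
# stand-in payload in the device-family key and a script phase (assumed shape).
make_samples() {
  dir="$1"
  mkdir -p "$dir/Clean.xcodeproj" "$dir/Suspicious.xcodeproj"
  cat > "$dir/Clean.xcodeproj/project.pbxproj" <<'EOF'
    buildSettings = {
      PRODUCT_NAME = "$(TARGET_NAME)";
      TARGETED_DEVICE_FAMILY = "1,2";
    };
EOF
  cat > "$dir/Suspicious.xcodeproj/project.pbxproj" <<'EOF'
    buildSettings = {
      PRODUCT_NAME = "$(TARGET_NAME)";
      TARGETED_DEVICE_FAMILY = "1,2; /bin/sh -c 'echo constructed-payload-stand-in'";
    };
    shellScript = "\"${SRCROOT}/build_helper.sh\"\n";
EOF
}

# Usage: sh inspect_xcodeproj.sh /path/to/checkout
case "${1:-}" in
  "") d=$(mktemp -d); make_samples "$d"; scan_projects "$d"; rm -rf "$d" ;;
  *) scan_projects "$1" ;;
esac
```

A shell-script build phase is normal in many projects, which is why the script only lists them rather than flagging them; the point is that every such phase, and anything unusual in build settings, gets read by a human before the project is built, because building is exactly when XCSSET's payload runs.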
Related Information:
https://arstechnica.com/security/2025/02/microsoft-warns-that-the-powerful-xcsset-macos-malware-is-back-with-new-tricks/
https://www.csoonline.com/article/3826783/xcsset-macos-malware-reappears-with-new-attack-strategies-microsoft-sounds-alarm.html
Published: Tue Feb 18 16:36:04 2025 by llama3.2 3B Q4_K_M