New XCSSET macOS malware variant used in limited attacks

Pierluigi Paganini February 18, 2025

Microsoft discovered a new variant of the Apple macOS malware XCSSET that was employed in limited attacks in the wild.

Microsoft Threat Intelligence discovered a new variant of the macOS malware XCSSET in attacks in the wild. XCSSET is a sophisticated modular macOS malware that targets users by infecting Xcode projects; it has been active since at least 2022. Microsoft observed that the malware was employed in limited attacks.

The latest variant of the XCSSET malware supports enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.

“The new XCSSET variant uses a significantly more randomized approach for generating payloads to infect Xcode projects. Both its encoding technique and number of encoding iterations are randomized. In addition, while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64.” reads the message published by the Microsoft Threat Intelligence team on X. “At its code level, the variant’s module names are also obfuscated, making it more challenging to determine the modules’ intent.”

The new variant of the malware uses two methods for persistence: the “zshrc” method, where it creates a file to launch on new shell sessions, and the “dock” method, where it downloads a tool to replace a legitimate Launchpad app with a fake one, executing both the app and malware.

The new XCSSET variant introduces multiple methods for placing its payload in a target Xcode project, including TARGET, RULE, FORCED_STRATEGY, and placing it within the TARGET_DEVICE_FAMILY key to execute at a later phase.

“Microsoft Defender for Endpoint on Mac detects XCSSET, including this latest variant. Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects.” concludes Microsoft. “They should also only install apps from trusted sources, such as a software platform’s official app store.”
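As a starting point for the project inspection recommended above, the following added example (not code from Microsoft or from the original article) scans `project.pbxproj` files in a downloaded or cloned repository for the traits the article names: build scripts that decode data with xxd or Base64, and a TARGET_DEVICE_FAMILY value that is not a plain list of integers. The patterns, function names and sample fragment are assumptions made for this illustration; a hit means the setting deserves manual review, not that the project is infected.

```python
import re
import sys
from pathlib import Path

# Heuristics chosen for this example (assumptions, not Microsoft's detection logic).
DECODERS = {
    "xxd reverse (hex decode)": re.compile(r"\bxxd\b[^\n|;]*\s-\w*r\b"),
    "base64 decode": re.compile(r"\bbase64\b[^\n|;]*\s(?:-d|-D|--decode)\b"),
    "output piped into a shell": re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b"),
}
QUOTED = r'"((?:[^"\\]|\\.)*)"'
SHELL_SCRIPT = re.compile(r"shellScript\s*=\s*" + QUOTED + r"\s*;")
DEVICE_FAMILY = re.compile(r"TARGET_DEVICE_FAMILY\s*=\s*(?:" + QUOTED + r"|([^;\n]*?))\s*;")
# Xcode normally stores device families as comma-separated integers, e.g. "1,2".
NUMERIC_LIST = re.compile(r"\d+(?:\s*,\s*\d+)*")

def scan_pbxproj(text):
    """Return (setting, reason, value) tuples that deserve manual review."""
    findings = []
    for match in SHELL_SCRIPT.finditer(text):
        # pbxproj stores scripts as one quoted string with escaped newlines/quotes.
        script = match.group(1).replace("\\n", "\n").replace('\\"', '"')
        for reason, pattern in DECODERS.items():
            if pattern.search(script):
                findings.append(("shellScript", reason, script.strip()))
    for match in DEVICE_FAMILY.finditer(text):
        value = (match.group(1) or match.group(2) or "").strip()
        if not NUMERIC_LIST.fullmatch(value):
            findings.append(("TARGET_DEVICE_FAMILY", "non-numeric value", value))
    return findings

def scan_tree(root):
    """Scan every project.pbxproj below root (a downloaded or cloned repository)."""
    return {str(p): hits for p in Path(root).rglob("project.pbxproj")
            if (hits := scan_pbxproj(p.read_text(errors="replace")))}

# Constructed sample fragment, not taken from a real infected project.
SAMPLE = r'''
    shellScript = "echo 6563686f206869 | xxd -r -p | sh\n";
    shellScript = "swiftlint lint --quiet\n";
    TARGET_DEVICE_FAMILY = "1,2";
    TARGET_DEVICE_FAMILY = "ZWNobyBoaQ==";
'''

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": scan_pbxproj(SAMPLE)}
    for path, findings in hits.items():
        for setting, reason, value in findings:
            print(f"{path}: {setting}: {reason}: {value!r}")
```

Run it with a repository path as the only argument before opening the project in Xcode; without an argument it reports on the embedded sample.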
