Microsoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections and data theft.
Cybersecurity researchers at Microsoft Threat Intelligence have identified a new strain of the XCSSET malware targeting macOS users. This modular malware goes after Apple developers specifically: it infects Xcode projects, the project files developers use to build applications with Apple’s Xcode IDE, so that the malware runs whenever an infected project is built.
While the current spread of this updated version appears limited, experts are urging developers and organizations to implement precautionary measures to safeguard their systems.
What is XCSSET?
XCSSET was first documented by Trend Micro in 2020 and has since become known for its stealth. The latest version builds on its predecessor’s capabilities with major changes to its design that make it harder to detect and harder to remove.
According to Microsoft’s findings, the new variant comes equipped with advanced obfuscation techniques, more sophisticated persistence mechanisms, and updated methods for infecting systems. These upgrades make XCSSET a persistent and stealthy threat that can carry out a mix of different malicious activities, including targeting digital wallets, stealing data from the Notes app, stealing sensitive system information, and exfiltrating files.
Harder to Detect
One of the main capabilities of this new XCSSET variant is its focus on evasion. To avoid detection by anti-virus and other security tools, the malware generates its payloads with randomized encoding: both the encoding technique and the number of encoding iterations vary from one generation to the next, so encoded payloads do not share a fixed pattern that a static signature or a researcher could rely on.
What’s more, older versions of XCSSET relied on a single tool, xxd (a hex dump utility), to encode their payloads. The latest version additionally uses Base64 encoding, further complicating analysis. Even the names of the malware’s modules have been obfuscated, making it difficult to discern their purpose or function within the code.
Harder to Remove
The new XCSSET variant employs two new methods to ensure it remains active on infected systems, even after a reboot or user logout.
- “zshrc” Method: The malware writes its payload to a hidden file, ~/.zshrc_aliases, and then modifies the user’s ~/.zshrc configuration file, adding a command that loads that file whenever a new shell session starts. Since ~/.zshrc is read by every new interactive zsh session, the payload runs in the background each time the user opens a terminal.
- “Dock” Method: This approach hijacks the macOS Dock. The malware downloads a signed copy of the “dockutil” utility from its command-and-control server and uses it to modify the Dock items. It replaces the Dock’s legitimate Launchpad entry with a fake Launchpad application, so that whenever the user opens Launchpad from the Dock, the malicious payload is executed alongside the real Launchpad.
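The two persistence methods above leave artifacts in files a user can read without special tooling: a line in ~/.zshrc that loads ~/.zshrc_aliases, and a Launchpad tile in the Dock preferences whose bundle path is no longer Apple’s. The following script is an added example written for this article (it is not code from the original page, from Microsoft or from the malware itself) that checks both. It assumes the file names exactly as described above, and the sample zshrc and Dock plist inputs used in its test are constructed, not captured from an infection.

```shell
#!/bin/sh
# Added example: two read-only checks for the XCSSET persistence methods described above.
# Run on a Mac against your own files with:  sh xcsset_persistence_check.sh --live

# 1. "zshrc" method: look for the ~/.zshrc_aliases hook in a zsh startup file.
#    Prints every line that sources another file (for manual review) and any line that
#    references .zshrc_aliases. Returns 1 if the indicator was found, 0 otherwise.
check_zshrc_hook() {
    rc_file="$1"
    [ -f "$rc_file" ] || { echo "no such file: $rc_file"; return 0; }
    echo "== $rc_file: files loaded at shell start =="
    grep -nE '(^|[[:space:];&|])(source|\.)[[:space:]]+' "$rc_file" || echo "(none)"
    hits=$(grep -nF '.zshrc_aliases' "$rc_file" || true)
    if [ -n "$hits" ]; then
        echo "SUSPICIOUS: $rc_file loads .zshrc_aliases:"
        echo "$hits"
        return 1
    fi
    return 0
}

# 2. "Dock" method: given the Dock preferences as an XML plist (defaults export com.apple.dock -),
#    pair each tile's file-label with its _CFURLString and flag a "Launchpad" tile whose bundle
#    is not Apple's (/System/Applications/Launchpad.app on current macOS, /Applications on older).
#    Returns 1 if such a tile was found, 0 otherwise.
check_dock_plist() {
    awk '
        /<key>_CFURLString<\/key>/ { want_url = 1; next }
        want_url && /<string>/ {
            url = $0; sub(/.*<string>/, "", url); sub(/<\/string>.*/, "", url)
            want_url = 0; next
        }
        /<key>file-label<\/key>/ { want_label = 1; next }
        want_label && /<string>/ {
            label = $0; sub(/.*<string>/, "", label); sub(/<\/string>.*/, "", label)
            want_label = 0
            if (url != "") { print label "\t" url }
            url = ""; next
        }
    ' "$1" | awk -F '\t' '
        $1 == "Launchpad" && $2 !~ /^file:\/\/\/(System\/)?Applications\/Launchpad\.app\/?$/ {
            print "SUSPICIOUS: Dock Launchpad tile points to " $2; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Live run against the current user's own files (macOS only).
if [ "${1:-}" = "--live" ]; then
    check_zshrc_hook "$HOME/.zshrc"
    dock_plist=$(mktemp)
    defaults export com.apple.dock - > "$dock_plist"
    check_dock_plist "$dock_plist"
    rm -f "$dock_plist"
fi
```

Both checks deliberately only read and report; if either flags something, treat the machine as compromised and preserve the files before cleaning, since the contents of ~/.zshrc_aliases and the fake Launchpad bundle are the evidence.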
Targeting Xcode Projects
As its name suggests, XCSSET primarily targets Xcode, Apple’s powerful integrated development environment (IDE) for macOS. The malware infiltrates Xcode projects using one of three placement strategies: TARGET, RULE, or FORCED_STRATEGY. These strategies determine how and where the malicious payload is embedded within the project files.
Additionally, the payload can be placed in the TARGET_DEVICE_FAMILY key within the project’s build settings, from where Microsoft reports it is executed during a later phase of the build. A key that normally holds nothing more than a short list of device-family numbers is an unlikely place to look for executable code, which is what makes it a useful hiding spot.
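Since the project file (project.pbxproj inside the .xcodeproj bundle) is plain text, the places where a project can run arbitrary shell during a build, and the TARGET_DEVICE_FAMILY key just mentioned, can be audited with standard tools. The script below is an added example for this article, not code from the page, from Microsoft or from the malware. It dumps every run-script build phase (shellScript) and build rule (script) for review and flags two things: a script that mentions the encoders and downloaders described earlier (xxd, base64, curl and similar; this word list is a heuristic assumption, not a published XCSSET signature) and a TARGET_DEVICE_FAMILY value that is not a plain list of device-family numbers such as "1,2". The sample project fragments used in its test are constructed.

```shell
#!/bin/sh
# Added example: read-only audit of an Xcode project.pbxproj for injected build-time code.
# Usage:  sh audit_pbxproj.sh --audit path/to/App.xcodeproj/project.pbxproj [...]

# Prints the audit to stdout; returns 1 if anything was flagged, 0 if nothing was.
audit_pbxproj() {
    awk '
        # Every run-script build phase (shellScript) and build rule (script) is printed so a
        # reviewer can read it; one that decodes or downloads code is flagged.
        # The word list is a heuristic assumption based on the tools the article names.
        /^[[:space:]]*(shellScript|script) = / {
            printf "line %d: %s\n", NR, $0
            if ($0 ~ /xxd|base64|curl|wget|eval|osascript|\/tmp\//) {
                print "  SUSPICIOUS: encoder/downloader in build script"; bad++
            }
            next
        }
        # TARGET_DEVICE_FAMILY normally holds only device-family numbers, e.g. "1,2";
        # anything else in that value deserves a close look.
        /TARGET_DEVICE_FAMILY = / {
            v = $0
            sub(/.*TARGET_DEVICE_FAMILY = /, "", v)
            sub(/;[[:space:]]*$/, "", v)
            gsub(/"/, "", v)
            if (v !~ /^[0-9,]+$/) {
                printf "  SUSPICIOUS: TARGET_DEVICE_FAMILY on line %d is not a device list: %s\n", NR, v
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Live run over one or more project files given on the command line.
case "${1:-}" in
    --audit)
        shift
        for pbx; do
            echo "== $pbx =="
            audit_pbxproj "$pbx" || echo "FINDINGS in $pbx"
        done
        ;;
esac
```

To cover every project on a development machine, feed the script the output of `find ~ -name project.pbxproj` and read each printed build script rather than relying on the flags alone: a legitimate project may call base64 for its own reasons, and an injected script is not obliged to use a tool on the list.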
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information…
— Microsoft Threat Intelligence (@MsftSecIntel) February 17, 2025
How to Protect Yourself
If you are an Apple developer or a macOS user in general, here are some simple yet vital tips to protect your devices from XCSSET malware:
- Inspect Xcode Projects: Always review and verify Xcode projects, especially if they are downloaded from external repositories or shared by third parties.
- Stick to Trusted Sources: Download apps and tools exclusively from official Apple channels or reputable software platforms. Avoid third-party app stores or unofficial downloads.
- Stay Updated: Apply macOS and Xcode updates promptly and follow the latest security advisories from Microsoft, Apple, and other cybersecurity organizations.