Microsoft has identified a new variant of XCSSET, a notorious macOS malware family that has been targeting developers and users since 2020. This marks the first public update to the malware since 2022, showing that the attackers behind it are still actively evolving their tactics.
Background on XCSSET
XCSSET first gained attention in 2020, when Trend Micro discovered that it was spreading through malicious Xcode projects (Apple’s free development tool). The malware stood out because it exploited two zero-day vulnerabilities, showcasing the attackers’ high level of sophistication.
In 2021, XCSSET resurfaced, infecting developers’ devices and later leveraging another zero-day exploit. Now, in 2024, Microsoft reports that the malware has evolved once again, featuring new persistence, infection, and obfuscation techniques.
New Features in the Latest XCSSET Variant
Microsoft has so far observed the new variant only in limited attacks, but its enhancements make it harder to detect and remove. Key updates include:
1. New Persistence Techniques (Ensuring Continuous Infection)
- Modified .zshrc files: The malware creates a hidden file (~/.zshrc_aliases) containing malicious payloads and then modifies the ~/.zshrc file to launch the malware every time a new shell session starts.
- Fake Launchpad App: The malware replaces the legitimate Launchpad entry with a malicious version, ensuring the payload runs whenever Launchpad is opened from the macOS dock.
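The two persistence points above can be checked on a Mac with a short script. The following Python is an added example, not code from Microsoft's report or part of any product. It assumes the Dock stores pinned apps in ~/Library/Preferences/com.apple.dock.plist under persistent-apps / tile-data / file-data / _CFURLString, that Apple's Launchpad lives under /System/Applications or /Applications, and it carries a small starting allow-list of dotfiles that shells and common tools load legitimately. The sample .zshrc and Dock list inside are constructed.

```python
"""Audit the two persistence points described above: a line in ~/.zshrc that
loads a hidden payload file such as ~/.zshrc_aliases, and a Dock tile for
Launchpad that points somewhere other than Apple's own Launchpad.app.

Added example, not Microsoft's detection logic. The sample inputs are
constructed; the Dock plist layout (persistent-apps / tile-data / file-data /
_CFURLString) and the Launchpad locations are assumptions of this example."""
import os
import plistlib
import re
from typing import Dict, List

# Commands that make the shell execute the contents of another file.
_LOAD_RE = re.compile(r"(?:\b(?:source|sh|zsh|bash|eval)|(?:^|[;&|('\"])\s*\.)\s")
# A reference to a hidden file directly under the home directory.
_HIDDEN_REF = re.compile(r"(?:~|\$HOME)/\.([\w.-]+)")
# Dotfiles that shells and common tools legitimately load (starting allow-list;
# extend it for your own environment).
_KNOWN_DOTFILES = {"zshrc.local", "zprofile", "zshenv", "oh-my-zsh", "p10k.zsh",
                   "fzf.zsh", "nvm", "cargo", "rvm"}
# Where Apple ships Launchpad (assumption; adjust for your macOS version).
_LAUNCHPAD_OK = ("file:///System/Applications/Launchpad.app/",
                 "file:///Applications/Launchpad.app/")


def suspicious_zshrc_lines(zshrc_text: str) -> List[str]:
    """Return .zshrc lines that load a hidden home-directory file not on the
    allow-list. A loader line for ~/.zshrc_aliases is exactly the artifact
    the report describes; every hit still deserves a manual look."""
    flagged = []
    for raw in zshrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not _LOAD_RE.search(line):
            continue
        names = _HIDDEN_REF.findall(line)
        if any(name not in _KNOWN_DOTFILES for name in names):
            flagged.append(raw)
    return flagged


def launchpad_dock_mismatches(dock_prefs: Dict) -> List[str]:
    """Return URLs of Dock tiles that present themselves as Launchpad but do
    not point at Apple's Launchpad.app."""
    bad = []
    for tile in dock_prefs.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        url = data.get("file-data", {}).get("_CFURLString", "")
        looks_like_launchpad = "Launchpad" in label or "Launchpad.app" in url
        if looks_like_launchpad and not url.startswith(_LAUNCHPAD_OK):
            bad.append(url)
    return bad


# Constructed samples: a normal .zshrc with one injected loader line, and a
# Dock list whose Launchpad tile points into the user's Library folder.
SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
source ~/.zshrc.local
[ -s ~/.nvm/nvm.sh ] && . ~/.nvm/nvm.sh
source ~/.zshrc_aliases
"""
SAMPLE_DOCK = {"persistent-apps": [
    {"tile-data": {"file-label": "Safari",
                   "file-data": {"_CFURLString": "file:///Applications/Safari.app/"}}},
    {"tile-data": {"file-label": "Launchpad",
                   "file-data": {"_CFURLString": "file:///Users/dev/Library/Launchpad.app/"}}},
]}


def audit_home() -> Dict[str, List[str]]:
    """Run both checks against the current user's real files."""
    result: Dict[str, List[str]] = {"zshrc": [], "dock": []}
    zshrc = os.path.expanduser("~/.zshrc")
    if os.path.exists(zshrc):
        with open(zshrc, encoding="utf-8", errors="replace") as fh:
            result["zshrc"] = suspicious_zshrc_lines(fh.read())
    dock = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
    if os.path.exists(dock):
        with open(dock, "rb") as fh:
            result["dock"] = launchpad_dock_mismatches(plistlib.load(fh))
    return result


if __name__ == "__main__":
    print("sample .zshrc hits:", suspicious_zshrc_lines(SAMPLE_ZSHRC))
    print("sample Dock hits:", launchpad_dock_mismatches(SAMPLE_DOCK))
    print("this machine:", audit_home())
```

Run as is, the script first reports the hits in the constructed samples and then audits the current user's own files. A hit is a lead for manual review rather than proof of infection: open the hidden file a flagged line loads and look at what the flagged Dock tile actually points to before deciding.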
2. Enhanced Infection Methods
- Attackers can now customize when XCSSET executes its payload, using options like TARGET, RULE, or FORCED_STRATEGY.
- Another method hides the payload in the project's build settings under the TARGET_DEVICE_FAMILY key, so that it executes at a later stage of development.
3. Improved Obfuscation to Evade Detection
- Uses a more randomized approach when infecting Xcode projects, making it harder for security tools to identify the malicious code.
- Base64 encoding of module names further complicates detection efforts.
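Inspecting an Xcode project for the injection points just described can be partly automated. The following Python scanner is an added example (not Microsoft's detection logic and not an Apple tool) that reads a project.pbxproj as text and flags a TARGET_DEVICE_FAMILY value that is not the usual device-id list, a Run Script build phase that decodes or evaluates something at build time, and long base64-looking strings of the kind used for encoded module names. The project fragment inside is constructed; the command list and the 40-character blob threshold are choices of this example.

```python
"""Scan an Xcode project.pbxproj for the injection points described above: a
TARGET_DEVICE_FAMILY build setting, or a Run Script build phase, whose value
is a shell payload rather than the expected content, and base64-looking blobs
that could hide module names.

Added example, not Microsoft's or Apple's code; the project fragment below is
constructed. Hits are review leads, not verdicts."""
import os
import re
import sys
from typing import Dict, List

# A legitimate TARGET_DEVICE_FAMILY is a list of device ids, e.g. "1,2".
_DEVICE_FAMILY_OK = re.compile(r'^"?\d+(?:,\d+)*"?$')
_DEVICE_FAMILY_RE = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+);')
# Run Script phase bodies are stored as quoted strings with \" and \n escapes.
_SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')
# 40+ base64 characters in a row; pbxproj object ids are 24 hex characters,
# so ordinary project content stays below this threshold.
_BASE64_BLOB = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
# Commands that decode or fetch-and-run something at build time.
_SUSPICIOUS_CMDS = ("base64 -d", "base64 -D", "base64 --decode", "eval ",
                    "curl ", "osascript", "nohup ")


def _reasons(value: str) -> List[str]:
    """List the suspicious commands and blobs found in one setting value."""
    reasons = [c.strip() for c in _SUSPICIOUS_CMDS if c in value]
    if _BASE64_BLOB.search(value):
        reasons.append("base64-looking blob")
    return reasons


def scan_pbxproj(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious build setting or script phase."""
    findings = []
    for m in _DEVICE_FAMILY_RE.finditer(text):
        value = m.group(1).strip()
        if not _DEVICE_FAMILY_OK.match(value):
            reasons = ["not a device-family list"] + _reasons(value)
            findings.append({"where": "TARGET_DEVICE_FAMILY",
                             "reason": ", ".join(reasons), "value": value[:80]})
    for m in _SHELL_SCRIPT_RE.finditer(text):
        script = m.group(1)
        reasons = _reasons(script)
        if reasons:
            findings.append({"where": "shellScript",
                             "reason": ", ".join(reasons), "value": script[:80]})
    return findings


def scan_project(path: str) -> List[Dict[str, str]]:
    """Scan a .xcodeproj directory or a project.pbxproj file on disk."""
    if path.endswith(".xcodeproj"):
        path = os.path.join(path, "project.pbxproj")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_pbxproj(fh.read())


# Constructed project fragment: one clean configuration and one clean Run
# Script phase, plus one tampered setting and one tampered phase. The base64
# text is an encoding of "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", not a payload.
SAMPLE_PBXPROJ = r'''
/* Begin XCBuildConfiguration section */
		AB12 /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				PRODUCT_NAME = "$(TARGET_NAME)";
				TARGET_DEVICE_FAMILY = "1,2";
			};
		};
		CD34 /* Release */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				TARGET_DEVICE_FAMILY = "1,2; echo QUJDREVG | base64 -d | sh";
			};
		};
/* End XCBuildConfiguration section */
/* Begin PBXShellScriptBuildPhase section */
		EF56 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "swiftlint lint\n";
		};
		0A1B /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5 | base64 -D)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [scan_project(p) for p in targets] if targets else [scan_pbxproj(SAMPLE_PBXPROJ)]
    for findings in results:
        for f in findings:
            print(f"{f['where']}: {f['reason']} -> {f['value']!r}")
```

Pass one or more .xcodeproj paths on the command line to scan real projects; with no arguments it scans the constructed fragment. Because the scanner reads the pbxproj as plain text, it works on a freshly cloned project before Xcode opens it, which is the moment the advice below recommends inspecting shared projects.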
Previous Capabilities Still Active
In addition to these new techniques, the malware retains its previous capabilities, including:
✔ Targeting digital wallets
✔ Stealing data from the Notes app
✔ Exfiltrating system files and sensitive information
How to Stay Protected
Microsoft Defender for Endpoint on Mac can now detect the new XCSSET variant, and other security solutions are expected to follow soon. However, Microsoft has not yet released specific indicators of compromise (IoCs), such as file hashes, making independent detection difficult for now.
Microsoft advises developers to:
✔ Inspect all Xcode projects before downloading or cloning from repositories.
✔ Avoid trusting shared projects blindly, as attackers exploit this trust to distribute malware.
✔ Keep security software updated to detect evolving threats.
Final Thoughts
The XCSSET malware continues to evolve, posing a growing risk to macOS developers and users. With new stealth tactics and infection methods, it remains one of the most advanced macOS threats. Developers should remain vigilant, inspect shared Xcode projects carefully, and keep security tools updated to stay protected.