Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.
“Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies,” the Microsoft Threat Intelligence team said in a post shared on X.
“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files.”
XCSSET is a sophisticated modular macOS malware that’s known to target users by infecting Apple Xcode projects. It was first documented by Trend Micro in August 2020.
Subsequent iterations of the malware have been found to adapt to compromise newer versions of macOS as well as Apple’s own M1 chipsets. In mid-2021, the cybersecurity company noted that XCSSET had been updated to exfiltrate data from various apps like Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and Apple first-party apps such as Contacts and Notes.
Another report from Jamf around the same time revealed the malware’s ability to exploit CVE-2021-30713, a Transparency, Consent, and Control (TCC) framework bypass bug, as a zero-day to take screenshots of the victim’s desktop without requiring additional permissions.
Then, over a year later, it was updated again to add support for macOS Monterey. As of writing, the origins of the malware remain unknown.
The latest findings from Microsoft mark the first major revision since 2022, using improved obfuscation methods and persistence mechanisms that are aimed at challenging analysis efforts and ensuring that the malware is launched every time a new shell session is initiated.
Another novel manner XCSSET sets up persistence entails downloading a signed dockutil utility from a command-and-control server to manage the dock items.
“The malware then creates a fake Launchpad application and replaces the legitimate Launchpad’s path entry in the dock with this fake one,” Microsoft said. “This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed.”
