New modular “XCSSET” malware seen attacking Apple developers

Fresh persistence and obfuscation techniques seen in dangerous XCSSET family

[Image: new macOS malware XCSSET. Image credit: https://unsplash.com/@perfectcoding]

Apple customers should be wary of a new variant of the XCSSET macOS malware attacking users in the wild, with updated infection and obfuscation methods, according to a warning from Microsoft.

Microsoft Threat Intelligence said the malware is the first new variant of XCSSET since 2022 and improves its ability to infect projects on Xcode – Apple’s integrated development environment (IDE) for developers.

XCSSET sprang to industry attention in August 2020 when researchers at Trend Micro spotted malicious code being injected into local Xcode projects so that when the project is built, the malicious code is run. The malware featured an extensive array of modules [pdf] even then. 

“We have identified affected developers who shared their projects on GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects,” it said at the time. 

"Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects" – Microsoft Threat Intelligence, February 17

Microsoft said that the upgraded XCSSET malware has only been seen in limited attacks. But it has improved its ability to hide payloads in Xcode projects and conceal them from defenders. The malware already had the ability to exfiltrate data, target digital wallets and breach the Notes app.

New XCSSET malware attacking macOS

The malware uses three options, TARGET, RULE and FORCED_STRATEGY, to choose where the payload is placed in an Xcode project, with a further method placing it under build settings in the TARGET_DEVICE_FAMILY key so that it runs at a later build phase, Microsoft said today.

New obfuscation methods have also made it harder to identify an infected Xcode project thanks to a “more randomised approach” to generating payloads, with its encoding expanded to incorporate Base64 as well as xxd (hexdump). XCSSET is now also able to deploy two techniques to ensure its persistence on infected devices, including the “dock” method that uses a redirected path entry to a macOS device’s Launchpad to ensure the payload is executed every time it is opened.
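The two placements described above, an encoded payload under the TARGET_DEVICE_FAMILY build setting and in a build-phase shell script, can be checked for with a simple scan of a project's `project.pbxproj`. The following is an added example written for this article, not Microsoft's or Trend Micro's tooling; the sample project lines are constructed, and the heuristics assume a legitimate TARGET_DEVICE_FAMILY only ever holds comma-separated integers.

```python
import re

# Constructed project.pbxproj excerpt (not from a real infected project):
# one clean target, one with shell text in TARGET_DEVICE_FAMILY, one
# build-phase script that decodes hex with xxd and runs it, one benign script.
SAMPLE_PBXPROJ = """
    buildSettings = {
        TARGET_DEVICE_FAMILY = "1,2";
        PRODUCT_NAME = "$(TARGET_NAME)";
    };
    buildSettings = {
        TARGET_DEVICE_FAMILY = "1,2; echo ZWNobyBoZWxsbw== | base64 -d | sh";
    };
    shellScript = "echo 68656c6c6f | xxd -r -p | sh";
    shellScript = "swiftlint";
"""

# Assumption: a legitimate TARGET_DEVICE_FAMILY is only comma-separated integers.
FAMILY_OK = re.compile(r'^"?\d+(\s*,\s*\d+)*"?$')
# The two encodings the article names (base64, xxd) piped straight into a shell.
DECODE_EXEC = re.compile(
    r'(base64\s+(-d|--decode|-D)|xxd\s+-r)[^;"]*\|\s*(sh|bash|zsh)\b')
# Long opaque blobs inside a build script are worth a human look on their own.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')
HEX_RUN = re.compile(r'\b[0-9a-fA-F]{24,}\b')


def scan_pbxproj(text):
    """Return (line_no, reason) findings for suspicious build settings/phases."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r'TARGET_DEVICE_FAMILY\s*=\s*(.+?);$', line)
        if m and not FAMILY_OK.match(m.group(1).strip()):
            findings.append((no, "TARGET_DEVICE_FAMILY holds non-numeric value"))
            continue
        m = re.match(r'shellScript\s*=\s*"(.*)";$', line)
        if m:
            body = m.group(1)
            if DECODE_EXEC.search(body):
                findings.append((no, "build-phase script decodes and executes data"))
            elif B64_RUN.search(body) or HEX_RUN.search(body):
                findings.append((no, "build-phase script embeds an encoded blob"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_pbxproj(SAMPLE_PBXPROJ):
        print(f"line {line_no}: {reason}")
```

Run it against a cloned project's `*.xcodeproj/project.pbxproj` before building; a hit is a prompt to read the setting by hand, not proof of infection.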

The method adds to XCSSET’s history of creating fake apps to hide the execution of its payload, with the malware using fake Xcode, Mail and Notes apps in all of its variants dating back to its initial discovery in 2020.

In other Xcode news, Apple this month open-sourced Swift-build, the engine used by Xcode, which supports millions of apps in the App Store as well as the internal build process for Apple’s own operating systems.

It published this under an Apache 2.0 licence on an open source repository that also includes support for targeting Linux and Windows.
