A new variant of the XCSSET malware targeting macOS systems has been identified by Microsoft Threat Intelligence. This updated version, detected in limited attacks, introduces several advanced features aimed at enhancing its capabilities, particularly with browser targeting, clipboard hijacking, and improved persistence mechanisms.
XCSSET is recognized as a modular malware designed to steal information and cryptocurrencies, with the ability to extract data from Notes and various cryptocurrency wallets, as well as browser histories from affected devices. Its propagation relies on detecting and infecting Xcode projects, which are commonly utilized by software developers. The malware executes during the building of infected projects, capitalizing on the collaborative nature of development work for Apple or macOS applications.
Microsoft’s analysis reveals significant updates in the new malware variant, especially in its data theft strategies. It now includes functionality to extract data from Firefox by utilizing a modified version of the open-source HackBrowserData tool. This enhancement allows the malware to decrypt and export valuable browser data stored by users.
Furthermore, the malware has evolved its clipboard hijacking capabilities. The update allows it to monitor the macOS clipboard for cryptocurrency address patterns. When it detects such an address, the malware seamlessly replaces it with one controlled by the attackers. Consequently, any cryptocurrency transactions initiated by the user on an infected device could be redirected to the attackers, potentially leading to significant financial losses.
For persistence, the new variant uses techniques such as creating LaunchDaemon entries that trigger a hidden payload and planting a counterfeit System Settings.app in the /tmp directory. The look-alike bundle is meant to mask the malware's activity from users and from security tooling.
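A defender can hunt for the two persistence artifacts above on a Mac. The following script is an added example, not code from Microsoft's report: it parses LaunchDaemon plists with the standard plistlib, flags any whose program lives under a temp directory or a hidden (dot-prefixed) path, and checks the temp roots for a System Settings.app bundle. The temp roots and the hidden-path heuristic are my assumptions; the page does not give the real payload path.

```python
import os
import plistlib
import re
# Assumptions (mine, not from the report): which temp roots to watch and the
# hidden-path heuristic; the actual payload path is not given on the page.
TEMP_ROOTS = ("/tmp", "/private/tmp", "/var/tmp", "/private/var/tmp")
TEMP_PREFIXES = tuple(r + "/" for r in TEMP_ROOTS)
HIDDEN_COMPONENT = re.compile(r"(?:^|/)\.[^/]+")  # a dot-prefixed path element

def program_paths(plist: dict) -> list:
    """Every executable path a launchd plist could run: Program and argv[0]."""
    paths = [plist["Program"]] if isinstance(plist.get("Program"), str) else []
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths

def assess_plist_data(data: bytes) -> list:
    """Findings for one plist's raw bytes; an empty list means nothing odd."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a malformed daemon plist is itself worth a look
        return [f"unparseable plist: {exc}"]
    findings = []
    for p in program_paths(plist):
        if p.startswith(TEMP_PREFIXES):
            findings.append(f"program in temp dir: {p}")
        elif HIDDEN_COMPONENT.search(p):
            findings.append(f"program under hidden path: {p}")
    return findings

def scan_launch_daemons(directory: str) -> dict:
    """Map plist filename -> findings for every .plist in the directory."""
    results = {}
    names = sorted(os.listdir(directory)) if os.path.isdir(directory) else []
    for name in (n for n in names if n.endswith(".plist")):
        with open(os.path.join(directory, name), "rb") as fh:
            findings = assess_plist_data(fh.read())
        if findings:
            results[name] = findings
    return results

def fake_system_settings(roots=TEMP_ROOTS) -> list:
    """Paths of any System Settings.app bundle that sits under a temp root."""
    candidates = (os.path.join(r, "System Settings.app") for r in roots)
    return [p for p in candidates if os.path.isdir(p)]

if __name__ == "__main__":
    for name, found in scan_launch_daemons("/Library/LaunchDaemons").items():
        print(name, "->", "; ".join(found))
    for path in fake_system_settings():
        print("counterfeit bundle:", path)
```

Run it with the privileges needed to read /Library/LaunchDaemons; any hit is a lead to triage, not proof of infection, since some legitimate installers also write short-lived helpers to /tmp.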
Currently, this variant has not been widespread; Microsoft reports that its presence has only been noted in a handful of attacks. Researchers have promptly communicated their findings to Apple and are collaborating with GitHub to eliminate any associated repositories that may harbor the malware.
To mitigate risks associated with XCSSET and similar threats, users are urged to maintain updated versions of macOS and its applications. Microsoft emphasizes the importance of vigilance for developers, who should thoroughly inspect Xcode projects shared with them before proceeding with any builds, particularly as XCSSET has previously leveraged both zero-day vulnerabilities and other exploits in its operations.