
Microsoft has detected a new variant of the notorious XCSSET malware, specifically targeting macOS. According to Microsoft Threat Intelligence, this marks the first update to XCSSET since 2022. The latest version features enhanced obfuscation techniques, refined persistence mechanisms, and novel infection strategies.
XCSSET is a sophisticated, modular malware strain designed to infect Apple Xcode projects, so that it spreads when developers build and share infected projects. First identified by Trend Micro in 2020, it has since been adapted to newer macOS versions and Apple's M1 chips. Its operators have used it to steal data from browsers, messaging platforms, and Apple applications such as Notes and Contacts. In 2021 it exploited CVE-2021-30713, a bypass of macOS's TCC (Transparency, Consent, and Control) permission framework, to capture screenshots covertly without the usual screen-recording prompt.
The updated version of XCSSET now uses heavier payload obfuscation and new persistence mechanisms, making analysis more difficult while guaranteeing that the malware runs again at the start of every new terminal session: it hooks the user's zsh startup file so the payload executes whenever a shell is opened. A second persistence tactic involves fetching the dockutil utility from attacker-controlled servers to manipulate macOS Dock entries. The malware drops a counterfeit Launchpad application and repoints the Dock's Launchpad entry at it, so that clicking the Dock icon launches the malicious payload alongside the legitimate Launchpad.
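The two persistence locations described above, the shell startup file and the Dock's Launchpad tile, are both plain files an analyst can inspect offline. The following script is an added example written for this article, not code from Microsoft's report or from the malware; it parses a Dock preferences plist with the standard library's plistlib and flags any tile labelled "Launchpad" that does not point at Apple's own Launchpad.app, and it scans a .zshrc for lines that source or execute a hidden file in the home directory. The genuine Launchpad paths, the allowlist of common dotfiles, and the sample plist and .zshrc contents (including the /Users/victim/... path and the ~/.cache_helper name) are assumptions constructed for the demonstration, not indicators taken from the article.

```python
"""Heuristic checks for the two XCSSET persistence spots the article
describes: a hook in ~/.zshrc that runs on every new terminal session,
and a Dock tile labelled "Launchpad" that points at a counterfeit app.

Inputs are passed in explicitly so the checks run on collected artifacts
or on the constructed samples below. On a live Mac you would feed in
~/.zshrc and ~/Library/Preferences/com.apple.dock.plist.
"""
import plistlib
import re

# Where Apple ships Launchpad (Catalina and later, plus the older path).
# Assumption for this example: anything else under a "Launchpad" label is suspect.
LEGIT_LAUNCHPAD = {
    "/System/Applications/Launchpad.app/",
    "/Applications/Launchpad.app/",
}

# A .zshrc line that sources or executes another file: "source X", ". X", "sh X", ...
RC_EXEC_RE = re.compile(r"^\s*(?:source|\.|sh|bash|zsh)\s+(?P<target>\S+)")

# Hidden files a .zshrc commonly sources on purpose (heuristic allowlist, assumption).
RC_ALLOWLIST = (".oh-my-zsh", ".nvm", ".zprofile", ".zsh_aliases", ".p10k.zsh")


def _norm(url_or_path: str) -> str:
    """Turn a file:// URL or plain path into a path with a trailing slash."""
    path = re.sub(r"^file://", "", url_or_path)
    return path if path.endswith("/") else path + "/"


def is_genuine_launchpad(url_or_path: str) -> bool:
    """True if the Dock tile target is one of Apple's Launchpad locations."""
    return _norm(url_or_path) in LEGIT_LAUNCHPAD


def suspicious_launchpad_tiles(plist_bytes: bytes) -> list:
    """Return (label, target) for Dock tiles named Launchpad that point elsewhere."""
    dock = plistlib.loads(plist_bytes)
    hits = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        target = data.get("file-data", {}).get("_CFURLString", "")
        if label.lower() == "launchpad" and not is_genuine_launchpad(target):
            hits.append((label, target))
    return hits


def suspicious_rc_lines(zshrc_text: str) -> list:
    """Return .zshrc lines that source/execute a hidden $HOME file not on the allowlist."""
    hits = []
    for line in zshrc_text.splitlines():
        m = RC_EXEC_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("\"'")
        hidden_home_file = target.startswith(("~/.", "$HOME/."))
        if hidden_home_file and not any(a in target for a in RC_ALLOWLIST):
            hits.append(line.strip())
    return hits


# Constructed sample Dock plist: one normal tile, one Launchpad tile repointed
# at a user-writable location (the path is made up for this example).
SAMPLE_DOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>persistent-apps</key>
  <array>
    <dict>
      <key>tile-data</key>
      <dict>
        <key>file-label</key><string>Safari</string>
        <key>file-data</key>
        <dict><key>_CFURLString</key><string>file:///Applications/Safari.app/</string></dict>
      </dict>
      <key>tile-type</key><string>file-tile</string>
    </dict>
    <dict>
      <key>tile-data</key>
      <dict>
        <key>file-label</key><string>Launchpad</string>
        <key>file-data</key>
        <dict><key>_CFURLString</key><string>file:///Users/victim/Library/Caches/Launchpad.app/</string></dict>
      </dict>
      <key>tile-type</key><string>file-tile</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample ~/.zshrc with one benign source line and one appended hook.
SAMPLE_ZSHRC = """# constructed sample ~/.zshrc
export PATH="$HOME/bin:$PATH"
source ~/.oh-my-zsh/oh-my-zsh.sh
alias ll='ls -la'
source ~/.cache_helper    # stands in for a persistence hook appended to the file
"""

if __name__ == "__main__":
    for label, target in suspicious_launchpad_tiles(SAMPLE_DOCK_PLIST):
        print(f"[dock]  '{label}' tile points to {target}")
    for line in suspicious_rc_lines(SAMPLE_ZSHRC):
        print(f"[zshrc] {line}")
```

Both checks are deliberately conservative: they report entries for a human to review rather than deleting anything, since a Dock tile or an rc line can be legitimately customised. A real hunt would also pull the binary-format Dock plist with `plutil -convert xml1` before parsing and compare any flagged bundle against its code signature.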
Despite years of monitoring, the true origins of XCSSET remain unknown. This latest iteration shows once more that its operators keep refining the malware to stay ahead of Apple's evolving security measures.