A new version of a well-known macOS malware called XCSSET has been discovered by cybersecurity researchers. This updated variant of XCSSET has been observed in limited attacks and includes several significant changes. It now has updated browser targeting, clipboard hijacking, and new persistence mechanisms. The new malware uses advanced encryption and obfuscation techniques, and it runs stealthily with run-only compiled AppleScripts. The updated version also expands its data theft capabilities to include data from Firefox.
The XCSSET malware is highly sophisticated and modular, designed to infect Xcode projects used by software developers. Once infected, the malicious capabilities of the malware are unleashed when the Xcode project is built. While the exact distribution method is not clear, it’s suspected that the malware spreads through Xcode project files shared among developers building apps for macOS. In March, Microsoft uncovered several enhancements to the malware, including improved error handling and the use of three different persistence techniques to steal sensitive data from compromised computers.
The latest version of XCSSET includes a new clipper sub-module. This module monitors the clipboard for specific patterns that match various cryptocurrency wallets. When a match is found, the malware replaces the legitimate wallet address in the clipboard with an address controlled by the attacker. This allows the attacker to redirect cryptocurrency transactions to their own wallet. This new feature highlights the evolving nature of the malware and its focus on financial gain.
In addition to the new clipper sub-module, the new version of XCSSET also changes the fourth stage of its infection chain. In this stage, an AppleScript application is used to run a shell command. This command fetches a final-stage AppleScript, which is responsible for collecting system information and launching various sub-modules using a boot() function. These changes make the malware more effective at its tasks and harder to detect.
The discovery of this new XCSSET variant shows how malware constantly evolves. Developers and users of macOS should be aware of this threat and take steps to protect themselves. This includes being careful when sharing and downloading Xcode projects and keeping their systems and software updated. Continuous vigilance and awareness are key to combating these types of sophisticated cyber threats.
Reference:
