Microsoft Sounds Alarm on macOS Malware Stealing Crypto Assets

Introduction

A new and more advanced variant of the XCSSET macOS modular malware has surfaced, marking a significant development in its evolution. This malware, which primarily targets Apple users, has been active for at least five years. The latest improvements indicate a renewed focus on enhancing its capabilities for data theft, particularly targeting sensitive information such as digital wallets and data from the Notes application.

Discovered by Microsoft's Threat Intelligence team, this updated variant boasts better persistence mechanisms, improved code obfuscation, and innovative infection strategies, making it a more formidable threat. This article delves into the new XCSSET variant, its impact, infection techniques, persistence mechanisms, and security recommendations for macOS users.

Background on XCSSET Malware

First discovered in 2020, XCSSET is a unique malware family that primarily spreads through compromised Xcode projects. Xcode is Apple's official integrated development environment (IDE) for macOS, iOS, watchOS, and tvOS application development. The malware infiltrates developers' systems by injecting malicious payloads into Xcode projects, which then propagate to others when the infected project is shared.

Historically, XCSSET has demonstrated remarkable adaptability, utilizing various techniques to bypass Apple's security measures, steal credentials, exfiltrate sensitive data, and even exploit macOS zero-day vulnerabilities. One of its most infamous attacks was in 2021 when it exploited a zero-day vulnerability in Safari, allowing it to steal cookies and bypass authentication.

The latest variant of XCSSET represents the first major update since 2022 and introduces sophisticated techniques to evade detection, improve persistence, and expand its attack surface.

New XCSSET Variant: What's Different?

Microsoft's latest research highlights several enhancements in this new variant, making it significantly more difficult to detect and analyze. The key improvements include:

1. Enhanced Obfuscation Techniques

One of the most notable changes in this variant is its advanced obfuscation strategy. The malware now employs encoding techniques using both Base64 and xxd (hexdump), with varying levels of iteration. This makes it harder for security researchers to reverse-engineer and analyze the code's intent.

Additionally, module names within the malware are now obfuscated, making it more challenging to determine their functionality through static analysis. This level of obfuscation demonstrates the malware developer's sophistication and their attempt to evade modern security tools.

2. Improved Persistence Mechanisms

Persistence is a crucial factor for malware survival. The new XCSSET variant employs two primary persistence techniques:

zshrc Method: This method involves creating a file named ~/.zshrc_aliases, which contains the malicious payload. A command is then appended to the ~/.zshrc file, ensuring that the payload is executed every time a new shell session starts.

Dock Method: The malware downloads a signed version of the dockutil tool from its command-and-control (C2) server, enabling it to manipulate macOS dock items. It then creates a fake Launchpad application containing the malicious payload while pointing the legitimate app's path to this fake one. As a result, launching the app from the dock unknowingly executes both the real application and the malware.

3. New Xcode Infection Methods

The malware has expanded its infection strategy by leveraging different Xcode project settings, including:

Using TARGET, RULE, or FORCED_STRATEGY options to embed the payload in an Xcode project.

Modifying the TARGET_DEVICE_FAMILY key within the project's build settings, ensuring the payload is executed at a later stage.

This approach allows the malware to remain hidden while waiting for an opportunity to execute, increasing the likelihood of widespread infection among developers and end-users.

4. Data Theft and Exfiltration

Like its predecessors, the new XCSSET variant is designed to exfiltrate a wide range of sensitive information. Some of the targeted data includes:

Login Credentials: The malware can steal login credentials stored in browsers and keychains.

Digital Wallets: Cryptocurrency wallets are prime targets, as attackers seek to drain funds from compromised accounts.

Notes App Data: Users often store sensitive information, including passwords and personal notes, within Apple's Notes app.

Chat Applications: The malware can extract messages and authentication tokens from popular macOS chat applications.

System Information and Files: XCSSET scans for valuable files and system configurations that may aid in further attacks.

How XCSSET Spreads

XCSSET relies on compromised Xcode projects to propagate. Here's how it typically spreads:

Developer Downloads a Compromised Xcode Project: The malware is embedded within an Xcode project shared through public repositories or third-party sites.

Developer Builds the Project: Once built, the malicious payload executes and infects the system.

Persistence is Established: The malware sets up persistence mechanisms to survive system reboots.

Data Collection and Exfiltration: The malware starts scanning the system for valuable data and sends it to the attacker's C2 server.

Further Infection: If the infected project is shared with other developers, the malware spreads to new victims.

This infection method is particularly dangerous because developers often trust open-source code repositories and may unknowingly introduce malware into their projects.

Mitigation Strategies and Security Recommendations

Given the sophisticated nature of this malware, macOS users - especially developers - should adopt strong security measures to prevent infection.

1. Verify Xcode Projects

Only download Xcode projects from trusted sources.

Before building a project, inspect its files and scripts for any unusual or suspicious code.

Use a sandbox environment to test new projects before executing them on your main system.

2. Monitor System Behavior

Be vigilant about new applications appearing in your Launchpad or dock.

Check for unusual entries in ~/.zshrc or other startup scripts.

Regularly review installed applications and running processes for anomalies.

3. Keep macOS and Security Software Updated

Ensure that macOS and Xcode are updated to the latest versions.

Use reputable antivirus software to detect and block potential threats.

Enable System Integrity Protection (SIP) to prevent unauthorized modifications.

4. Avoid Running Untrusted Scripts

Be cautious when running shell scripts or executing commands provided by third parties.

Verify the integrity of downloaded software by checking hashes and digital signatures.

5. Implement Strong Authentication

Use two-factor authentication (2FA) for accounts and password managers.

Store sensitive information in encrypted formats rather than plaintext notes.

Conclusion

The resurgence of XCSSET with enhanced capabilities underscores the evolving threat landscape for macOS users. By improving obfuscation, persistence, and infection techniques, the malware's operators have made it more difficult to detect and mitigate.

Given the increasing reliance on Xcode and open-source projects, developers must remain cautious when integrating external code into their workflows. By following security best practices and maintaining vigilance, users can reduce the risk of falling victim to this advanced malware variant.