- Microsoft warns of new version of XCSSET InfoSteals
- It comes with new blur, infection and persist techniques
- Experts warn all users to be careful
Microsoft says it has seen a new tribe of an old macOS malware variant, one that comes with better clearing techniques, more persistence and new infection mechanisms.
In a map X -In -Post Detailed Microsoft Discovering a new version of XCSSET, which it describes as a “sophisticated modular macOS malware” that is targeted at users through infected Xcode projects.
Xcode is Apple’s official integrated development environment (idea) for creating apps on macos, iOS, iPados, Watchos and Tvos. It includes a code editor, debugger, interface builder and tools for testing and implementing apps.
Limited attacks
In essence, XCSSET is an infoTeal. It is capable of dragging system information and files, stealing digital wallet data and grabbing information from the Official Notes app. Its latest iteration comes after more than two years of being sleeping and seems to make significant improvements.
To better hide itself, XCSSET now uses a “significantly more randomized” approach to generating payload to infect Xcode projects, Microsoft explained. For Persistence, XCSSET now uses two techniques, called “ZSHRC” and “Dock”. In the first, Malware creates a file named ~/.zshrc_aliases containing the payload. It then adds a command in the ~/.ZSHRC file to make sure the created file is launched every time a new Shell session begins.
In the second, Malware downloads a signed dockutil tool from a command-and-control server to manage dock objects. It then creates a fake launchpad app and replaces the legitimate one’s post in doc. That way, when the victim runs the launch space from the dock, both the legitimate app and malware are performed.
As for infection, XCSSET now comes with new methods for where the payload is located in the Xcode project.
Microsoft said that at this point it only sees the new variant in “limited attacks” but wanted to sound the alarm on time so users and organizations can protect themselves.
“Users must always inspect and verify any Xcode projects that have been downloaded or cloned from warehouses, as malware usually spreads through infected projects,” the company concluded. “They also need to install only apps from trusted sources, such as a software platform’s official App Store.”
