
XCSSET Malware Variant

Researchers have identified a new variant of the XCSSET macOS malware, marking its first known iteration since 2022. This updated version has been observed in limited attacks, showcasing enhanced obfuscation techniques, improved persistence mechanisms and new infection strategies. These advancements build upon XCSSET's existing capabilities, which include compromising digital wallets, extracting data from the Notes app and exfiltrating sensitive system information.

A Persistent Threat Since 2020

XCSSET first came to light in August 2020 as a modular macOS threat that primarily spread by infecting Apple Xcode projects. Over time, the malware has evolved, adapting to newer macOS versions and even Apple's M1 chipsets. By mid-2021, cybersecurity researchers found that XCSSET had been modified to siphon data from various applications, including Google Chrome, Telegram, Evernote, Opera, Skype, WeChat and Apple's native applications like Contacts and Notes.

Exploiting Vulnerabilities for Surveillance

One of the more concerning aspects of XCSSET's evolution is its ability to exploit vulnerabilities to expand its reach. In 2021, researchers discovered that the malware leveraged CVE-2021-30713, a Transparency, Consent and Control (TCC) framework bypass bug. By exploiting this flaw, XCSSET could capture screenshots of the victim's desktop without needing additional permissions, demonstrating its adaptability in taking advantage of security loopholes.

Keeping Pace with macOS Updates

Even after the public exposure of its capabilities, XCSSET continued to evolve. Over a year after its 2021 update, the malware received another revision to ensure compatibility with macOS Monterey. Despite ongoing research and monitoring efforts, the origin of XCSSET remains a mystery, making it a persistent concern for macOS users.

Obfuscation and Persistence: The Latest Advancements

The latest iteration of XCSSET focuses on making detection and removal more challenging. With advanced obfuscation techniques and reinforced persistence mechanisms, the malware is designed to evade security analysis while ensuring that it remains active. One of its newest tricks is launching automatically with every new shell session, further cementing its foothold on infected systems.

Manipulating macOS Dock for Stealthy Execution

Among the novel methods XCSSET employs for persistence is manipulating the macOS Dock. The malware downloads a signed version of the dockutil utility from a Command-and-Control server to manage Dock items. It then creates a counterfeit Launchpad application and replaces the legitimate Launchpad's path in the Dock. As a result, each time a user launches Launchpad, the legitimate application and the threatening payload are executed, allowing the malware to operate undetected.
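An added defender-side example, not code from this write-up or from any XCSSET analysis: it parses a macOS Dock preferences plist (the `persistent-apps` array in `com.apple.dock.plist`) and flags tiles that present themselves as Launchpad but point somewhere other than where the genuine app is assumed to live. The sample plist, the home-directory path and the set of legitimate Launchpad locations are constructed assumptions.

```python
import plistlib
from urllib.parse import urlparse, unquote

# Assumed locations of the genuine Launchpad on recent and older macOS builds;
# anything else that calls itself "Launchpad" is treated as suspect.
LEGITIMATE_LAUNCHPAD = {"/System/Applications/Launchpad.app", "/Applications/Launchpad.app"}

def tile_path(tile):
    """Return the filesystem path a Dock tile points at, or None if it has none."""
    url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString")
    if not url:
        return None
    return unquote(urlparse(url).path).rstrip("/")

def suspicious_launchpad_tiles(dock_plist_bytes):
    """Return (label, path) for Dock apps that look like Launchpad but live elsewhere."""
    dock = plistlib.loads(dock_plist_bytes)
    findings = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        bundle = data.get("bundle-identifier", "")
        path = tile_path(tile)
        looks_like_launchpad = (
            label.lower() == "launchpad"
            or bundle == "com.apple.launchpad.launcher"
            or (path or "").lower().endswith("launchpad.app")
        )
        if looks_like_launchpad and path not in LEGITIMATE_LAUNCHPAD:
            findings.append((label, path))
    return findings

# Constructed sample Dock plist: one genuine Launchpad tile and one counterfeit
# tile that keeps the label but points into a user's home directory.
SAMPLE_DOCK = plistlib.dumps({
    "persistent-apps": [
        {"tile-data": {"file-label": "Launchpad",
                       "bundle-identifier": "com.apple.launchpad.launcher",
                       "file-data": {"_CFURLString": "file:///System/Applications/Launchpad.app/",
                                     "_CFURLStringType": 15}}},
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": "file:///Users/alice/Library/Launchpad.app/",
                                     "_CFURLStringType": 15}}},
    ]
})

if __name__ == "__main__":
    for label, path in suspicious_launchpad_tiles(SAMPLE_DOCK):
        print(f"suspicious Dock tile {label!r} -> {path}")
```

On a live Mac, pass the function the bytes of `~/Library/Preferences/com.apple.dock.plist` for the user being checked.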

A Continuing Threat with No Clear Origin

The re-emergence of XCSSET underscores the adaptability and resilience of macOS threats. With each new version, it refines its tactics to stay ahead of security defenses, making ongoing vigilance essential. While its origins remain unknown, one thing is clear: XCSSET continues to be a formidable challenge for cybersecurity professionals and macOS users alike.
