XCSSET: A New Variant That Targets Developers


Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a highly sophisticated modular macOS malware that injects malicious code into Xcode projects. Xcode is Apple’s integrated development environment (IDE) for macOS, which developers use to build applications for iOS, macOS, and the other platforms in Apple’s ecosystem.

XCSSET was designed to exploit software developers’ file-sharing practices and uses advanced features to steal and exfiltrate files and user information, such as digital wallet data and notes. “The new XCSSET macOS variant represents a serious threat to Apple developers, especially with its enhanced ability to hide within Xcode projects and spread when those projects are shared between teams,” said J Stephen Kowski, Field CTO at SlashNext.

New Enhancements in XCSSET

XCSSET was first detected in 2020, yet this is the first new variant identified since 2022. While it maintains some of the older characteristics, this new XCSSET variant now includes several new enhancements that make it even more sinister.

Enhanced obfuscation techniques

The new XCSSET variant obfuscates module names at the code level, making it difficult to determine a module’s intent during normal static analysis. The same obfuscation extends to the randomized way it generates the payloads it injects into Xcode projects. Previous XCSSET variants only used xxd (hex dump) for encoding, yet this new version also incorporates Base64, which makes it harder to analyze and reverse engineer.

Modular design

XCSSET’s modular design allows it to execute targeted malicious functions while maintaining flexibility and stealth. Its payloads are encoded and compartmentalized, enabling attackers to update or swap modules without altering the core malware. It also uses scripting languages, UNIX commands, and legitimate system binaries to further evade detection – and even remain fileless whenever possible – and enhance its persistence on infected macOS systems.

Advanced persistence methods

XCSSET also employs three different advanced persistence techniques, which ensure its payload runs whenever a new shell session starts, whenever a user opens a fake Launchpad application, or during Git commit actions. Further, Microsoft’s analysis found that some of the modules in the new variant’s code appear to be under development while its command-and-control (C2) infrastructure is live and distributing additional malicious modules.

These enhancements make it extremely difficult for organizations to detect and protect themselves from this emerging threat posed by XCSSET.
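The obfuscation and persistence sections above describe two things a defender can actually look for: Run Script build phases in an Xcode project that decode an embedded xxd (hex) or Base64 blob and hand it to a shell, and the same "decode then run" pattern planted in the files a new shell session sources or in a repository's Git hooks. The following is an added example written for this article, not code from Microsoft, Apple, or any of the quoted vendors. It parses the `shellScript` entries of a `project.pbxproj`, flags decode-and-execute constructs, tries to decode embedded blobs to see whether they are themselves shell or AppleScript, and applies the same check to shell profiles and Git hooks. The indicator regexes, the token list, and the sample project fragment and hook are all constructed for the example; they are generic heuristics, not signatures from the Microsoft report, and a clean result does not prove a project is uninfected.

```python
"""Heuristic scan of Xcode projects, shell profiles and Git hooks for encoded,
self-executing shell content (eval / xxd -r / base64 -d chains).
Example code for this article; not Microsoft's, Apple's, or any vendor's detection logic."""
import base64
import binascii
import re
from pathlib import Path

# Indicators of "decode, then run" shell constructs. Constructed for this example.
COMMAND_INDICATORS = {
    "xxd_reverse": re.compile(r"\bxxd\s+-r\b"),                       # hex dump -> bytes
    "base64_decode": re.compile(r"\bbase64\s+(?:-[dD]\b|--decode\b)"),  # Base64 -> bytes
    "eval": re.compile(r"\beval\b"),                                    # run generated text
}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64-looking run
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){20,}")       # long hex-looking run
# Tokens suggesting a decoded blob is itself a script rather than data (constructed list).
SHELL_TOKENS = (b"#!/bin", b"/bin/sh", b"/bin/bash", b"osascript", b"curl ", b"eval ")

_ESC = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def _unescape(s):
    # pbxproj string values escape quotes, backslashes and newlines with a backslash.
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s)


def pbxproj_shell_scripts(pbxproj_text):
    """Return the body of every Run Script build phase (shellScript value) in a project.pbxproj."""
    return [_unescape(m.group(1))
            for m in re.finditer(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"', pbxproj_text)]


def _looks_like_shell(blob):
    return any(tok in blob for tok in SHELL_TOKENS)


def assess_script(script):
    """Return indicator names found in one script; an empty list means nothing suspicious."""
    hits = [name for name, pat in COMMAND_INDICATORS.items() if pat.search(script)]
    for m in BASE64_RUN.finditer(script):
        candidate = m.group(0)
        candidate += "=" * (-len(candidate) % 4)      # tolerate stripped padding
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        if _looks_like_shell(decoded):
            hits.append("base64_embedded_shell")
    for m in HEX_RUN.finditer(script):
        if _looks_like_shell(bytes.fromhex(m.group(0))):
            hits.append("hex_embedded_shell")
    return hits


def scan_xcode_project(project_dir):
    """Scan every project.pbxproj under project_dir and the repo's Git hooks (commit persistence)."""
    findings, project_dir = [], Path(project_dir)
    for pbx in project_dir.rglob("project.pbxproj"):
        for i, script in enumerate(pbxproj_shell_scripts(pbx.read_text(errors="ignore"))):
            hits = assess_script(script)
            if hits:
                findings.append((str(pbx), f"run-script phase {i}", hits))
    hooks_dir = project_dir / ".git" / "hooks"
    for hook in hooks_dir.glob("*") if hooks_dir.is_dir() else []:
        if hook.is_file() and not hook.name.endswith(".sample"):
            hits = assess_script(hook.read_text(errors="ignore"))
            if hits:
                findings.append((str(hook), "git hook", hits))
    return findings


def scan_shell_profiles(home=None):
    """Check the startup files a new shell session sources (shell-session persistence)."""
    findings, home = [], Path(home) if home else Path.home()
    for name in (".zshrc", ".zprofile", ".zshenv", ".bash_profile", ".bashrc", ".profile"):
        p = home / name
        if p.is_file():
            hits = assess_script(p.read_text(errors="ignore"))
            if hits:
                findings.append((str(p), "shell profile", hits))
    return findings


# Constructed sample in project.pbxproj syntax: one clean Run Script phase and one that
# decodes and evals an embedded Base64 blob (a harmless stand-in, built below).
_STAGE2 = b"echo stage2; osascript -e 'display dialog \"hi\"'"
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB12CD34 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo \"Building ${PRODUCT_NAME}\"\n";
		};
		EF56AB78 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo '@@B64@@' | base64 -D)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''.replace("@@B64@@", base64.b64encode(_STAGE2).decode())
# Constructed sample Git hook using the older xxd (hex) encoding style.
SAMPLE_HOOK = "#!/bin/sh\necho " + b"/bin/sh -c 'echo stage2'".hex() + " | xxd -r -p | sh\n"

if __name__ == "__main__":
    for i, s in enumerate(pbxproj_shell_scripts(SAMPLE_PBXPROJ)):
        print(f"sample phase {i}: {assess_script(s) or 'clean'}")
    print("sample hook:", assess_script(SAMPLE_HOOK))
    print("this user's shell profiles:", scan_shell_profiles() or "clean")
```

Run it on a checkout with `scan_xcode_project("/path/to/repo")`; anything it returns deserves a manual read of the flagged phase or hook, since legitimate build scripts occasionally embed encoded data too. The check deliberately decodes candidate blobs rather than matching on the encoder name alone, because that is what lets it treat the xxd-only encoding of older XCSSET samples and the newer Base64 encoding the same way.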

Supply Chain Implications

The discovery is yet another example of the growing sophistication of macOS threats and the critical need for software developers' vigilance.

“We’ve seen an uptick in the number of sophisticated attacks against macOS systems, and this XCSSET malware is the latest example,” said Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a provider of application security solutions. “The techniques seen in this malware show that developers spent a considerable amount of time researching ways to remain undetected.”

Kowski agreed and described XCSSET’s implications for the software supply chain. “This sophisticated attack targets the software supply chain at its source, potentially compromising apps before they’re even built.”

His point was echoed by Adam McKissock, Principal Security Consultant at Black Duck. “Given the ever-increasing complexity of managing modern software application development, it stands to reason that the software development process itself becomes a more common attack vector,” he said. “Malware that targets the software build process poses not only a risk to the individual software packages in question but also introduces the potential for software supply chain attacks when code is used for other applications or when files are shared between multiple vendors.”

Experts’ Recommendations for Mitigation and Defense

The new XCSSET variant makes it clear that macOS users can no longer rely on the platform’s built-in security alone. As the malware continues to evolve to further evade detection, more proactive measures are necessary to mitigate the risk of infection.

“Gone are the days where macOS users could operate without installing antivirus or EDR software,” said Black Duck’s Richards. “To prevent these attacks from spreading, users of Xcode should make sure their endpoint protection software is up to date and runs scans to determine if they’ve been infected or not.”

Further, Kowski recommends real-time code scanning and advanced threat detection tools that can identify suspicious behaviors in development environments since “they are essential for protecting against these types of attacks.”

Staying Ahead of Emerging macOS Threats

As XCSSET continues to evolve with more sophisticated stealth and persistence techniques, macOS developers should do more to secure their development environments and processes. This new variant serves as a reminder that as attackers refine their methods, security strategies must also adapt to stay one step ahead.

Author
  • Contributing Writer
    Jason Rasmuson is a Massachusetts-based writer with more than 25 years of experience writing for the technology and cybersecurity industries. He is passionate about writing about the interaction between business…