New XCSSET Mac Malware Evolves: Microsoft Warns of Advanced Crypto-Stealing Threat


XCSSET Malware: New Variant Threatens macOS Users with Enhanced Capabilities

A new variant of the XCSSET macOS malware has been observed in limited, targeted attacks, its first known update since 2022. Microsoft Threat Intelligence, which identified the variant, reports that it goes after users' sensitive data, including digital wallets and the contents of the Notes app.

Key Improvements in the New Variant:
– Enhanced code obfuscation: payloads are encoded with Base64 and xxd (hexdump), with the number of encoding rounds randomised, so static signatures on the encoded blob do not hold
– Two new persistence mechanisms, referred to as the zshrc and dock methods
– New Xcode infection strategies, with TARGET, RULE, and FORCED_STRATEGY options that decide where in a project the malicious code is placed

Infection Methods and Persistence:
The malware spreads through infected Xcode projects, so it is triggered when a developer builds one. Once running, it employs two main persistence techniques:
1. zshrc Method: Drops a ~/.zshrc_aliases file containing the payload and appends a command to ~/.zshrc so the file is executed in every new shell session
2. Dock Method: Downloads a signed dockutil tool to manage Dock items, then replaces the Dock's Launchpad entry with a fake Launchpad application that launches both the real Launchpad and the payload
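The two persistence methods above translate directly into host checks. The script below is an added example, not the article's or Microsoft's code: it looks for the dropped ~/.zshrc_aliases file and any ~/.zshrc line that references it, and it parses com.apple.dock.plist for a "Launchpad" tile whose file URL resolves outside Apple's own path. The home directory, Dock plist and fake-app location it runs against are constructed in build_samples(); the exact hook line XCSSET writes and the path of its fake Launchpad are assumptions, and the Dock plist layout (persistent-apps / tile-data / file-data / _CFURLString) is the one current macOS uses.

```python
# Added example (not from the article or Microsoft's report): triage checks for the
# two XCSSET persistence methods. All sample data is constructed here; the hook line
# and the fake Launchpad path are assumptions for illustration, not real artefacts.
import os
import plistlib
import tempfile
from urllib.parse import unquote, urlparse

# Where Apple ships Launchpad (assumption: macOS 10.15+ layout). A Dock tile
# labelled "Launchpad" that resolves anywhere else deserves a look.
LEGIT_LAUNCHPAD = {"/System/Applications/Launchpad.app"}
ALIASES_NAME = ".zshrc_aliases"


def check_zshrc(home):
    """zshrc method: report the dropped ~/.zshrc_aliases file and every line of
    ~/.zshrc that references it (the hook that runs it in each new shell)."""
    findings = []
    aliases = os.path.join(home, ALIASES_NAME)
    if os.path.exists(aliases):
        findings.append(f"dropped file present: {aliases}")
    zshrc = os.path.join(home, ".zshrc")
    if os.path.exists(zshrc):
        with open(zshrc, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if ALIASES_NAME in line:
                    findings.append(f"{zshrc}:{lineno}: {line.strip()}")
    return findings


def _tile_path(tile):
    """Resolve a Dock tile's file URL (tile-data/file-data/_CFURLString) to a path."""
    url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
    return unquote(urlparse(url).path).rstrip("/")


def check_dock(plist_path):
    """Dock method: report Launchpad tiles whose app lives outside Apple's path."""
    with open(plist_path, "rb") as fh:
        dock = plistlib.load(fh)
    findings = []
    for tile in dock.get("persistent-apps", []):
        label = tile.get("tile-data", {}).get("file-label", "")
        path = _tile_path(tile)
        looks_like_launchpad = label == "Launchpad" or path.endswith("/Launchpad.app")
        if looks_like_launchpad and path not in LEGIT_LAUNCHPAD:
            findings.append(f"Dock 'Launchpad' tile points at {path}")
    return findings


def _dock_tile(label, path):
    # Minimal tile in the shape com.apple.dock.plist uses for persistent-apps.
    return {"tile-data": {"file-label": label,
                          "file-data": {"_CFURLString": f"file://{path}/",
                                        "_CFURLStringType": 15}}}


def build_samples():
    """Constructed sample data: an 'infected' home directory and Dock plist plus a
    clean Dock plist. Returns (home_dir, infected_plist, clean_plist)."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home")
    os.makedirs(home)
    with open(os.path.join(home, ALIASES_NAME), "w") as fh:
        fh.write("# constructed stand-in for the dropped payload\n")
    with open(os.path.join(home, ".zshrc"), "w") as fh:
        fh.write("export PATH=$HOME/bin:$PATH\n")
        # Assumed hook: the real malware's wording is not reproduced here.
        fh.write(f"[ -f ~/{ALIASES_NAME} ] && source ~/{ALIASES_NAME}\n")
    fake_launchpad = os.path.join(home, "Library", "Launchpad.app")  # assumed location
    infected = {"persistent-apps": [_dock_tile("Safari", "/Applications/Safari.app"),
                                    _dock_tile("Launchpad", fake_launchpad)]}
    clean = {"persistent-apps": [_dock_tile("Safari", "/Applications/Safari.app"),
                                 _dock_tile("Launchpad", "/System/Applications/Launchpad.app")]}
    paths = []
    for name, data in (("infected.plist", infected), ("clean.plist", clean)):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            plistlib.dump(data, fh, fmt=plistlib.FMT_BINARY)
        paths.append(p)
    return home, paths[0], paths[1]


if __name__ == "__main__":
    home, infected, clean = build_samples()
    for finding in check_zshrc(home) + check_dock(infected) + check_dock(clean):
        print(finding)
```

On a live machine, point check_zshrc at each user's home directory and check_dock at ~/Library/Preferences/com.apple.dock.plist for each user. A hit from check_dock should be followed by inspecting the flagged bundle's Info.plist and executable, since the fake app is built to launch the real Launchpad as well, so the user sees nothing unusual.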

Target Data:
XCSSET’s modules focus on extracting:
– Login credentials
– Chat application data
– Browser information
– Notes app content
– Digital wallet details
– System information and files

Security Implications:
The malware's track record shows the effort behind it: an earlier XCSSET variant exploited an Apple zero-day vulnerability in 2021. Microsoft advises developers to inspect and verify any Xcode projects and codebases before building them, particularly those cloned or downloaded from unofficial repositories, since building an infected project is what triggers the infection.
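Verifying a project before building it means looking at the places where arbitrary shell can run during a build: script build phases and build rules in project.pbxproj. The scanner below is an added example, not the article's or Microsoft's code, and it ties the verification advice to the obfuscation detail above (Base64 and xxd encoding): it extracts every embedded script and flags those that decode Base64 or xxd data and hand the result to an interpreter or network tool. The pbxproj text it runs over is constructed here, and the decode/execute heuristics are assumptions for illustration, not XCSSET signatures.

```python
# Added example (not the article's or Microsoft's code): first-pass scan of an Xcode
# project.pbxproj for build scripts that decode Base64/xxd data and execute it.
# SAMPLE_PBXPROJ is constructed; the heuristics are assumptions, not signatures.
import re

# Decode-then-execute patterns worth a manual look (assumed heuristics).
DECODE_RE = re.compile(r"base64\s+(?:-d|-D|--decode)|xxd\s+-r|\\x[0-9a-fA-F]{2}")
EXEC_RE = re.compile(r"\b(?:eval|sh|bash|zsh|osascript|curl)\b")

# In pbxproj text a script build phase carries `shellScript = "...";` and a build
# rule carries `script = "...";`, with the body as a quoted string using \n and \"
# escapes. The alternation below captures both kinds.
SCRIPT_RE = re.compile(
    r'\b(?P<key>shellScript|script)\s*=\s*"(?P<body>(?:[^"\\]|\\.)*)";', re.S)


def scan_pbxproj(text):
    """Return (key, snippet) for every embedded script that both decodes
    Base64/xxd data and passes it to an interpreter or network tool."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        body = m.group("body").encode().decode("unicode_escape")  # undo \n, \" escapes
        if DECODE_RE.search(body) and EXEC_RE.search(body):
            hits.append((m.group("key"), body.strip()[:80]))
    return hits


# Constructed excerpt in pbxproj syntax: one benign lint phase, one decode-and-run
# phase, one decode-and-run build rule. Not an XCSSET artefact.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "# Type a script or drag a script file from your workspace\nswiftlint\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo aGVsbG8= | base64 -D | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
/* Begin PBXBuildRule section */
		BB01 /* PBXBuildRule */ = {
			isa = PBXBuildRule;
			script = "cat \"$INPUT_FILE_PATH\" | base64 -D | sh\n";
		};
/* End PBXBuildRule section */
'''


if __name__ == "__main__":
    for key, snippet in scan_pbxproj(SAMPLE_PBXPROJ):
        print(f"{key}: {snippet}")
```

Run it over every project.pbxproj in a freshly cloned repository before the first build (for example via `git ls-files '*.pbxproj'`), and treat any hit as a reason to read the whole script rather than as a verdict; a clean result only means none of these particular patterns appeared.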

This latest evolution of XCSSET, a family that has been active for about five years, marks a clear step up in macOS malware capabilities and remains a serious threat to Apple's development ecosystem, where a single infected project can seed further infected projects.
