Microsoft warns that the powerful XCSSET macOS malware is back with new tricks – Ars Technica
Malware Detected Warning Screen with abstract binary code 3d digital concept
XCSSET has been targeting Mac users since 2020.
Microsoft said it has detected a new variant of XCSSET, a powerful macOS malware family that has targeted developers and users since at least 2020.The variant, which Microsoft reported Monday, marked the first publicly known update to the malware since 2022. The malware first came to light in 2020, when security firm Trend Micro said it had targeted app developers after spreading through a publicly available project the attacker wrote for Xcode, a developer tool Apple makes freely available. The malware gained immediate attention because it exploited what, at the time, were two zero-day vulnerabilities, a testament to the resourcefulness of the entity behind the attacks.In 2021, XCSSET surfaced again, first when it was used to backdoor developers’ devices and a few months later when researchers found it exploiting what at the time was a new zero-day.Microsoft said it has detected the new variant in limited attacks so far. Improvements in it include:“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” Microsoft wrote. XCSSET contains multiple modules for collecting and exfiltrating sensitive data from infected devices.Microsoft Defender for Endpoint on Mac now detects the new XCSSET variant, and it’s likely other malware detection engines will soon, if not already. Unfortunately, Microsoft didn’t release file hashes or other indicators of compromise that people can use to determine if they have been targeted. A Microsoft spokesperson said these indicators will be released in a future blog post.To avoid falling prey to new variants, Microsoft said developers should inspect all Xcode projects downloaded or cloned from repositories. The sharing of these projects is routine among developers. XCSSET exploits the trust developers have by spreading through malicious projects created by the attackers.Ars Technica has been separating the signal from
the noise for over 25 years. With our unique combination of
technical savvy and wide-ranging interest in the technological arts
and sciences, Ars is the trusted source in a sea of information. After
all, you don’t need to know everything, only what’s important.
