New XCSSET Variant Targets macOS with Advanced Evasion Techniques
Microsoft has identified a new variant of the XCSSET macOS malware, marking its first major update since 2022. This latest version includes enhanced obfuscation, updated persistence methods, and refined infection techniques, according to a statement from the Microsoft Threat Intelligence team on X.

Key Enhancements in the New XCSSET Variant:
✔ Stronger obfuscation to evade detection
✔ New persistence mechanisms to ensure continued execution
✔ Expanded infection strategies targeting macOS users
A History of Adaptation
XCSSET, a modular macOS malware, was first documented by Trend Micro in August 2020. Known for infecting Apple Xcode projects, it has since evolved to compromise newer macOS versions and even target Apple’s M1 chipsets.
In mid-2021, updates allowed it to steal data from Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and Apple’s first-party apps like Contacts and Notes. Around the same time, cybersecurity firm Jamf revealed that XCSSET exploited CVE-2021-30713, a Transparency, Consent, and Control (TCC) bypass bug, to take screenshots of users’ desktops without permission.
Over a year later, the malware adapted to macOS Monterey, demonstrating its resilience and evolution. However, its exact origins remain unknown.
New Evasion and Persistence Tactics
The latest variant features improved evasion techniques, making it harder to analyze and detect. A key persistence strategy involves downloading a signed dockutil utility from a command-and-control (C2) server to manage dock items.
How It Works:
✔ XCSSET creates a fake Launchpad application
✔ It then replaces the legitimate Launchpad’s dock entry with the fake version
✔ When users click Launchpad from the dock, both the real app and the malicious payload execute simultaneously
Because the payload is tied to a Dock item rather than to a visible login item, it relaunches every time the user opens Launchpad from the Dock, giving the malware durable persistence that most users would never notice. The new-shell-session trigger belongs to a second method Microsoft described alongside the dock technique: the payload is written to ~/.zshrc_aliases and a line appended to ~/.zshrc executes it whenever a new shell session starts.
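The two persistence footholds just described can both be checked from the user's own files: the Dock's persistent-apps list in ~/Library/Preferences/com.apple.dock.plist, and the startup lines in ~/.zshrc. The following Python script is an added example, not code from the article or from Microsoft's report. It flags any Dock tile that presents itself as Launchpad (by label or by Launchpad's bundle identifier, com.apple.launchpad.launcher) but resolves outside the system locations where Apple ships it, and lists any ~/.zshrc line that sources or executes a file other than the standard shell startup files. The sample Dock plist and .zshrc contents embedded below are constructed for illustration; the impostor path and bundle identifier in them are hypothetical, not real XCSSET indicators, and the allowlist of trusted prefixes and startup files is an assumption you should tune for your fleet.

```python
"""Triage checks for the two XCSSET persistence methods described above.

Added example, not code from the article or from Microsoft. Runs offline
against constructed sample data; on a real Mac it will also read the
current user's Dock preferences and ~/.zshrc.
"""
import plistlib
import re
from pathlib import Path
from urllib.parse import unquote, urlparse

# Apple ships the genuine Launchpad under /System; a tile that calls itself
# Launchpad but lives anywhere else is worth a close look. (Assumed allowlist.)
LAUNCHPAD_BUNDLE_ID = "com.apple.launchpad.launcher"
TRUSTED_APP_PREFIXES = ("/System/Applications/", "/System/Library/CoreServices/")

# Startup files zsh/bash normally chain into; anything else sourced from
# ~/.zshrc is reported for review. (Assumed allowlist.)
KNOWN_STARTUP_FILES = {".zprofile", ".zshenv", ".zshrc",
                       ".bash_profile", ".bashrc", ".profile"}
SOURCE_LINE = re.compile(r"^\s*(?:source|\.|sh|zsh|bash)\s+(\S+)")

DOCK_PLIST = Path.home() / "Library/Preferences/com.apple.dock.plist"
ZSHRC = Path.home() / ".zshrc"


def tile_path(tile_data: dict) -> str:
    """Filesystem path a Dock tile points at, or '' if it has none."""
    url = tile_data.get("file-data", {}).get("_CFURLString", "")
    return unquote(urlparse(url).path) if url else ""


def find_impostor_launchpad_tiles(plist_bytes: bytes) -> list[dict]:
    """Return Dock entries that look like Launchpad but resolve outside /System.

    Both the displayed label and the bundle identifier are checked, since a
    fake app can copy either; the decision is made on where the tile points.
    plistlib.loads accepts the binary format macOS actually writes.
    """
    dock = plistlib.loads(plist_bytes)
    hits = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        bundle = data.get("bundle-identifier", "")
        looks_like_launchpad = (label.strip().lower() == "launchpad"
                                or bundle == LAUNCHPAD_BUNDLE_ID)
        path = tile_path(data)
        if looks_like_launchpad and not path.startswith(TRUSTED_APP_PREFIXES):
            hits.append({"label": label, "bundle_id": bundle, "path": path})
    return hits


def find_zshrc_hooks(zshrc_text: str) -> list[str]:
    """Return ~/.zshrc lines that source or run a non-standard file.

    A line such as 'source ~/.zshrc_aliases' (the hook Microsoft attributed
    to the zshrc method) is reported; chaining into ~/.zprofile etc. is not.
    """
    hooks = []
    for line in zshrc_text.splitlines():
        match = SOURCE_LINE.match(line)
        if match and Path(match.group(1).strip("\"'")).name not in KNOWN_STARTUP_FILES:
            hooks.append(line.strip())
    return hooks


# Constructed sample data: one genuine Launchpad tile and one hypothetical
# impostor with the same label but a path in the user's home directory.
SAMPLE_DOCK = plistlib.dumps({"persistent-apps": [
    {"tile-type": "file-tile", "tile-data": {
        "file-label": "Safari", "bundle-identifier": "com.apple.Safari",
        "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                      "_CFURLStringType": 15}}},
    {"tile-type": "file-tile", "tile-data": {
        "file-label": "Launchpad", "bundle-identifier": LAUNCHPAD_BUNDLE_ID,
        "file-data": {"_CFURLString": "file:///System/Applications/Launchpad.app/",
                      "_CFURLStringType": 15}}},
    {"tile-type": "file-tile", "tile-data": {
        "file-label": "Launchpad", "bundle-identifier": "com.example.fake-launchpad",
        "file-data": {"_CFURLString":
                      "file:///Users/alice/Library/Application%20Support/Launchpad.app/",
                      "_CFURLStringType": 15}}},
]})

SAMPLE_ZSHRC = """\
export PATH="/opt/homebrew/bin:$PATH"
alias ll='ls -la'
source ~/.zshrc_aliases
"""


def check_this_mac() -> dict:
    """Run both checks against the current user's real files, if present."""
    result = {"dock": [], "zshrc": []}
    if DOCK_PLIST.exists():
        result["dock"] = find_impostor_launchpad_tiles(DOCK_PLIST.read_bytes())
    if ZSHRC.exists():
        result["zshrc"] = find_zshrc_hooks(ZSHRC.read_text(errors="replace"))
    return result


if __name__ == "__main__":
    print("sample dock hits:", find_impostor_launchpad_tiles(SAMPLE_DOCK))
    print("sample zshrc hooks:", find_zshrc_hooks(SAMPLE_ZSHRC))
    print("this machine:", check_this_mac())
```

A hit from the Dock check is not proof of infection on its own, but a Launchpad tile pointing into a user-writable directory has no legitimate reason to exist and should be pulled for analysis together with the app bundle it names; a flagged ~/.zshrc line should be read in full rather than deleted blindly, since the same pattern is used by many harmless dotfile managers.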
macOS Users at Risk
With its continuous evolution and advanced stealth techniques, XCSSET remains a significant threat to macOS users, developers, and businesses. Security experts urge users to stay vigilant, monitor app permissions, and keep macOS updated to mitigate risks.