Microsoft has uncovered a new variant of the XCSSET malware targeting macOS. According to Microsoft Threat Intelligence, this is the first update to XCSSET observed since 2022. The new version is notable for enhanced obfuscation, updated persistence mechanisms, and new infection methods.
XCSSET is a modular malware family that spreads primarily by injecting itself into Apple Xcode projects, so that building an infected project runs the malicious code. It was first documented in 2020 by Trend Micro researchers. Its operators have since adapted it to newer macOS releases and to Apple silicon (M1) Macs. The malware has been used to steal sensitive data from web browsers, messaging apps, and built-in Apple applications such as Notes and Contacts. In 2021 it exploited CVE-2021-30713, a bypass of macOS's Transparency, Consent, and Control (TCC) permission framework, to take screenshots without prompting the user for additional permissions.
The latest iteration of XCSSET employs heavier obfuscation, which makes analysis more difficult, together with new persistence techniques that ensure the payload is re-executed each time a new terminal session starts. Another technique downloads the Dockutil utility from attacker-controlled servers to manipulate items in the macOS Dock: the malware creates a counterfeit Launchpad application and repoints the Dock's Launchpad entry at it, so that clicking the icon runs the malicious code alongside the genuine Launchpad.
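The Dock-based persistence described above leaves a concrete artifact: a Launchpad tile whose application path no longer points at the system copy of Launchpad. The following script is an added example written for this page, not code from Microsoft or from the malware report. It parses a Dock plist with the standard library's plistlib and flags any Launchpad tile that does not resolve to a known system location, and it also lists lines in a shell startup file that source or execute other files, which is where a "run on every terminal session" hook would have to live. The sample plist and rc file are constructed inline for illustration; the set of genuine Launchpad paths and the assumption that the hook lives in a zsh rc file are both assumptions, so treat the output as leads for review rather than verdicts.

```python
import plistlib
import re
from urllib.parse import urlparse, unquote

# Locations where Apple ships Launchpad (assumption: covers current and
# older macOS layouts; extend if your fleet differs).
GENUINE_LAUNCHPAD = {
    "/System/Applications/Launchpad.app",
    "/Applications/Launchpad.app",
}

# Constructed sample Dock plist: the Launchpad tile has been repointed to a
# copy under the user's Library folder, as a counterfeit app would be.
SAMPLE_DOCK_PLIST = plistlib.dumps({
    "persistent-apps": [
        {"tile-data": {
            "file-label": "Safari",
            "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                          "_CFURLStringType": 15}}},
        {"tile-data": {
            "file-label": "Launchpad",
            "file-data": {"_CFURLString":
                          "file:///Users/alice/Library/Application%20Support/Launchpad.app/",
                          "_CFURLStringType": 15}}},
    ]
})

# Constructed sample zsh startup file with a line that sources a hidden file.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
[ -f ~/.zshrc_aliases ] && source ~/.zshrc_aliases
"""


def dock_app_paths(plist_bytes):
    """Return (label, filesystem path) for every persistent app tile."""
    data = plistlib.loads(plist_bytes)  # handles XML and binary plists
    tiles = []
    for tile in data.get("persistent-apps", []):
        tile_data = tile.get("tile-data", {})
        url = tile_data.get("file-data", {}).get("_CFURLString", "")
        # file:///Users/x/Some%20Dir/App.app/ -> /Users/x/Some Dir/App.app
        path = unquote(urlparse(url).path).rstrip("/")
        tiles.append((tile_data.get("file-label", ""), path))
    return tiles


def suspicious_launchpad_tiles(plist_bytes):
    """Launchpad tiles (by label or bundle name) outside the genuine paths."""
    return [
        (label, path)
        for label, path in dock_app_paths(plist_bytes)
        if (label == "Launchpad" or path.endswith("/Launchpad.app"))
        and path not in GENUINE_LAUNCHPAD
    ]


# Shell constructs that pull in or run another file at shell startup.
_EXEC_HOOK = re.compile(r"(^|[\s;&|])(source|\.|eval|exec|sh|bash|zsh|nohup)\s")


def startup_exec_lines(rc_text):
    """Lines of a shell rc file that source or execute something else."""
    hits = []
    for lineno, line in enumerate(rc_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _EXEC_HOOK.search(stripped):
            hits.append((lineno, stripped))
    return hits


if __name__ == "__main__":
    # On a live Mac, replace SAMPLE_DOCK_PLIST with the bytes of
    # ~/Library/Preferences/com.apple.dock.plist and SAMPLE_ZSHRC with ~/.zshrc.
    for label, path in suspicious_launchpad_tiles(SAMPLE_DOCK_PLIST):
        print(f"[dock] Launchpad tile '{label}' points outside system paths: {path}")
    for lineno, line in startup_exec_lines(SAMPLE_ZSHRC):
        print(f"[zshrc] line {lineno} executes external content: {line}")
```

Run it against the real files by reading `~/Library/Preferences/com.apple.dock.plist` in binary mode (plistlib accepts both binary and XML plists) and `~/.zshrc`; a Launchpad tile pointing anywhere under a user-writable directory is worth pulling the bundle for analysis, and any sourced file flagged in the rc scan should be read in full rather than trusted by name.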
Despite years of monitoring, XCSSET's origin remains unknown. The emergence of this new version shows that its operators continue to adapt the tool to evade current Apple security controls with increasingly sophisticated techniques.