Microsoft Threat Intelligence presents a technical analysis of the latest XCSSET malware variant targeting macOS developers via Xcode projects. Authored by the Microsoft Threat Intelligence team, this deep-dive highlights infection stages, persistence, and defense tactics.

Latest XCSSET Malware Variant: Technical Deep Dive and Mitigation Guidance

Author: Microsoft Threat Intelligence

Microsoft Threat Intelligence has identified a new XCSSET malware variant that targets Xcode projects, thereby impacting developers working on Apple/macOS applications. This technical analysis outlines the new modules, updated infection mechanisms, and recommends practical mitigation strategies for defenders.

Overview

  • Threat: Evolving variant of XCSSET malware
  • Target: Xcode project files (macOS dev environments)
  • Key Updates: Enhanced browser targeting, persistence mechanisms, encryption/obfuscation, and clipboard/data theft

Infection Chain

  • Four Main Stages:
    1. Initial access via infected Xcode projects
    2. Multi-phase execution to deploy malware components
    3. Downloader and loader logic
    4. Expanded functionality in the fourth-stage boot() script for module execution

Detailed screenshots and code fragments for each phase highlight technical changes versus previous versions.

Technical Analysis

Major Module Changes

1. Browser and Clipboard Targeting:

  • Detects and exfiltrates Firefox data (incl. passwords and cookies), with new checks in boot()
  • Clipboard monitoring for digital wallet addresses, auto-replacing content when specific regex patterns are detected

2. Data Exfiltration and Persistence:

  • Adds run-only compiled AppleScript payloads for stealth
  • Uses AES encryption and Base64 encoding for C2 communication
  • Sets up LaunchDaemon entries for persistence, disables certain Apple software update features
  • Deploys fake applications to masquerade its activities
  • Git-based persistence logic now encapsulated in shell functions for obfuscation

3. Info-Stealer Enhancements:

  • Downloads a Mach-O binary (modified HackBrowserData project) to target Firefox profile data
  • Uploads ZIP archives with stolen data
  • Expanded target lists and regex patterns for various wallet types

Indicators of Compromise

  • Domain IOCs (e.g. cdntor[.]ru, checkcdn[.]ru)
  • SHA-256 hashes for key payloads
  • Audit /tmp directory and LaunchDaemon files for suspicious entries
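The LaunchDaemon audit in the last bullet, written out as an added example (not code from the Microsoft post): each plist's command line is checked for /tmp staging and AppleScript execution, and a com.apple.* label is cross-checked against where its executable actually lives. The marker list, the trusted-prefix list, the function names and the two sample plists are assumptions constructed for this example.

```python
import plistlib
from pathlib import Path

# Markers in a LaunchDaemon command line that deserve a closer look on a developer Mac:
# XCSSET stages payloads under /tmp and runs compiled AppleScript. Both tuples are
# assumptions of this example, not indicator lists from Microsoft's analysis.
SUSPICIOUS_MARKERS = ("/tmp/", "osascript", ".scpt")
APPLE_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Library/Apple/")


def audit_plist(plist_bytes: bytes, name: str) -> list:
    """Return findings for one LaunchDaemon plist; an empty list means nothing flagged."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:
        return [f"{name}: unparseable plist ({exc})"]  # malformed plists merit review too
    # Everything that determines what launchd executes for this job.
    cmd = [plist["Program"]] if isinstance(plist.get("Program"), str) else []
    cmd += [a for a in plist.get("ProgramArguments", []) if isinstance(a, str)]
    joined = " ".join(cmd)
    findings = []
    hits = [m for m in SUSPICIOUS_MARKERS if m in joined]
    if hits:
        findings.append(f"{name}: command references {hits}: {joined}")
    # A com.apple.* label whose executable lives outside Apple-owned paths matches
    # the masquerading pattern described above (fake Apple components).
    if plist.get("Label", "").startswith("com.apple.") and cmd \
            and not cmd[0].startswith(APPLE_PREFIXES):
        findings.append(f"{name}: com.apple.* label but executable is {cmd[0]}")
    return findings


def audit_directory(directory: str = "/Library/LaunchDaemons") -> dict:
    """Audit every .plist in a LaunchDaemon directory; on a real Mac, run as root."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        findings = audit_plist(path.read_bytes(), path.name)
        if findings:
            results[path.name] = findings
    return results


# Constructed sample plists for offline demonstration; not real indicators.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array><string>/private/tmp/.cache/run.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    print(audit_plist(SUSPICIOUS_PLIST, "sample") or "no findings", audit_directory())
```

Run it as root on the host under review; a non-empty dictionary from audit_directory() is a list of jobs to examine by hand, not a verdict.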

Mitigation and Protection Guidance

  • Update operating systems and apply security patches promptly
  • Inspect Xcode projects before building: use only trusted sources and verify project files
  • Cautiously handle clipboard data, especially wallet addresses and sensitive information
  • Use browsers with Microsoft Defender SmartScreen for enhanced phishing/malware protection
  • Deploy Microsoft Defender for Endpoint on Mac for AV and behavioral detection
  • Enable cloud-delivered protection, sample submission, PUA protection, and network protection features in Microsoft Defender

Detection and Hunting

  • Microsoft Defender XDR detections for various observed malicious behaviors (Trojan, suspicious scripts, LaunchDaemon changes, etc.)
  • Included Kusto Query Language (KQL) hunting queries to:
    • Detect suspicious shell commands and persistence actions
    • Identify malicious app creation in temp locations
    • Catch exfiltration logic and domain IOC communication
  • Microsoft Sentinel users can map detected domains and indicators using TI analytics, with sample ASIM queries provided

References and Resources

For threat intelligence research updates, see the Microsoft Threat Intelligence Blog or follow on LinkedIn.

This post appeared first on “Microsoft Security Blog”.