Full Report
In a report released on Monday, threat intelligence specialists at Microsoft said that they have discovered the new XCSSET strain in limited attacks. XCSSET, first spotted in the wild in August 2020, spreads by infecting Xcode projects, which developers use to create apps for Apple devices.
Analysis Summary
# XCSSET Variant Discovery and Attack Analysis
This summary focuses on the discovery of an updated variant of the XCSSET malware, as reported by Microsoft threat intelligence specialists.
## Key Points
- A new strain of XCSSET malware was discovered active in limited attacks.
- XCSSET was initially observed in August 2020.
- The malware specifically targets **Xcode projects**, which are used by developers to create applications for Apple devices.
- The new variant features updated capabilities designed to **evade detection** and **persist** within victim networks.
- The payload's capabilities mirror those of the earlier version: stealing **digital wallet** information, exfiltrating data from the **Notes app**, and collecting **system information and files**.
## Threat Actors
- Attribution for the newly discovered variant is **not specified** in Microsoft's report as summarized here.
- Security experts have linked earlier attacks of a similar kind (macOS malware aimed at developers and cryptocurrency holders) to **state-sponsored hackers from North Korea**, but no such link is confirmed for this variant.
## TTPs
- **Initial Access/Propagation:** Spreads by **infecting Xcode projects** that are then shared, downloaded or cloned from repositories; the injected code runs when an unsuspecting developer builds the project.
- **Defense Evasion:** The new variant includes updated features designed to **evade detection**.
- **Persistence:** The malware is designed to **persist on compromised systems** so that it survives beyond the build that first executed it.
- **Actions on Objectives:** Stealing cryptocurrency/digital wallet data, data exfiltration (Notes app data, system information, files).
## Affected Systems
- **Operating System:** macOS systems (implied, as Xcode is used for Apple device app development).
- **Target Software:** **Xcode projects** (used by developers).
- **Data Targets:** Digital wallets, Notes application data, system information and files.
## Mitigations
- **Source Verification:** Users **must inspect and verify any Xcode projects** downloaded or cloned from repositories before building them, since building an infected project is what executes the malware.
- **Trusted Sources:** Users should **only install applications from trusted sources**, such as an official app store platform.
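The page says to inspect Xcode projects but not what to look for. Public analyses of XCSSET (Trend Micro's 2020 write-up and Microsoft's reporting) describe the injection point as script code planted in the project's build phases inside `project.pbxproj`, which is an old-style plist that `plistlib` cannot read. The following scanner is an added example, not tooling from Microsoft or from the original page: it walks the `objects` dictionary with a small brace-aware reader, pulls out every `PBXShellScriptBuildPhase`, and flags scripts matching a set of heuristics (decoding with `base64`/`xxd`, `eval`, downloads piped to a shell, `osascript`, hidden directories). The heuristics and the embedded `SAMPLE_PBXPROJ` fragment are assumptions constructed for the example, not indicators taken from a real infected project.

```python
"""Scan an Xcode project.pbxproj for suspicious Run Script build phases.

Added example: the patterns below are heuristics chosen for illustration,
not published XCSSET indicators. The sample project file is constructed.
"""
import re
import sys

# Constructed project.pbxproj fragment: one benign Run Script phase, one phase
# that decodes and evals a payload from a hidden directory, plus a nested
# buildSettings dict to show the reader copes with nesting.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Bump build number";
			shellPath = /bin/sh;
			shellScript = "echo \"Build $(date)\"\nagvtool next-version -all\n";
		};
		D4E5F6 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "eval \"$(base64 -d \"$SRCROOT/Assets.xcassets/.payload/x.b64\")\"\n";
		};
/* End PBXShellScriptBuildPhase section */
		C0FFEE /* Debug */ = {
			isa = XCBuildConfiguration;
			buildSettings = {
				PRODUCT_NAME = "$(TARGET_NAME)";
			};
			name = Debug;
		};
	};
}
'''

# (pattern, reason) pairs applied to the unescaped script text. Assumptions
# for the example; tune them for your own projects (e.g. ".git/" will trip the
# hidden-directory rule).
SUSPICIOUS = [
    (re.compile(r"\bbase64\s+(-d|-D|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\bxxd\s+-r\b"), "hex-decoded payload"),
    (re.compile(r"\beval\b"), "eval of generated code"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "download piped to shell"),
    (re.compile(r"\bosascript\b"), "AppleScript execution"),
    (re.compile(r"(^|[\s/])\.[A-Za-z0-9_]+/"), "hidden directory path"),
]

# An object entry: optional section comments, the object id, optional
# trailing comment, then "= {".
_ENTRY_RE = re.compile(r"\s*(?:/\*.*?\*/\s*)*([0-9A-Za-z]+)\s*(?:/\*.*?\*/)?\s*=\s*\{", re.S)


def _split_objects(pbxproj):
    """Yield (object_id, body) for each entry of the top-level `objects` dict."""
    start = pbxproj.find("objects = {")
    if start == -1:
        return
    i = pbxproj.index("{", start) + 1
    while True:
        m = _ENTRY_RE.match(pbxproj, i)
        if not m:
            return
        depth, j, in_str = 1, m.end(), False
        while depth:  # walk to the matching close brace, ignoring braces in strings
            c = pbxproj[j]
            if in_str:
                if c == "\\":
                    j += 1  # skip the escaped character
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            j += 1
        yield m.group(1), pbxproj[m.end():j - 1]
        semi = pbxproj.find(";", j)
        i = semi + 1 if semi != -1 else j


def _unescape(s):
    """Undo pbxproj string escapes (\\" \\n \\t \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def find_suspicious_build_phases(pbxproj):
    """Return [{'id', 'name', 'reasons', 'script'}] for flagged shell-script phases."""
    findings = []
    for obj_id, body in _split_objects(pbxproj):
        if not re.search(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", body):
            continue
        m = re.search(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', body, re.S)
        script = _unescape(m.group(1)) if m else ""
        name = re.search(r'name\s*=\s*"?([^";]*)"?\s*;', body)
        reasons = [why for pat, why in SUSPICIOUS if pat.search(script)]
        if reasons:
            findings.append({"id": obj_id, "name": name.group(1) if name else "",
                             "reasons": reasons, "script": script})
    return findings


def scan_file(path):
    with open(path, encoding="utf-8") as f:
        return find_suspicious_build_phases(f.read())


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_suspicious_build_phases(SAMPLE_PBXPROJ)
    for r in results:
        print(f"[!] phase {r['id']} ({r['name']}): {', '.join(r['reasons'])}")
        print("    " + r["script"].strip().replace("\n", "\n    "))
```

Run it as `python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj` on a freshly cloned project, or with no argument to scan the constructed sample. Pair it with `git diff -- '*.pbxproj'` after any pull: XCSSET's infection is a modification of this file, so an unexpected change to build phases on a project you did not edit is itself the signal, regardless of whether the injected script matches any heuristic.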
## Conclusion
The emergence of an updated XCSSET variant underscores a persistent threat to the macOS development ecosystem, potentially leading to cryptocurrency theft and significant data loss for developers. Developers relying on external source repositories for Xcode projects must adhere strictly to verification protocols to prevent initial infection.