Full Report
Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild. "Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies," the Microsoft Threat Intelligence team said in a post shared on X. "These enhanced features add to
Analysis Summary
# Tool/Technique: XCSSET Malware Variant
## Overview
XCSSET is a sophisticated, modular Apple macOS malware, known for targeting users by infecting Apple Xcode projects. A new variant, discovered by Microsoft Threat Intelligence, features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies compared to its last known version in 2022.
## Technical Details
- Type: Malware family
- Platform: macOS
- Capabilities: Infects Xcode projects for distribution, targets digital wallets, collects data from the Notes app, exfiltrates system information and files, and has historically bypassed the TCC framework. The new variant adds enhanced obfuscation and new persistence methods.
- First Seen: First documented in August 2020. Latest variant observed as of February 2025.
## MITRE ATT&CK Mapping
* **TA0005 - Defense Evasion**
  * T1027 - Obfuscated Files or Information
* **TA0003 - Persistence**
  * T1547 - Boot or Logon Autostart Execution
    * T1547.001 - Registry Run Keys / Startup Folder (conceptual mapping; the mechanism is specific to the macOS Dock/Launchpad)
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel (implied for system info/files)
* **TA0001 - Initial Access**
  * T1192 - Application Layer Protocol (via infected Xcode projects)
## Functionality
### Core Capabilities
- Spreads via infected Apple Xcode projects.
- Targets digital wallets.
- Collects data from applications like Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, Contacts, and Notes.
- Exfiltrates system information and files.
- Adapts to newer macOS versions and M1 chipsets.
### Advanced Features
- **Enhanced Obfuscation:** New methods implemented to challenge security analysis.
- **Updated Persistence:** A novel method involves downloading a signed `dockutil` utility from a C2 server to manipulate Dock items.
- **Fake Launchpad Execution:** Replaces the legitimate **Launchpad** path entry in the Dock with a fake one, ensuring the malicious payload executes alongside the legitimate Launchpad every time Launchpad is started from the Dock.
- **TCC Evasion (Historical/Potential):** Previously documented exploiting CVE-2021-30713 (a TCC framework bypass) to take screenshots without permission.
## Indicators of Compromise
- **File Hashes:** Not provided in the context.
- **File Names:** Not provided in the context.
- **Registry Keys:** Not applicable (macOS specific persistence mechanisms used).
- **Network Indicators:** C2 servers are mentioned as the source of the signed `dockutil` utility, but no specific domains or addresses are given in the context; the source refers only generically to a command-and-control server.
- **Behavioral Indicators:**
  - Manipulation of Dock items using `dockutil`.
  - Creation of a deceptive, fake Launchpad application entry in the Dock.
  - Execution when the legitimate Launchpad icon in the Dock is clicked.
## Associated Threat Actors
- The origins of the malware remain unknown as of the report.
- No specific threat actor groups were explicitly named in relation to this *new variant* in the provided text.
## Detection Methods
- **Signature-based detection:** Not specified, but signatures based on known file characteristics and C2 communication could be used.
- **Behavioral detection:** Crucial due to enhanced obfuscation; monitoring for modifications to system launch mechanisms, especially the Dock and Launchpad entries, is key.
- **YARA rules:** Not provided in the context.
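As an added example of the behavioral check described above (not code from the Microsoft report or from any vendor), the following Python script parses a user's Dock preferences and flags any tile that presents as Launchpad but does not resolve to the system Launchpad bundle. The `com.apple.dock` key names (`persistent-apps`, `tile-data`, `file-label`, `file-data`, `_CFURLString`) are the real Dock preference keys; the legitimate bundle paths are an assumption, and the sample plist is constructed.

```python
import plistlib
from pathlib import Path
from urllib.parse import unquote, urlparse

# Where Launchpad legitimately lives (assumption: /System/Applications on
# current macOS releases, /Applications on older ones).
LEGIT_LAUNCHPAD_PATHS = {"/System/Applications/Launchpad.app", "/Applications/Launchpad.app"}


def _url_to_path(cf_url: str) -> str:
    """Normalise a Dock _CFURLString (file:///...) to a filesystem path."""
    parsed = urlparse(cf_url)
    path = unquote(parsed.path) if parsed.scheme == "file" else cf_url
    return path.rstrip("/")


def find_fake_launchpad_entries(dock_plist: bytes) -> list:
    """Return Dock tiles that present as Launchpad (by label or bundle name)
    but resolve to a path outside the legitimate Launchpad locations."""
    prefs = plistlib.loads(dock_plist)
    findings = []
    for tile in prefs.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        label = data.get("file-label", "")
        path = _url_to_path(data.get("file-data", {}).get("_CFURLString", ""))
        is_launchpad = label.lower() == "launchpad" or path.endswith("Launchpad.app")
        if is_launchpad and path not in LEGIT_LAUNCHPAD_PATHS:
            findings.append({"label": label, "path": path})
    return findings


def check_user_dock(home: str = "~") -> list:
    """Run the same check against a user's live Dock preferences (macOS only)."""
    plist = Path(home).expanduser() / "Library/Preferences/com.apple.dock.plist"
    return find_fake_launchpad_entries(plist.read_bytes())


# Constructed sample Dock preferences: a normal Safari tile and a tile that keeps
# the "Launchpad" label but points at a bundle under the user's home directory.
SAMPLE_DOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>persistent-apps</key><array>
<dict><key>tile-data</key><dict><key>file-label</key><string>Safari</string>
<key>file-data</key><dict><key>_CFURLString</key><string>file:///Applications/Safari.app/</string></dict></dict></dict>
<dict><key>tile-data</key><dict><key>file-label</key><string>Launchpad</string>
<key>file-data</key><dict><key>_CFURLString</key><string>file:///Users/alice/Library/Caches/Launchpad.app/</string></dict></dict></dict>
</array></dict></plist>"""

if __name__ == "__main__":
    for hit in find_fake_launchpad_entries(SAMPLE_DOCK_PLIST):
        print(f"suspicious Launchpad tile: {hit['label']!r} -> {hit['path']}")
```

On a live system the plist file can lag behind the preferences daemon's cached view, so feeding the output of `defaults export com.apple.dock -` to `find_fake_launchpad_entries` gives the current state.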
## Mitigation Strategies
- Always inspect and verify any Xcode projects downloaded or cloned from external repositories before use.
- Only install applications from trusted sources, such as the software platform's official app store.
- Maintain updated systems to patch known vulnerabilities (like the historical exploitation of TCC bypasses).
## Related Tools/Techniques
- Previous iterations of XCSSET.
- Malware utilizing TCC bypasses on macOS.
- Other macOS malware targeting Xcode projects.