
Novel XCSSET macOS malware variant emerges


Limited attacks using a novel, stealthier variant of the XCSSET macOS malware, aimed at stealing cryptocurrency wallets and data from the Notes app, have been underway nearly three years after the modular backdoor was last updated, BleepingComputer reports.

Aside from adopting enhanced base64- and hexdump-based obfuscation, the updated XCSSET has been modified to support two persistence mechanisms, zshrc and dock, according to the Microsoft Threat Intelligence team. The zshrc method deploys a file that runs at the start of every new shell session. The dock method downloads a signed copy of the dockutil tool to manage dock items; XCSSET then creates a malicious Launchpad app and substitutes it for the legitimate app's path in the dock, so that opening Launchpad executes both the real app and the malware. Operators of XCSSET have also added new TARGET, RULE and FORCED_STRATEGY methods for placing the payload inside compromised Xcode projects, Microsoft Threat Intelligence researchers said in a post on X, formerly Twitter. Organizations have been urged to inspect and verify their Xcode projects and codebases for concealed backdoors.
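The two persistence mechanisms described above each leave a checkable trace on the host: a hook in ~/.zshrc, and a Dock tile labelled Launchpad whose target is no longer the system Launchpad app. The script below is an added hunting example written for this page; it is not code from Microsoft, BleepingComputer or SC Media, and it does not reproduce XCSSET's actual file names. The shell-rc heuristics, the set of legitimate Launchpad paths, the bundle identifier and the sample inputs are assumptions, and the two samples are constructed, not captured from an infection.

```python
"""Hunt for XCSSET-style persistence traces on macOS.

Added example, not code from the article or from Microsoft. Heuristics, the
expected Launchpad locations and the sample data below are assumptions.
"""
import plistlib
import re

# Assumption: where the real Launchpad app lives. macOS 10.15+ keeps it under
# /System/Applications; the older /Applications path is kept for completeness.
LEGIT_LAUNCHPAD_URLS = {
    "file:///System/Applications/Launchpad.app/",
    "file:///Applications/Launchpad.app/",
}
LAUNCHPAD_BUNDLE_ID = "com.apple.launchpad.launcher"  # assumption

# Heuristic (assumption): flag rc lines that source a hidden file other than the
# usual shell dotfiles, or that decode/download-and-execute content at startup.
KNOWN_RC_FILES = {".zshrc", ".zprofile", ".zshenv", ".zlogin",
                  ".profile", ".bash_profile", ".bashrc"}
SOURCE_RE = re.compile(r"^(?:source|\.)\s+(?P<path>\S+)")
EXEC_RE = re.compile(
    r"(?:^|[\s;&|(])(?:osascript|base64\s+(?:-d|-D|--decode)"
    r"|curl\b.*\|\s*(?:sh|bash|zsh)\b)"
)


def suspicious_zshrc_lines(text):
    """Return (line_number, line) pairs that look like shell-startup hooks."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SOURCE_RE.match(line)
        if m:
            name = m.group("path").rstrip("/").rsplit("/", 1)[-1]
            if name.startswith(".") and name not in KNOWN_RC_FILES:
                hits.append((n, line))
                continue
        if EXEC_RE.search(line):
            hits.append((n, line))
    return hits


def dock_launchpad_anomalies(plist_bytes):
    """Return target URLs of Dock tiles that claim to be Launchpad but point
    somewhere other than the real app. Accepts XML or binary plist bytes, so
    ~/Library/Preferences/com.apple.dock.plist can be passed in directly."""
    dock = plistlib.loads(plist_bytes)
    anomalies = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        looks_like_launchpad = (
            data.get("file-label") == "Launchpad"
            or data.get("bundle-identifier") == LAUNCHPAD_BUNDLE_ID
        )
        url = data.get("file-data", {}).get("_CFURLString", "")
        if looks_like_launchpad and url not in LEGIT_LAUNCHPAD_URLS:
            anomalies.append(url)
    return anomalies


# Constructed sample ~/.zshrc (not a real capture): line 4 sources an
# unexpected hidden file, which is the pattern the zshrc heuristic flags.
SAMPLE_ZSHRC = """# constructed sample
export PATH="$HOME/bin:$PATH"
source ~/.zprofile
source ~/.zshrc_cache
alias ll='ls -la'
"""

# Constructed sample Dock plist in the same shape as `defaults export
# com.apple.dock -`: Safari is normal, the Launchpad tile points into
# the user's home directory instead of the system app.
SAMPLE_DOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>persistent-apps</key><array>
<dict><key>tile-data</key><dict>
<key>file-label</key><string>Safari</string>
<key>bundle-identifier</key><string>com.apple.Safari</string>
<key>file-data</key><dict>
<key>_CFURLString</key><string>file:///Applications/Safari.app/</string>
<key>_CFURLStringType</key><integer>15</integer></dict></dict></dict>
<dict><key>tile-data</key><dict>
<key>file-label</key><string>Launchpad</string>
<key>bundle-identifier</key><string>com.apple.launchpad.launcher</string>
<key>file-data</key><dict>
<key>_CFURLString</key><string>file:///Users/alice/Library/Launchpad.app/</string>
<key>_CFURLStringType</key><integer>15</integer></dict></dict></dict>
</array></dict></plist>
"""

if __name__ == "__main__":
    print("zshrc hits:", suspicious_zshrc_lines(SAMPLE_ZSHRC))
    print("dock anomalies:", dock_launchpad_anomalies(SAMPLE_DOCK_PLIST))
```

On a real host, feed `open(os.path.expanduser("~/.zshrc")).read()` and the raw bytes of ~/Library/Preferences/com.apple.dock.plist to the two functions; any Launchpad tile outside the system path, or any rc line that sources an unfamiliar dotfile, is worth pulling for analysis rather than treated as proof of infection, since the heuristics are deliberately broad.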
