- Microsoft warns about a new version of the XCSSET infostealer
- It comes with new obfuscation, infection and persistence techniques
- Experts warn all users to be careful
Microsoft says it has seen a new strain of a known macOS malware family, one that comes with better obfuscation techniques, more persistence and new infection mechanisms.
In a brief post on X, Microsoft detailed the discovery of a new version of XCSSET, which it describes as a “sophisticated modular macOS malware” that targets users through infected Xcode projects.
Xcode is the official Integrated Development Environment (IDE) for building applications for macOS, iOS, iPadOS, watchOS and tvOS. It includes a code editor, a compiler, Interface Builder and tools for testing and deploying applications.
Limited attacks
In essence, XCSSET is an infostealer. It is able to extract system information and files, steal digital wallet data and obtain information from the official Notes app. Its latest iteration appears after more than two years of inactivity, and seems to come with significant improvements.
To hide better, XCSSET now uses a “significantly more randomized” approach to generating the payloads that infect Xcode projects, Microsoft explained. For persistence, XCSSET now uses two techniques, called “zshrc” and “dock”. In the first, the malware creates a file named ~/.zshrc_aliases, which contains the payload. It then adds a command to the ~/.zshrc file to make sure the created file is run every time a new shell session starts.
In the second, the malware downloads a signed dockutil tool from a command-and-control server to manage the items in the Dock. It then creates a fake Launchpad application and replaces the legitimate entry in the Dock. That way, when the victim launches Launchpad from the Dock, both the legitimate application and the malware are executed.
As for infection, XCSSET now comes with new methods for where the payload is placed in the Xcode project.
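The two persistence techniques described above can be checked for on an endpoint with a short script. The following is an added example for defenders, not code from Microsoft or from the article. It assumes the dropped file is exactly `~/.zshrc_aliases` and that `~/.zshrc` is made to reference it; it assumes the Dock configuration is supplied as an XML plist (as produced by `defaults export com.apple.dock -`); and it assumes the legitimate Launchpad bundle lives at `/System/Applications/Launchpad.app/`. The fixture files it creates for its stand-alone run are constructed, not real artefacts.

```shell
#!/bin/sh
# Added example (not Microsoft's or the article's code): looks for the two
# XCSSET persistence indicators described in the text.
#
# Assumptions (placeholders, not facts from the article):
#   - the zshrc technique drops ~/.zshrc_aliases and references it from ~/.zshrc
#   - the Dock plist is passed in as XML text
#   - the system Launchpad lives at /System/Applications/Launchpad.app/

SYSTEM_LAUNCHPAD='file:///System/Applications/Launchpad.app/'

# Prints the number of zsh persistence indicators found under a home directory.
check_zsh_persistence() {
    home_dir="$1"
    hits=0
    if [ -f "$home_dir/.zshrc_aliases" ]; then
        echo "indicator: $home_dir/.zshrc_aliases present" >&2
        hits=$((hits + 1))
    fi
    if [ -f "$home_dir/.zshrc" ] && grep -q 'zshrc_aliases' "$home_dir/.zshrc"; then
        echo "indicator: $home_dir/.zshrc references .zshrc_aliases" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Prints the number of Dock tiles that present themselves as Launchpad but
# point somewhere other than the system Launchpad bundle.
check_dock_plist() {
    plist="$1"
    hits=0
    # _CFURLString values are percent-encoded file URLs, so no spaces appear.
    for url in $(grep -o '<string>file://[^<]*</string>' "$plist" | sed 's/<[^>]*>//g'); do
        case "$url" in
            *Launchpad*)
                if [ "$url" != "$SYSTEM_LAUNCHPAD" ]; then
                    echo "indicator: Dock Launchpad tile points to $url" >&2
                    hits=$((hits + 1))
                fi
                ;;
        esac
    done
    echo "$hits"
}

# Constructed fixtures for a stand-alone run (not real malware artefacts).
demo=$(mktemp -d)
printf '# constructed placeholder, no payload\n' > "$demo/.zshrc_aliases"
printf 'export EDITOR=vim\nsource ~/.zshrc_aliases\n' > "$demo/.zshrc"
cat > "$demo/dock.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>persistent-apps</key><array>
<dict><key>tile-data</key><dict><key>file-data</key><dict>
<key>_CFURLString</key><string>file:///System/Applications/Mail.app/</string></dict></dict></dict>
<dict><key>tile-data</key><dict><key>file-data</key><dict>
<key>_CFURLString</key><string>file:///Users/demo/Library/Launchpad.app/</string></dict></dict></dict>
</array></dict></plist>
EOF
echo "zsh indicators:  $(check_zsh_persistence "$demo")"
echo "dock indicators: $(check_dock_plist "$demo/dock.plist")"
rm -rf "$demo"
```

On a real host you would run `check_zsh_persistence "$HOME"` and feed `check_dock_plist` a file produced by `defaults export com.apple.dock -`; a non-zero count is a prompt to inspect the files by hand, not proof of infection, since a user may legitimately keep aliases in a separate file.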
Microsoft said that for now it is only seeing the new variant in “limited attacks”, but wanted to raise the alarm early so that users and organizations can protect themselves.
“Users must always inspect and verify any downloaded or cloned Xcode project, since the malware usually spreads through infected projects,” the company concluded. “They must also only install applications from trusted sources, such as a software platform's official app store.”