Microsoft has revealed the discovery of a new variant of the infamous XCSSET malware that targets macOS, which has so far been detected in a small number of active attacks.
It is described as the largest evolution of the malware since 2022. As highlighted in a post on X by the Microsoft Threat Intelligence team, this new version of XCSSET includes more advanced obfuscation as well as more refined persistence and infection methods.
Most of the malware's earlier capabilities have also been enhanced, including the targeting of digital wallets, the capture of Notes app data, and the exfiltration of system information and files.
XCSSET is an advanced modular malware designed specifically for macOS, and it is notorious for infecting Apple Xcode projects. Trend Micro first reported it in August 2020.
Subsequent variants adapted to newer macOS releases as well as to Apple's M1 chips. Cybersecurity experts observed that mid-last year, XCSSET had progressed to the point where it could gather data from a range of applications.
These applications include Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and even Apple's own apps such as Contacts and Notes.
A report from Jamf in the same period revealed that the malware could exploit a zero-day vulnerability, CVE-2021-30713, to bypass the TCC (Transparency, Consent, and Control) framework. This allowed it to take screenshots of the victim's desktop without requiring any further authorization.
Microsoft's latest discovery marks the first major update since 2022, introducing new obfuscation and persistence techniques intended to hinder analysis. One of these ensures that the malware is activated with every new shell session.
Microsoft has issued an explanation, saying, “Malware creates a mock Launchpad application that supplements the path to the authentic Launchpad in the dock with this counterfeit version. Thus, whenever the Launchpad is activated from the dock, both the real Launchpad and the illicit payload will be launched.”
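As an added defender-side example (not Microsoft's or the article's code), the check below parses a macOS Dock preferences plist and flags any tile labelled "Launchpad" whose target is not the genuine Launchpad bundle, which is the kind of dock tampering the quoted explanation describes. It assumes the standard `com.apple.dock` `persistent-apps` layout and that the real bundle lives at `/System/Applications/Launchpad.app` (or `/Applications/Launchpad.app` on older releases). The sample plist is constructed for illustration, with a placeholder path standing in for wherever a counterfeit bundle might sit; it is not a real capture.

```python
import plistlib
from urllib.parse import urlparse, unquote

# Locations of the genuine Launchpad bundle on supported macOS versions
# (Catalina and later ship it under /System/Applications; older releases
# used /Applications). Anything else with the Launchpad label is suspect.
LEGIT_LAUNCHPAD_PATHS = {
    "/System/Applications/Launchpad.app",
    "/Applications/Launchpad.app",
}


def _cfurl_to_path(cfurl):
    """Normalise a _CFURLString from the dock plist into a filesystem path."""
    parsed = urlparse(cfurl)
    path = unquote(parsed.path) if parsed.scheme == "file" else cfurl
    return path.rstrip("/")


def find_suspicious_launchpad_tiles(plist_bytes):
    """Return dock tiles labelled 'Launchpad' that do not point at the real bundle.

    plist_bytes is the raw content of com.apple.dock.plist (XML or binary);
    plistlib accepts both encodings.
    """
    dock = plistlib.loads(plist_bytes)
    findings = []
    for tile in dock.get("persistent-apps", []):
        tile_data = tile.get("tile-data", {})
        label = tile_data.get("file-label", "")
        if label.lower() != "launchpad":
            continue
        cfurl = tile_data.get("file-data", {}).get("_CFURLString", "")
        path = _cfurl_to_path(cfurl)
        if path not in LEGIT_LAUNCHPAD_PATHS:
            findings.append({"label": label, "path": path})
    return findings


# Constructed sample dock plist (NOT a real capture): one genuine Launchpad
# tile, one tile that keeps the Launchpad label but points at a placeholder
# location, and an unrelated tile that must be ignored.
SAMPLE_DOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>persistent-apps</key>
  <array>
    <dict>
      <key>tile-data</key>
      <dict>
        <key>file-label</key><string>Launchpad</string>
        <key>file-data</key>
        <dict>
          <key>_CFURLString</key><string>file:///System/Applications/Launchpad.app/</string>
          <key>_CFURLStringType</key><integer>15</integer>
        </dict>
      </dict>
    </dict>
    <dict>
      <key>tile-data</key>
      <dict>
        <key>file-label</key><string>Launchpad</string>
        <key>file-data</key>
        <dict>
          <key>_CFURLString</key><string>file:///Users/example/Library/PLACEHOLDER_DIR/Launchpad.app/</string>
          <key>_CFURLStringType</key><integer>15</integer>
        </dict>
      </dict>
    </dict>
    <dict>
      <key>tile-data</key>
      <dict>
        <key>file-label</key><string>Safari</string>
        <key>file-data</key>
        <dict>
          <key>_CFURLString</key><string>file:///Applications/Safari.app/</string>
          <key>_CFURLStringType</key><integer>15</integer>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    # On a live Mac, pass the bytes of ~/Library/Preferences/com.apple.dock.plist instead.
    for hit in find_suspicious_launchpad_tiles(SAMPLE_DOCK_PLIST):
        print(f"suspicious Launchpad tile -> {hit['path']}")
```

Because the dock plist is read from disk rather than queried through the running Dock process, the same function can be run against plists collected from many hosts during an investigation, and the result is a plain list that is easy to feed into a wider triage script.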