XCSSET Malware Threatens macOS Developer Community
Threat Group: Unattributed
Threat Type: Malware, Supply Chain Attack
Exploited Vulnerabilities: Transparency Consent and Control (TCC) Zero-day Vulnerabilities
Malware Used: XCSSET
Threat Score: High (8.5/10) – Advanced obfuscation, persistent infection mechanisms, and supply-chain attack potential
Last Threat Observation: March 11, 2025 (Microsoft Security Blog)
Overview
XCSSET is a sophisticated, modular macOS malware first discovered in 2020, primarily known for infecting Xcode development projects. The latest variant detected exhibits advanced obfuscation, enhanced persistence strategies, and zero-day exploit capabilities, significantly increasing its threat potential. Recent campaigns have specifically targeted cryptocurrency and fintech industries, showcasing its evolving targeting strategies.
Key Details
- Delivery Method: Infected Xcode projects
- Targets: macOS developers, cryptocurrency, fintech sectors
- Functions:
- Cryptocurrency theft by manipulating wallet addresses
- Credential theft, including chat logs and browser-stored passwords
- System reconnaissance
- Malicious JavaScript injection (UXSS attacks)
- Data exfiltration from application sandbox directories
- Obfuscation: Advanced encrypted scripting and misleading module naming
Attack Vectors
XCSSET uniquely spreads through compromised Xcode project files rather than typical phishing or direct downloads. Developers unwittingly execute the malware upon building infected projects, facilitating unnoticed propagation within collaborative development environments and potentially triggering widespread supply-chain attacks.
A recent campaign in December 2024 demonstrated the malware's targeted capabilities, specifically focusing on cryptocurrency and fintech companies.
Malware Functionalities
| Functionality | Description |
|---|---|
| Data Exfiltration | Steals sensitive information from applications (e.g., Notes, Telegram, Chrome), specifically targeting digital wallets and credentials. |
| System Information Gathering | Collects extensive system details (macOS version, SIP status, CPU info) for victim profiling and tailored attacks. |
| Screenshot Capture | Captures screen content to obtain sensitive displayed information. |
| File Encryption & Ransomware | Encrypts user files, displaying ransom demands, suggesting ransomware capabilities. |
| JavaScript Injection (UXSS) | Injects malicious JavaScript to manipulate website content, intercept cryptocurrency transactions, and steal online credentials. |
Evasion and Persistence Techniques
XCSSET incorporates sophisticated evasion and persistence strategies:
- Obfuscation: Uses advanced encryption and randomized encoding (e.g., Base64, xxd).
- Zero-Day Exploits: Leverages zero-day vulnerabilities in Apple's TCC to gain unauthorized access to sensitive macOS functionalities (e.g., microphone, webcam, screenshots).
- Persistence Methods:
- zshrc Modification: Injects malicious code into
.zshrc_aliasesto execute upon each shell session initiation. - Dock Method: Uses a signed version of
dockutilto replace legitimate dock applications, embedding itself deeply in the system. - Git Integration: Ensures malware execution with each Git commit by embedding malicious scripts in repositories.
- zshrc Modification: Injects malicious code into
Indicators of Compromise (IoCs)
FileHash-SHA256
25d226d5cb0c74ed5b1b85f12d53a4c2de2147ff464b2a35db03987015b11e2456670f51f94080f1ae45f2a433767f210f290835bf582e1a2e1876f1028832de8cec3c106659709017bb253becf68296c7bf13e76fa92b4450c281003d225645c2a7970216576a6b8f74528ffcfa51aa2b72b7f3e4237d97715b1b5ba80b25cacc37a01d3351b3c166f04aec6f52849e909b0b9c8d55095d730c660691b1ba66d338dc9a75a14753f57399815b5d996a1c5e65aa4eb203222d8c85fb3d74b02fea90c72e67f1c9a9231732119576a7dcb29471f7da428866187d4326e78097f2f67e2a27f0d1a4667b065ab05f884ff881eb7627e9d458f97f2204647b339c6eff83f53a383ba3f1d6b002006adf16a7f0b3263185d56cb70104889874d67c5d
domain
bulknames[.]rucastlenet[.]ruchaoping[.]rudevapple[.]rufigmasol[.]rugigacells[.]rugizmodoc[.]ruitoyads[.]rurigglejoy[.]rurutornet[.]rusigmate[.]rutrixmate[.]ruvivatads[.]ruxccset[.]sdxccset[.]sexccset[.]sgxccset[.]sixccset[.]sjxccset[.]skxcsset[.]scxcsset[.]sexcsset[.]st
Mitigation and Prevention
Protective measures against XCSSET:
- Regular Software Updates: Promptly apply updates for macOS and development tools.
- Xcode Project Verification: Inspect projects from external sources for anomalies or suspicious scripts.
- Advanced Security Solutions: Employ endpoint protection with behavior analytics capabilities.
- Security Training: Educate developers about secure coding practices and third-party code risks.
- Multi-Factor Authentication (2FA): Mandate 2FA for repository and critical data access.
- Comprehensive Log Monitoring: Monitor and analyze logs for suspicious activities or unauthorized access attempts.
Risk Assessment
XCSSET's advanced infection mechanisms, exploitation of zero-day vulnerabilities, and adaptability to newer macOS environments (including Apple M1 chipsets) represent a substantial threat. Its unique targeting of collaborative software development environments increases the likelihood of extensive, undetected spread.
Conclusion
Organizations, particularly within software development and financial technology sectors, should prioritize comprehensive threat management strategies against XCSSET. Ongoing vigilance, secure coding practices, regular updates, and robust security protocols are essential for mitigating this evolving threat.
Sources:
- Microsoft Security Blog – New XCSSET Malware Adds New Obfuscation and Persistence Techniques
- Bleeping Computer – Microsoft Spots XCSSET macOS Malware Variant Used for Crypto Theft
- Dark Reading – Microsoft Warns of New Variant of macOS Threat XCSSET
- AlienVault - Indicators of Compromise.