Microsoft said it has discovered a new variant of the known Apple macOS malware XCSSET as part of limited attacks in the wild.
The Microsoft Threat Intelligence team said in a post shared on X, “The first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.”
“These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files.”
XCSSET is a sophisticated modular macOS malware known to target users by infecting Apple Xcode projects. It was first documented by Trend Micro in August 2020.
Subsequent iterations of the malware have been found to adapt to compromise Apple's M1 chipsets along with newer versions of macOS. In mid-2021, the cybersecurity company noted that XCSSET had been updated to exfiltrate data from various apps such as Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and Apple first-party apps like Contacts and Notes.
Another report from Jamf around the same time revealed the malware's ability to exploit CVE-2021-30713, a Transparency, Consent, and Control (TCC) framework bypass bug, as a zero-day to take screenshots of the victim's desktop without requiring additional permissions.
Then, a year later, it was updated again to add support for macOS Monterey. As of writing, the origin of the malware is unknown.
Microsoft's latest findings mark the first major revision since 2022, with better obfuscation methods and persistence mechanisms that are aimed at frustrating analysis efforts and ensuring that the malware is launched every time a new shell session starts.
Another novel method XCSSET uses for persistence involves downloading a signed dockutil utility from a command-and-control server to manage the Dock items.
“The malware then creates a fake Launchpad application and replaces the legitimate Launchpad's path entry in the Dock with this fake one,” Microsoft said. “This ensures that every time Launchpad is started from the Dock, both the legitimate Launchpad and the malicious payload are executed.”
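The Dock-item replacement described above leaves a trace in the user's Dock preferences: an entry labelled "Launchpad" whose on-disk path is no longer the system Launchpad app. The following check, an added example not taken from the article or from Microsoft's write-up, parses a `com.apple.dock.plist` and flags such entries. It assumes the system Launchpad lives under `/System/Applications/Launchpad.app/` and uses a constructed sample plist so it runs offline.

```python
import plistlib
from pathlib import Path

# Assumption: the legitimate Launchpad app path on current macOS releases.
LEGIT_LAUNCHPAD = "/System/Applications/Launchpad.app/"


def _url_to_path(url):
    """Strip the file:// scheme that Dock entries use in _CFURLString."""
    return url[len("file://"):] if url.startswith("file://") else url


def dock_apps(plist_bytes):
    """Yield (label, path) for every persistent-apps tile in a Dock plist."""
    data = plistlib.loads(plist_bytes)
    for item in data.get("persistent-apps", []):
        tile = item.get("tile-data", {})
        label = tile.get("file-label", "")
        url = tile.get("file-data", {}).get("_CFURLString", "")
        yield label, _url_to_path(url)


def suspicious_launchpad_entries(plist_bytes):
    """Return Dock tiles labelled Launchpad whose path is not the system app."""
    return [(label, path) for label, path in dock_apps(plist_bytes)
            if label.lower() == "launchpad" and not path.startswith(LEGIT_LAUNCHPAD)]


def check_live_dock(plist_path=Path.home() / "Library/Preferences/com.apple.dock.plist"):
    """Run the check against the current user's Dock preferences."""
    return suspicious_launchpad_entries(plist_path.read_bytes())


def _tile(label, path):
    # Minimal tile in the shape the Dock writes (enough for this check).
    return {"tile-type": "file-tile",
            "tile-data": {"file-label": label,
                          "file-data": {"_CFURLString": "file://" + path,
                                        "_CFURLStringType": 15}}}


# Constructed sample: one real Launchpad tile, one relabelled tile pointing
# at a user-writable location, and an unrelated app for contrast.
FAKE_PATH = "/Users/example/Library/Application Support/Fake/Launchpad.app/"
SAMPLE_PLIST = plistlib.dumps({"persistent-apps": [
    _tile("Launchpad", LEGIT_LAUNCHPAD),
    _tile("Launchpad", FAKE_PATH),
    _tile("Safari", "/Applications/Safari.app/"),
]})

if __name__ == "__main__":
    for label, path in suspicious_launchpad_entries(SAMPLE_PLIST):
        print(f"suspicious Dock tile '{label}' -> {path}")
```

On a real host, `check_live_dock()` reads the logged-in user's Dock plist; an empty list means every Launchpad tile still points at the system app.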