![[Update: Fix] Chromecast (2nd gen) and Audio can’t Cast in ‘Untrusted’ outage](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2019/08/chromecast_audio_1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
The infostealer has been upgraded after three years.
- Microsoft warns of new version of the XCSSET infostealer
- It comes with new obfuscation, infection, and persistence techniques
- It was seen in "limited" attacks in the wild
A new variant of a known macOS malware is making rounds on the internet, targeting users through infected Xcode projects.
Researchers from the Microsoft Threat Intelligence team said that the modular malware is seen in “limited attacks” at this time, but suggested that people should still keep their guard up.
According to the researchers, this is the first upgrade to XCSSET in three years. It now has enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.
Scrutinize Xcode projects
“These enhanced features add to this malware family’s previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files,” Microsoft said.
Microsoft first reported of this new XCSSET strain in mid-February this year, and has now come forward with an in-depth analysis.
Xcode is Apple's official integrated development environment (IDE) for creating apps on macOS, iOS, iPadOS, watchOS, and tvOS. It includes a code editor, debugger, Interface Builder, and tools for testing and deploying apps.
In essence, XCSSET is an infostealer. It is capable of pulling system information and files, stealing digital wallet data, and grabbing information from the official Notes app.
For obfuscation, XCSSET now uses a “significantly more randomized approach” for generating payloads to infect Xcode projects. When it comes to updated persistence mechanisms, the new variant uses two techniques: “zshrc”, and “dock”. Finally, for infection, there are now new methods for where the payload is placed in a target Xcode project.
“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects,” the company concluded. “They should also only install apps from trusted sources, such as a software platform’s official app store.”
The in-depth analysis of the malware and its modus operandi can be found on here.
You might also like
- Microsoft spies a new and worrying macOS malware strain
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
