Microsoft said it has discovered a new variant of the known Apple MacOS malware called Xcsset as part of a limited attack in the wild.
“This latest XCSSet malware, the first known variant since 2022, features obfuscation methods, updated persistence mechanisms, and new infection strategies,” the Microsoft Threat Intelligence team said in a shared post for X. It is stated in.
“These enhanced features add to the previously known features of this malware family, including targeting digital wallets, collecting data from the Notes app, and removing system information and files.”
XCSSet is a sophisticated modular MACOS malware known to target users by infecting Apple Xcode projects. It was first recorded in August 2020 by Trend Micro.
Subsequent iterations of malware have been found to adapt to compromise on newer versions of MacOS, as well as Apple’s own M1 chipset. In mid-2021, cybersecurity companies noted that XCSSET was updated to remove data from various apps such as Google Chrome, Telegram, Evernote, Opera, Skype, WeChat and Apple’s first-party apps.
Another report from JAMF shows the ability, transparency, consent, and control (TCC) framework bypass bug to leverage CVE-2021-30713, and the victim’s desktop screen without the need for additional permission It has revealed that bypassing the bug as a zero day to take shots. .
Then, over a year later, it was updated again to add support for Macos Monterey. At the time of writing, the origin of the malware remains unknown.
The latest findings from Microsoft show the first major revision since 2022, and new shell sessions using improved obfuscation methods and persistence mechanisms aimed at challenging analytical efforts guarantees that malware will start every time it is started.
Another novel etiquette that XCSSET sets involves downloading a signed Dockutil utility from the command and control server to manage dock items.
“The malware then creates a fake LaunchPad application and replaces the legitimate LaunchPad path entry in the dock with this fake,” Microsoft said. “This ensures that each time Launchpad starts from the dock, both a legal Launchpad and a malicious payload will be performed.”
Source link
