This modular backdoor, first documented in 2020, now employs advanced obfuscation techniques, refined persistence mechanisms, and novel infection vectors to subvert Apple’s security frameworks and compromise software supply chains.
The 2024 variant introduces multi-layered encoding strategies to evade static analysis. While earlier versions relied on SHC-compiled shell scripts and run-only AppleScripts to obscure malicious logic, the updated strain randomizes encoding algorithms between Base64 and xxd hexdump operations.
This variability defeats signature-based detection, since every iteration of the payload produces a different file hash.
Crucially, the malware also chooses the number of encoding passes (between 5–9 cycles) at runtime, which further complicates reverse engineering.
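Below is an added example of how an analyst peels this kind of layering; it is not code from the article or from Microsoft. The sample script, the coin-flip choice between Base64 and an xxd-style hexdump at each layer, and the seeded random layer count (5 to 9, as the text states) are all constructed here. The decoder does not know the order in which the layers were applied; it recognises each layer by its shape and strips it, stopping when the data is neither a hexdump nor valid Base64.

```python
"""Peel randomized Base64 / xxd-hexdump layers (constructed demonstration)."""
import base64
import binascii
import random
import re
from typing import List, Optional, Tuple

# Stand-in for the encoded script. The quotes and spaces make it neither valid
# Base64 nor an xxd dump, so the peeler knows when it has reached the bottom.
SAMPLE_PLAINTEXT = b"echo 'constructed stand-in for the script'\n"

# Default `xxd` layout: 8 hex digit offset, colon, up to 8 groups of 4 hex digits, ASCII column.
HEXDUMP_LINE = re.compile(r"^[0-9a-f]{8}: ((?:[0-9a-f]{2,4}\s?)+)")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def xxd_dump(data: bytes) -> str:
    """Emulate the default output of `xxd`; used only to build the sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines) + "\n"


def wrap(data: bytes, layers: int, rng: random.Random) -> Tuple[bytes, List[str]]:
    """Apply `layers` encodings, each picked at random; return the data and the order applied."""
    applied: List[str] = []
    for _ in range(layers):
        if rng.random() < 0.5:
            data, kind = base64.b64encode(data), "base64"
        else:
            data, kind = xxd_dump(data).encode("ascii"), "xxd"
        applied.append(kind)
    return data, applied


def revert_xxd(text: str) -> Optional[bytes]:
    """Inverse of xxd_dump (what `xxd -r` does); None if the text is not a hexdump."""
    lines = text.splitlines()
    if not lines:
        return None
    out = bytearray()
    for line in lines:
        m = HEXDUMP_LINE.match(line)
        if not m:
            return None
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def revert_base64(text: str) -> Optional[bytes]:
    """Strict Base64 decode; None if anything outside the alphabet is present."""
    compact = "".join(text.split())
    if not compact or not BASE64_BLOB.fullmatch(compact) or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def peel(blob: bytes, max_layers: int = 16) -> Tuple[bytes, List[str]]:
    """Strip layers, innermost last, until the data is neither a hexdump nor Base64."""
    peeled: List[str] = []
    for _ in range(max_layers):
        try:
            text = blob.decode("ascii")
        except UnicodeDecodeError:
            break
        inner, kind = revert_xxd(text), "xxd"
        if inner is None:
            inner, kind = revert_base64(text), "base64"
        if inner is None:
            break
        blob, peeled = inner, peeled + [kind]
    return blob, peeled


def roundtrip(seed: int) -> Tuple[List[str], List[str], bytes]:
    """Build a seeded sample with 5 to 9 layers, peel it, return (applied, peeled, recovered)."""
    rng = random.Random(seed)
    encoded, applied = wrap(SAMPLE_PLAINTEXT, rng.randint(5, 9), rng)
    recovered, peeled = peel(encoded)
    return applied, peeled, recovered


if __name__ == "__main__":
    applied, peeled, recovered = roundtrip(2024)
    print("applied:", applied, "\npeeled: ", peeled)  # peeled is applied in reverse
    print(recovered.decode())
```

The stop condition matters: a real script almost always contains characters outside the Base64 alphabet, so the peeler halts on the first layer that fails both checks rather than decoding plaintext into garbage. On a real sample, feed the bytes of the recovered file to `peel` instead of the constructed blob.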
At the filesystem level, XCSSET now deploys modular components within falsified application bundles.
Recent campaigns disguise the primary executable (a.scpt) inside a counterfeit Notes.app, strategically placed in non-standard Library subdirectories like ~/Library/Application Scripts/com.apple.CalendarAgent.
This masquerading technique exploits macOS’s trust in system-adjacent directories, bypassing Gatekeeper checks.
The malware establishes persistence through two parallel methodologies:
Zshrc Injection: By appending malicious shell commands to ~/.zshrc, XCSSET ensures payload reactivation upon every terminal session initiation. This leverages macOS’s default Zsh environment to execute a hidden script (~/.zshrc_aliases) containing the encoded backdoor.
Dock API Manipulation: Utilizing a signed dockutil binary fetched from command-and-control (C2) servers, the malware replaces the legitimate Launchpad entry with a malicious counterpart.
This ensures execution whenever users interact with the Dock, while maintaining the appearance of normal system behavior.
XCSSET’s updated replicator.applescript module employs three primary strategies to infiltrate Xcode workspaces:
TARGET Injection: Modifies the TARGET_DEVICE_FAMILY build setting to execute malicious scripts during compilation phases like “Copy Bundle Frameworks” or “Compile Swift Frameworks”.
RULE Exploitation: Injects build rules that trigger payload deployment before linking binaries, often disguised as legitimate code-signing operations.
FORCED_STRATEGY Payloads: Directly overwrites .pbxproj files to reference hidden assets containing Mach-O malware and bootstrap scripts.
These techniques enable supply chain attacks when developers share infected projects via GitHub or CocoaPods repositories, potentially compromising downstream applications.
Microsoft Defender for Endpoint now recognizes behavioral patterns associated with XCSSET’s updated modules, including:
Organizations should enforce code-signing verification for all Xcode dependencies and monitor for unauthorized SSH key generation in ~/.ssh/authorized_keys.
Developers must audit project files for unfamiliar build phase references or hidden xcassets directories containing executable payloads.
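The following is an added example of the audit the last two paragraphs call for, written for this page and not taken from the article or from Microsoft. It covers both the shell persistence described earlier (a ~/.zshrc that sources a hidden ~/.zshrc_aliases file which decodes and executes something) and the three Xcode project manipulations (a non-numeric TARGET_DEVICE_FAMILY value, a run-script phase or build rule that decodes and executes, and references to an xcassets directory whose name begins with a dot). The file contents are constructed inline, and the regular expressions are this example's assumptions about what those indicators look like in a .pbxproj file, not signatures published by the article.

```python
"""Line-oriented audit for XCSSET-style persistence and Xcode project indicators (constructed)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Pattern, Tuple


@dataclass(frozen=True)
class Finding:
    source: str    # label of the file the line came from
    line_no: int   # 1-based line number
    rule: str
    text: str


# A rule is (name, pattern, predicate); the predicate sees the match and the
# whole line and can veto it, so one regex can capture a value for inspection.
Rule = Tuple[str, Pattern, Callable[[re.Match, str], bool]]

DECODER = re.compile(r"\b(?:base64\s+(?:-d|-D|--decode)|xxd\s+-r)\b")
EXECUTOR = re.compile(r"\b(?:eval|osascript)\b|\|\s*(?:sh|zsh|bash)\b")
HIDDEN_XCASSETS = re.compile(r'/\.[^/\s"]+\.xcassets\b')
DEVICE_FAMILY = re.compile(r'TARGET_DEVICE_FAMILY\s*=\s*"?(.*?)"?\s*;\s*$')


def always(_m: re.Match, _line: str) -> bool:
    return True


SHELL_RULES: List[Rule] = [
    # ~/.zshrc sourcing the hidden aliases file the article describes.
    ("references-hidden-aliases", re.compile(r"(?:^|\s)(?:source|\.)\s+\S*\.zshrc_aliases\b"), always),
    # A decoder (base64 / xxd -r) and an executor (eval, osascript, pipe to a shell) on one line.
    ("decode-to-exec", DECODER, lambda m, line: bool(EXECUTOR.search(line))),
]

PBXPROJ_RULES: List[Rule] = [
    # TARGET_DEVICE_FAMILY is legitimately a comma-separated list of numbers such as "1,2".
    ("device-family-not-numeric", DEVICE_FAMILY,
     lambda m, line: re.fullmatch(r"[0-9]+(?:,[0-9]+)*", m.group(1)) is None),
    # shellScript (run-script phase) or script (build rule) that decodes and executes.
    ("script-decodes-and-executes", re.compile(r'\b(?:shellScript|script)\s*=\s*"'),
     lambda m, line: bool(DECODER.search(line) and EXECUTOR.search(line))),
    # An xcassets directory named with a leading dot is hidden from Finder.
    ("hidden-xcassets-reference", HIDDEN_XCASSETS, always),
]


def audit(source: str, content: str, rules: List[Rule]) -> List[Finding]:
    """Run every rule over every line; return findings in file order, rule order within a line."""
    findings: List[Finding] = []
    for n, line in enumerate(content.splitlines(), 1):
        for name, pattern, accept in rules:
            m = pattern.search(line)
            if m and accept(m, line):
                findings.append(Finding(source, n, name, line.strip()))
    return findings


# Constructed samples: two benign lines per file surround the suspicious ones.
ZSHRC_SAMPLE = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
source ~/.zshrc_aliases
"""
ALIASES_SAMPLE = """\
alias gs='git status'
eval "$(echo 'Y29uc3RydWN0ZWQgc2FtcGxlCg==' | base64 -D)"
"""
PBXPROJ_SAMPLE = r'''
        AB12 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Copy Bundle Frameworks";
            shellScript = "cat \"${SRCROOT}/Assets/.hidden.xcassets/a.txt\" | base64 -D | sh\n";
        };
        CD34 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            shellScript = "swiftlint || true\n";
        };
        EF56 /* a.scpt */ = {isa = PBXFileReference; path = "Assets/.hidden.xcassets/a.scpt"; sourceTree = "<group>"; };
        buildSettings = {
            TARGET_DEVICE_FAMILY = "1,2";
        };
        buildSettings = {
            TARGET_DEVICE_FAMILY = "1,2; $(osascript ~/Library/a.scpt)";
        };
'''.lstrip("\n")


if __name__ == "__main__":
    for label, text, rules in (("~/.zshrc", ZSHRC_SAMPLE, SHELL_RULES),
                               ("~/.zshrc_aliases", ALIASES_SAMPLE, SHELL_RULES),
                               ("project.pbxproj", PBXPROJ_SAMPLE, PBXPROJ_RULES)):
        for f in audit(label, text, rules):
            print(f"{f.source}:{f.line_no} [{f.rule}] {f.text}")
```

To run this over a real checkout, replace the constructed strings with the contents of each developer's ~/.zshrc, any file it sources, and every project.pbxproj under the workspace. The hits are leads for manual review, not verdicts: a legitimate run-script phase can pipe to a shell, and the point of the rules is to surface the combination of decoder and executor that a code reviewer would otherwise scroll past.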
As XCSSET continues to exploit macOS’s scripting ecosystems, this campaign underscores the critical need for runtime protection mechanisms alongside static analysis.
Microsoft recommends enabling tamper protection in Defender for Endpoint to block unauthorized process injection attempts targeting Xcode or Safari instances.
The post New XCSSET Malware Attacking macOS Users by Infecting Xcode Projects appeared first on Cyber Security News.