Microsoft Discovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics

Feb 17, 2025Ravie LakshmananEndpoint Security / Malware

Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET, used in limited attacks in the wild.

The latest XCSSET malware, the first known variant since 2022, features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies, according to a post from the Microsoft Threat Intelligence team.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files."

XCSSET is a sophisticated, modular macOS malware known to target users by infecting Apple Xcode projects. It was first documented by Trend Micro in August 2020.

Subsequent iterations of the malware have been found to adapt to compromise both newer macOS versions and Apple's M1 chipsets. In mid-2021, the cybersecurity firm noted that XCSSET had been updated to exfiltrate data from various apps such as Google Chrome, Telegram, Evernote, Opera, Skype, Twitter, and Apple first-party apps such as Contacts and Notes.

Another report from Jamf around the same time uncovered the malware's ability to exploit CVE-2021-30713, a Transparency, Consent, and Control (TCC) framework bypass bug, as a zero-day to take screenshots of the victim's desktop without requiring additional permissions.

Then, over a year later, it was updated again to add support for macOS Monterey. As of writing, the origins of the malware remain unknown.

The latest findings from Microsoft describe improved obfuscation methods and persistence mechanisms that are intended to frustrate analysis and to ensure the malware is launched every time a new shell session is initiated.

Another notable way XCSSET sets up persistence is by downloading a signed dockutil utility from a command-and-control server and using it to manage dock items.

The malware then creates a fake Launchpad application and replaces the legitimate Launchpad's path entry in the dock with the fake one, according to Microsoft. This ensures that both the legitimate Launchpad and the malicious payload are executed whenever Launchpad is started from the dock.
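A host-side check for the two persistence mechanisms described above (the shell-session hook and the redirected Launchpad dock tile), added here as an example; it is not Microsoft's or the article's code, and the drop-path heuristics, the sample dock plist and the sample .zshrc contents are constructed assumptions rather than published XCSSET indicators:

```python
"""Hunt for two XCSSET-style persistence tricks on a macOS host:
a Launchpad dock tile that no longer points at the system Launchpad bundle,
and shell startup files that run something on every new shell session.
The dock/rc samples below are constructed for this example; the path
heuristics are this example's assumptions, not Microsoft's published IOCs."""
import plistlib
import re
from pathlib import Path
from urllib.parse import unquote

# Where the real Launchpad lives on current macOS (Catalina and later)
LEGIT_LAUNCHPAD = "/System/Applications/Launchpad.app"

# Startup files a payload must touch to run on every new zsh/bash session
SHELL_RC_FILES = [".zshenv", ".zprofile", ".zshrc", ".bash_profile", ".bashrc", ".profile"]

# Heuristics for rc lines: something is executed or sourced ...
EXEC_VERB = re.compile(r"(?:^|[;&|(\s])(?:source|\.|sh|bash|zsh|osascript|python3?|perl|curl|nohup)\s")
# ... from a user-writable staging location (assumed typical drop dirs) ...
DROP_PATH = re.compile(r"(?:~|\$HOME|/Users/[^/\s'\"]+)/Library/|/(?:private/)?tmp/|/var/folders/")
# ... or the line decodes/evals something, which a benign rc file rarely needs
DECODE_OR_EVAL = re.compile(r"base64\s+(?:-d|--decode|-D)\b|\beval\b")


def launchpad_tiles(dock_plist: bytes):
    """Return the file URL of every persistent-apps tile that claims to be Launchpad."""
    dock = plistlib.loads(dock_plist)
    hits = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        url = data.get("file-data", {}).get("_CFURLString", "")
        if data.get("file-label") == "Launchpad" or url.rstrip("/").endswith("Launchpad.app"):
            hits.append(url)
    return hits


def suspicious_launchpad_tiles(dock_plist: bytes):
    """Filesystem paths of Launchpad tiles that do not resolve to the system bundle."""
    bad = []
    for url in launchpad_tiles(dock_plist):
        path = re.sub(r"^file://", "", unquote(url)).rstrip("/")
        if path != LEGIT_LAUNCHPAD:
            bad.append(path)
    return bad


def suspicious_rc_lines(rc_text: str):
    """(line number, line) pairs in a shell startup file that match the heuristics."""
    flagged = []
    for n, raw in enumerate(rc_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # crude comment strip; a '#' inside quotes is cut too
        if not line:
            continue
        if DECODE_OR_EVAL.search(line) or (EXEC_VERB.search(line) and DROP_PATH.search(line)):
            flagged.append((n, raw))
    return flagged


def build_dock_plist(tiles):
    """Constructed com.apple.dock.plist with the given (label, file URL) tiles."""
    apps = [{"tile-type": "file-tile",
             "tile-data": {"file-label": label,
                           "file-data": {"_CFURLString": url, "_CFURLStringType": 15}}}
            for label, url in tiles]
    return plistlib.dumps({"persistent-apps": apps})


# Constructed samples: a clean dock and one whose Launchpad tile was redirected
CLEAN_DOCK = build_dock_plist([
    ("Launchpad", "file:///System/Applications/Launchpad.app/"),
    ("Safari", "file:///Applications/Safari.app/"),
])
HIJACKED_DOCK = build_dock_plist([
    ("Launchpad", "file:///Users/victim/Library/Caches/Launchpad.app/"),  # hypothetical path
    ("Safari", "file:///Applications/Safari.app/"),
])

# Constructed ~/.zshrc: lines 4 and 5 should be flagged, line 3 (nvm) should not
SAMPLE_ZSHRC = """# constructed sample, not a real XCSSET artifact
export PATH="$HOME/bin:$PATH"
source ~/.nvm/nvm.sh
zsh "$HOME/Library/Caches/.update.sh" >/dev/null 2>&1 &
eval "$(echo aGVsbG8= | base64 -d)"
"""


def check_live_system():
    """Run both checks against the current user's real dock plist and rc files."""
    home = Path.home()
    findings = {}
    dock = home / "Library/Preferences/com.apple.dock.plist"
    if dock.exists():
        findings["dock"] = suspicious_launchpad_tiles(dock.read_bytes())
    for name in SHELL_RC_FILES:
        rc = home / name
        if rc.exists():
            hits = suspicious_rc_lines(rc.read_text(errors="replace"))
            if hits:
                findings[name] = hits
    return findings


if __name__ == "__main__":
    print("hijacked dock:", suspicious_launchpad_tiles(HIJACKED_DOCK))
    print("rc hits:", suspicious_rc_lines(SAMPLE_ZSHRC))
    print("live host:", check_live_system())
```

Run it as-is to see the constructed samples flagged, or on a Mac to inspect your own dock and startup files. On a live host the on-disk plist can lag behind cfprefsd, so `defaults export com.apple.dock -` is the more reliable source, and every hit still needs triage: dockutil is a legitimate open-source admin tool, a custom Launchpad tile is not by itself proof of compromise, and the rc heuristics will not catch a payload staged somewhere other than the assumed directories.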
