Security researchers have published new findings on XCSSET, which now targets Apple’s macOS 11 and M1-based Macs. XCSSET has historically infected Xcode projects in order to deliver malicious payloads.
According to Trend Micro researchers, XCSSET has evolved to run on both ARM64 (Apple Silicon) and x86_64 Macs, and it is also used to download further payloads.
Just last month, Kaspersky reported that newly discovered XCSSET samples can run on Macs with ARM-based M1 processors. Trend Micro subsequently analyzed samples retrieved from a command-and-control (C2) server and found that XCSSET had not only added support for M1 chips but also introduced “big changes” for macOS 11 Big Sur.
Moreover, XCSSET uses a script named safari_remote.applescript to download packages such as “Safari 14” and further malicious AppleScript files, as well as icons used to disguise the malware as legitimate apps.
Trend Micro also clarified that although macOS 11 on Apple Silicon introduces a security feature that refuses to run native arm64 code without a valid code signature, it “doesn’t apply to translated x86 binaries that run under Rosetta 2, nor a macOS 11 that runs on an Intel-based platform.”
Finally, XCSSET’s fake apps and files are ad-hoc code signed with the command codesign --force --deep -s - (the lone dash after -s selects an ad-hoc signature, which needs no Apple-issued certificate). That is enough to satisfy macOS 11’s signature requirement for native arm64 binaries; an ad-hoc signature carries no developer identity, so it would not pass a Gatekeeper Developer ID or notarization check, but files the malware downloads itself are never quarantined and are therefore never assessed by Gatekeeper in the first place.
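As an added example (not code from the article or from Trend Micro), the following POSIX shell script classifies a binary or app bundle by what codesign -dvvv prints, so an ad-hoc signature of the kind XCSSET applies with codesign --force --deep -s - stands out from a Developer ID signature or from no signature at all. It assumes codesign’s output lines “Signature=adhoc”, “Authority=…” and “code object is not signed at all”; the sample outputs embedded in the script are constructed rather than captured from a real system, and the function names classify_codesign_output, classify_path and scan_applications are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the article or Trend Micro's report: flag ad-hoc
# signed code (what `codesign --force --deep -s -` produces) by parsing the
# text that `codesign -dvvv` prints. Assumed output conventions: "Signature=adhoc"
# and "flags=...(adhoc)" for ad-hoc signatures, "Authority=..." lines for
# certificate-backed signatures, "code object is not signed at all" for unsigned code.

# classify_codesign_output TEXT
#   TEXT is the combined stdout+stderr of `codesign -dvvv <path>`.
#   Prints one of: unsigned | adhoc | signed:<leaf authority> | unknown
classify_codesign_output() {
    text="$1"
    case "$text" in
        *"code object is not signed"*)
            echo unsigned
            return 0 ;;
    esac
    if printf '%s\n' "$text" | grep -Eq '^Signature=adhoc$|^CodeDirectory .*flags=[^ ]*adhoc'; then
        echo adhoc
        return 0
    fi
    # The first Authority= line is the leaf certificate, e.g. "Developer ID Application: ...".
    leaf=$(printf '%s\n' "$text" | sed -n 's/^Authority=//p' | head -n 1)
    if [ -n "$leaf" ]; then
        echo "signed:$leaf"
    else
        echo unknown
    fi
}

# classify_path PATH -- runs codesign for real; works only on macOS.
classify_path() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host" >&2
        return 2
    fi
    classify_codesign_output "$(codesign -dvvv "$1" 2>&1)"
}

# scan_applications DIR -- report every .app under DIR whose signature is
# ad-hoc or missing, the state XCSSET's fake apps are delivered in.
scan_applications() {
    dir="${1:-/Applications}"
    find "$dir" -maxdepth 2 -name '*.app' -print 2>/dev/null | while IFS= read -r app; do
        status=$(classify_path "$app") || continue
        case "$status" in
            adhoc|unsigned) printf '%s\t%s\n' "$status" "$app" ;;
        esac
    done
}

# Constructed sample outputs (not captured from real systems) so the
# classifier can be exercised on a non-Mac host.
SAMPLE_ADHOC='Executable=/Applications/Safari 14.app/Contents/MacOS/Safari 14
Identifier=Safari-14
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=13+7 location=embedded
Signature=adhoc
Info.plist entries=12
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4'

SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

SAMPLE_UNSIGNED='/tmp/payload: code object is not signed at all'

echo "adhoc sample    -> $(classify_codesign_output "$SAMPLE_ADHOC")"
echo "devid sample    -> $(classify_codesign_output "$SAMPLE_DEVID")"
echo "unsigned sample -> $(classify_codesign_output "$SAMPLE_UNSIGNED")"
```

On a Mac, running scan_applications /Applications lists any bundle whose main signature is ad-hoc or absent; legitimate software from the App Store or a Developer ID vendor will show an Authority chain instead, so an ad-hoc “Safari 14” sitting beside the real, Apple-signed Safari is an immediate lead worth pulling the bundle for.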
Readers can check out the full Trend Micro report for more details on the latest XCSSET malware samples and findings.