- Microsoft warns of a new version of the XCSSET infostealer
- It ships with new obfuscation, infection and persistence techniques
- Experts warn all users to be careful
Microsoft says it has spotted a new variant of an old macOS malware family, one that comes with better obfuscation techniques, more persistence and new infection mechanisms.
In a short post on X, Microsoft detailed the discovery of a new version of XCSSET, which it describes as a “sophisticated modular macOS malware” that targets users via infected Xcode projects.
Xcode is Apple's official integrated development environment (IDE) for building applications for macOS, iOS, iPadOS, watchOS and tvOS. It includes a code editor, a debugger, an interface builder and tools for testing and deploying applications.
Limited attacks
Essentially, XCSSET is an infostealer. It can exfiltrate system information and files, steal digital wallet data and harvest data from an official application. Its latest iteration comes after more than two years of dormancy and appears to bring significant improvements.
To hide better, XCSSET now uses a “much more randomized” approach to generating the payloads that infect Xcode projects, Microsoft said. For persistence, XCSSET now uses two techniques, dubbed “zshrc” and “dock”. In the first, the malware creates a file named ~/.zshrc_aliases that contains the payload. It then appends a command to the ~/.zshrc file so that the created file is executed every time a new shell session starts.
In the second, the malware downloads a signed dockutil tool from a command-and-control server to manage Dock items. It then creates a fake Launchpad application and replaces the legitimate entry in the Dock. That way, when the victim launches Launchpad from the Dock, both the legitimate application and the malware are executed.
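The two persistence mechanisms above lend themselves to simple host checks. The script below is an added example, not Microsoft's code or anything from the post: it looks for a ~/.zshrc that references .zshrc_aliases, and for a Dock tile labelled Launchpad whose file URL is not the system one. The genuine Launchpad path and the plist layout of `defaults export com.apple.dock -` are assumptions, and the demo runs on constructed data.

```bash
#!/bin/bash
# Added example, not Microsoft's code: defender-side checks for the two
# persistence techniques described above. It uses only the paths the article
# names and assumes the plist layout of `defaults export com.apple.dock -`.

# Print lines in a zsh startup file that reference .zshrc_aliases, the file the
# article says XCSSET creates. Returns 0 if a reference is found, 1 if clean.
check_zshrc_hook() {
    local rcfile="$1"
    [ -r "$rcfile" ] || return 1
    grep -n '\.zshrc_aliases' "$rcfile"
}

# Expected location of the genuine Launchpad on current macOS (assumption).
LAUNCHPAD_URL='file:///System/Applications/Launchpad.app/'

# Scan an exported Dock plist for a tile labelled Launchpad whose file URL is
# not the genuine one. Prints the offending URL; returns 0 if one is found.
# Each tile dict holds one _CFURLString and one file-label, in either order,
# so the pair is evaluated as soon as both have been seen.
check_dock_launchpad() {
    local plist="$1"
    awk '
        function val(s) { sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s); return s }
        /_CFURLString<\/key>/ { want_url = 1 }
        /file-label<\/key>/   { want_label = 1 }
        /<string>/ {
            if (want_url)        { url = val($0);   want_url = 0 }
            else if (want_label) { label = val($0); want_label = 0 }
        }
        url != "" && label != "" {
            if (label == "Launchpad") print url
            url = ""; label = ""
        }
    ' "$plist" | grep -vxF "$LAUNCHPAD_URL"
}

# Stand-alone demo on constructed data; a real check would read ~/.zshrc and
# the output of `defaults export com.apple.dock -` instead.
demo() {
    local tmp; tmp=$(mktemp -d)
    printf 'export PATH=$HOME/bin:$PATH\nsource ~/.zshrc_aliases\n' > "$tmp/zshrc"
    check_zshrc_hook "$tmp/zshrc" && echo "zshrc: startup file loads .zshrc_aliases"
    printf '%s\n' '<key>_CFURLString</key>' \
        '<string>file:///Users/victim/Library/Caches/Launchpad.app/</string>' \
        '<key>file-label</key>' '<string>Launchpad</string>' > "$tmp/dock.plist"
    check_dock_launchpad "$tmp/dock.plist" && echo "dock: Launchpad tile points outside /System"
    rm -rf "$tmp"
}
demo
```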
As for infection, XCSSET now comes with new methods for choosing where the payload is placed in the Xcode project.
Microsoft said it had so far only seen the new variant in “limited attacks”, but wanted to raise the alarm early so that users and organizations can protect themselves.
“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware is usually spread through infected projects,” the company concluded. “They should also only install apps from trusted sources, such as a software platform's official app store.”