New Variant of XCSSET macOS Malware Targets Cryptocurrency Transactions and Firefox Users
An advanced variant of the XCSSET macOS malware has resurfaced, introducing new capabilities to hijack cryptocurrency transactions and expand its data theft to Firefox browser users, Microsoft cybersecurity researchers have revealed.
Originally discovered about five years ago, the XCSSET malware targets macOS systems primarily through infected Xcode projects — Apple’s integrated development environment used for building macOS and iOS applications. The malware stealthily embeds itself in these projects, activating its malicious behavior when developers build the infected applications.
The latest iteration of XCSSET boasts significant upgrades in persistence, stealth, and data exfiltration techniques. Notably, it now monitors the system clipboard to detect cryptocurrency wallet addresses and replace them with attacker-controlled addresses. This clipboard hijacking tactic is designed to silently reroute cryptocurrency payments to hackers without the victim’s knowledge.
Sophisticated Infection and Persistence Techniques
The malware employs a multi-stage infection chain, culminating in the execution of run-only compiled AppleScripts that provide encryption, data validation, and communication with the attackers’ command-and-control servers. Among the expanded capabilities are:
- Targeting of Firefox browser data including passwords, cookies, browsing history, and saved credit card information, extending beyond the previously targeted Chrome browser.
- Enhanced persistence by creating LaunchDaemon entries and placing payload files covertly in user directories, disguised as legitimate system applications such as “System Settings.” The malware also disables macOS software updates and Rapid Security Response patches, prolonging the compromise.
- Use of advanced obfuscation methods like base64 and hexdump encoding to evade detection and hinder analysis.
- New persistence mechanisms operating through shell configuration files (zshrc) and manipulation of Dock items via signed tools, facilitating malware execution upon shell startup and interaction with the Dock.
Implications for Developers and Cryptocurrency Users
By infecting Xcode projects, attackers turn developers into unwitting distributors: the malware spreads to the broader audience of developers and end users who build or download the compromised applications. This vector is particularly insidious because a compromised development tool can plant backdoors that later stages of the malware use for data theft.
Cryptocurrency holders face heightened risks from clipboard hijacking, a tactic that intercepts wallet addresses copied to the clipboard and substitutes fraudulent ones — redirecting funds to attackers. Given the stealthy nature of this replacement, victims may remain unaware until funds are irreversibly lost.
Recommendations and Mitigation
Experts advise macOS users, especially developers, to carefully inspect Xcode projects and development environments for suspicious code or unexpected payloads. Avoid downloading or sharing Xcode projects from untrusted sources.
Users engaged in cryptocurrency transactions are advised to verify wallet addresses manually after pasting, to use hardware wallets or trusted apps, and to consider clipboard monitoring protection tools where available.
Finally, keeping macOS systems updated and vigilant against unauthorized LaunchDaemon entries or system modifications can help limit the malware’s persistence and damage.
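The persistence behaviours described above (LaunchDaemon entries whose program lives in a user directory under a system-app name, and zshrc hooks that decode or launch hidden payloads) are the kind of thing an administrator can audit with a short script. The following is an added example written for this page; it is not from Microsoft's report or the original article. Its detection heuristics, the directory layout, and the sample plist and zshrc contents are constructed assumptions for illustration, and the script runs against those constructed files rather than a live system.

```shell
#!/bin/sh
# Added example (not from the Microsoft report): audit LaunchDaemon plists
# and a zshrc file for the persistence patterns described in the article.
# Heuristics and sample files below are constructed for illustration.

# Print "SUSPECT plist=<file> exec=<path>" for every <string> value in a
# plist that points into a user or temporary directory, which is where the
# article says the disguised payloads are placed. Output is one line per hit.
audit_launch_plists() {
    dir="$1"
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # Extract every <string>...</string> value (Label, ProgramArguments, ...)
        sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' "$plist" |
        while IFS= read -r val; do
            case "$val" in
                /Users/*|/tmp/*|/private/tmp/*|/var/tmp/*)
                    printf 'SUSPECT plist=%s exec=%s\n' "$plist" "$val" ;;
            esac
        done
    done
}

# Print "SUSPECT zshrc line N: <line>" for shell-startup lines that decode
# base64/hex on the fly or run osascript against a file in a hidden directory.
# Comment lines are skipped; ordinary shell customisation is left alone.
audit_zshrc() {
    file="$1"
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            \#*) continue ;;
        esac
        if printf '%s\n' "$line" |
           grep -Eq 'base64[[:space:]]+(-d|-D|--decode)|xxd[[:space:]]+-r|osascript[[:space:]].*/\.'; then
            printf 'SUSPECT zshrc line %s: %s\n' "$n" "$line"
        fi
    done < "$file"
}

# Build a throwaway directory with one benign and one constructed suspicious
# plist plus a zshrc mixing normal lines with two constructed hooks.
# Prints the directory path so callers can audit and then remove it.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/LaunchDaemons"
    cat > "$root/LaunchDaemons/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/libexec/example-updater</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    # Constructed: system-sounding label, but the binary sits in a user directory.
    cat > "$root/LaunchDaemons/com.apple.systemsettings.agent.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.systemsettings.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/dev/Library/Application Support/System Settings.app/Contents/MacOS/System Settings</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    cat > "$root/zshrc" <<'EOF'
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
eval "$(starship init zsh)"
echo aG9zdG5hbWU= | base64 -d | sh
osascript "$HOME/.cache/.ss/main.scpt" >/dev/null 2>&1 &
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo: audit the constructed samples and clean up.
demo_root=$(make_samples)
audit_launch_plists "$demo_root/LaunchDaemons"
audit_zshrc "$demo_root/zshrc"
rm -rf "$demo_root"
```

On a real Mac the two audit functions would be pointed at /Library/LaunchDaemons and ~/.zshrc; the constructed samples exist only so the script runs offline. The heuristics are deliberately narrow (user or temp paths in a daemon, inline decoding, osascript against hidden files) so that ordinary shell customisation such as an `eval "$(... init zsh)"` line does not trigger them.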
Microsoft’s ongoing analysis underscores the adaptive evolution of XCSSET, illustrating the persistent threat that sophisticated macOS malware poses to developers and crypto users alike.