Cybercrime , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

XCSSET Malware Can Adapt to Target More Macs

Trend Micro Describes the Evolving Threat
XCSSET Malware Can Adapt to Target More Macs

The XCSSET malware campaign can now adapt to target a wider variety of Macs, including those with the M1 chip, according to Trend Micro researchers.

See Also: Malware Analysis Spotlight: Why Your EDR Let Pikabot Jump Through

XCSSET was uncovered in August 2020, when it was exploiting two zero-day vulnerabilities and injecting malicious code into Xcode projects built on users’ devices, Trend Micro reports. Xcode is Apple's integrated development environment for macOS.

Now, XCSSET adapts itself to work on both ARM64 and x86_x64 Macs and can steal information from the user’s Evernote, Notes, Skype, Telegram and WeChat apps, the security firm reports. The malware enables attackers to take screenshots, upload files from the affected devices, encrypt files and display a ransom note if commanded by the server. It can inject malicious JavaScript, and it uses Safari and other installed browsers to steal user data.

In March, researchers at Kaspersky found that XCSSET could run on Macs with the new M1 chip. Further analysis by Trend Micro on the binary files downloaded from the command-and-control server found that nearly all of them contained both x86_x64 and ARM64 architectures.

"Besides adding support for the M1 chip, XCSSET malware has taken other actions to fit macOS 11 Big Sur as well," Trend Micro researchers note. "The malware's latest modules, such as the new icons.php module, introduces changes to the icons to fit their victim's OS."

Imitation apps for Big Sur are also created from malicious AppleScript files, researchers found. The icon files are downloaded from a command-and-control server, and then their info.plist files are modified so that the fake app's icon is disguised to appear like that of the legitimate app. Unsuspecting users download the malicious malware file that appears to be the legitimate app.

Circumventing Security Policies

Trend Micro researchers who analyzed the source code for the updated XCSSET malware found it can circumvent macOS 11's new security policies.

"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," the researchers note.

Unlike the previous version of XCSSET, the latest version now tries to steal confidential data from sites such as, Huobi,,, Envato and, TrendMcro says.

For cryptocurrency trading platform Huobi, the malware not only steals account information but also is able to replace the address in a user’s cryptocurrency wallet, the researchers note.

Leveraging Safari

Trend Micro reported earlier that XCSSET malware leverages the development version of Safari to load malicious Safari frameworks and related JavaScript backdoors from its command-and-control server.

"It hosts Safari update packages in the C2 server, then downloads and installs packages for the user’s OS version. To adapt to the newly released Big Sur, new packages for Safari 14 were added. As we have observed in Safari remote.applescript, it downloads a corresponding Safari package according to the user’s current browser and OS versions," researchers note.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.