Microsoft Threat Intelligence reports that a new variant of the XCSSET macOS malware has been detected in limited attacks, incorporating several new features, including enhanced browser targeting, clipboard hijacking, and improved persistence mechanisms.

XCSSET is a modular macOS malware that acts as an infostealer and cryptocurrency stealer, stealing Notes, cryptocurrency wallets, and browser data from infected devices. The malware spreads by searching for and infecting other Xcode projects found on the device, so that the malware is executed when the project is built.

“The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built,” explains Microsoft.

“We assess that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications.”

In a new variant observed by Microsoft, researchers have noted several changes.

It now attempts to steal Firefox browser data by installing a modified build of the open-source HackBrowserData tool, which is used to decrypt and export browser data from browser data stores.

The new variant also includes a clipboard-hijacking component update that monitors the macOS clipboard for regular expression patterns associated with cryptocurrency addresses.

When a crypto address is detected, it will replace the address with one belonging to the attacker. This causes any cryptocurrency sent by the user on an infected device to be sent to the attackers instead.

The malware also includes new persistence methods, such as creating LaunchDaemon entries that execute a ~/.root payload and create a fake System Settings.app in /tmp to masquerade its activity.

The new variant is not yet widespread, and Microsoft reports that it has only observed it in limited attacks. The researchers have also shared their findings with Apple and are working with GitHub to remove associated repositories.

To protect against this type of malware, it is recommended to keep macOS and apps up to date, especially considering XCSSET has previously exploited vulnerabilities, including zero-days.

Microsoft also recommends that developers always inspect Xcode projects before building them, especially when they have been shared with you by others.