[BreachExchange] Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 23 11:57:15 EDT 2021


https://thehackernews.com/2021/07/nasty-macos-malware-xcsset-now-targets.html

Malware known for targeting the macOS operating system has been updated once
again with features that let it collect and exfiltrate sensitive data stored
in a variety of apps, including Google Chrome and Telegram, as part of further
"refinements in its tactics."

XCSSET was uncovered in August 2020, when it was found targeting Mac
developers through an unusual means of distribution: a malicious payload
injected into Xcode IDE projects so that it executes when the project is
built in Xcode.
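A build-time payload has to be wired into the project somewhere, and one obvious place is a Run Script build phase in project.pbxproj. The script below is an added example (this editor's own code, not from the article or from Trend Micro) that lists every PBXShellScriptBuildPhase in a project file and flags those whose script body contains indicators such as piping decoded data into a shell. The indicator list is a heuristic assumed here, not an XCSSET signature, and the sample project file is constructed for the example.

```python
"""Audit an Xcode project.pbxproj for suspicious Run Script build phases.

Added example (this editor's own code, not from the article or Trend Micro).
The article says XCSSET plants a payload in Xcode projects that runs when the
project is built; a PBXShellScriptBuildPhase is one place such a payload can
sit. The indicator list is a heuristic assumed here, not an XCSSET signature.
"""
import re
import sys

# Substrings that rarely belong in an honest build script.  Heuristic only.
SUSPICIOUS = (
    "curl ", "wget ", "base64 -D", "base64 --decode", "osascript",
    "eval ", "python -c", "perl -e", "| sh", "| bash", "chmod +x", "/tmp/",
)

# One PBXShellScriptBuildPhase object: "<24 hex id> /* name */ = { isa = ...; ... };"
# Such objects contain "(...)" lists but no nested "{", so the first "};" closes them.
_PHASE_RE = re.compile(
    r"([0-9A-F]{24}) /\* (.*?) \*/ = \{\s*isa = PBXShellScriptBuildPhase;(.*?)\};",
    re.DOTALL,
)
# The script body is a double-quoted old-style-plist string with backslash escapes.
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')


def _unescape(s):
    """Undo pbxproj string escapes (backslash-n, backslash-t, backslash-quote, double backslash)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def audit_pbxproj(text):
    """Return one finding per Run Script phase whose body contains an indicator."""
    findings = []
    for obj_id, name, body in _PHASE_RE.findall(text):
        m = _SCRIPT_RE.search(body)
        if not m:
            continue
        script = _unescape(m.group(1)).strip()
        hits = [s for s in SUSPICIOUS if s in script]
        if hits:
            findings.append({"id": obj_id, "name": name, "hits": hits, "script": script})
    return findings


# Constructed sample: one benign lint phase and one phase that decodes and pipes to sh.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
    objects = {
        A1B2C3D4E5F60718293A4B5C /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\"\n";
        };
        0F1E2D3C4B5A69788796A5B4 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "echo aGVsbG8= | base64 -D | sh\n";
        };
    };
}
'''

if __name__ == "__main__":
    # Usage: python audit_pbxproj.py path/to/project.pbxproj (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in audit_pbxproj(text):
        print(f"{f['id']} ({f['name']}): {', '.join(f['hits'])}\n    {f['script']}")
```

Run it over every project.pbxproj in a checkout (including those under Pods/ and in third-party sample projects) before building them; an unexpected phase is worth reading in full even when none of the indicators fire, since a payload can be staged in a resource file and only referenced from the script.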

The malware has numerous capabilities, such as reading and dumping Safari
cookies, injecting malicious JavaScript code into various websites, stealing
information from applications such as Notes, WeChat, Skype and Telegram, and
encrypting user files.

Earlier this April, XCSSET received an upgrade that let its authors target
macOS 11 Big Sur and Macs built on the M1 chip by circumventing new security
policies Apple introduced in the latest operating system.

"The malware downloads its own open tool from its C2 server that comes
pre-signed with an ad-hoc signature, whereas if it were on macOS versions
10.15 and lower, it would still use the system's built-in open command to
run the apps," Trend Micro researchers previously noted.

Now, according to a new write-up published by the cybersecurity firm on
Thursday, XCSSET runs a malicious AppleScript file that compresses the folder
containing Telegram's data ("~/Library/Group
Containers/6N38VWS5BX.ru.keepcoder.Telegram") into a ZIP archive and uploads
it to a remote server under the attackers' control. Because that folder holds
the session data, whoever restores it can log in as the victim.

With Google Chrome, the malware attempts to steal passwords saved in the
browser. Chrome encrypts them with a master key (the "safe storage key")
that it keeps in the user's Keychain, so XCSSET tricks the user into granting
root privileges via a fraudulent dialog box, abuses the elevated permissions
to run a shell command that retrieves the master key from the Keychain, and
then decrypts the stored passwords and transmits them to the server.

Aside from Chrome and Telegram, XCSSET can also plunder data from a variety
of apps, including Evernote, Opera, Skype, WeChat and Apple's own Contacts and
Notes, by reading it from their respective sandbox directories.
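Both theft steps above leave a process-execution trail: an archiver pointed at Telegram's group container, and the `security` command-line tool asked for Chrome's key (Chrome stores it in the login keychain as the "Chrome Safe Storage" item, which `security find-generic-password -wa Chrome` prints). The script below is an added example (this editor's own code, not from the article or from Trend Micro) that runs those two rules over a JSON Lines feed of process-start events. The field names (ts, pid, ppid, user, exe, argv, parent_exe) are assumed for the example and match no vendor's schema; the sample events are constructed, and the assumption that Chrome never spawns /usr/bin/security for its own key is this editor's, not the article's.

```python
"""Flag the Telegram and Chrome data-theft steps the article describes in
process-execution telemetry.

Added example (this editor's own code, not from the article or Trend Micro).
Input is JSON Lines, one process-start event per line, with fields assumed
here (ts, pid, ppid, user, exe, argv, parent_exe); no vendor's schema is
implied.  The sample events at the bottom are constructed for this example.
"""
import json
import sys

# Path fragment taken from the article: Telegram's group container.
TELEGRAM_CONTAINER = "Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"
ARCHIVERS = {"zip", "ditto", "tar", "hdiutil"}
# Chrome keeps its password-encryption key in the login keychain as the
# "Chrome Safe Storage" item (account "Chrome").  Assumption for this rule:
# Chrome reads it in-process through the Security framework, so a spawned
# /usr/bin/security asking for it belongs to something else.


def _basename(path):
    return path.rsplit("/", 1)[-1]


def check_event(ev):
    """Return a finding dict for one event, or None if no rule matches."""
    exe = _basename(ev.get("exe", ""))
    argv = ev.get("argv", [])
    base = {"pid": ev.get("pid"), "user": ev.get("user"),
            "parent": ev.get("parent_exe", ""), "argv": argv}
    # Rule 1: an archiver pointed at Telegram's group container (the
    # compress-then-upload step from the article).
    if exe in ARCHIVERS and any(TELEGRAM_CONTAINER in a for a in argv):
        return dict(base, rule="telegram_container_archived")
    # Rule 2: Chrome's safe storage key pulled from the Keychain with the CLI.
    if (exe == "security" and "find-generic-password" in argv
            and any("Chrome" in a for a in argv)):
        return dict(base, rule="chrome_safe_storage_key_read")
    return None


def scan_jsonl(text):
    """Run every rule over a JSON Lines feed; blank or malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        f = check_event(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample feed: Telegram starting, two attacker-style commands
# spawned by osascript, and two benign commands from a user shell.
SAMPLE_JSONL = """\
{"ts": "2021-07-22T10:01:03Z", "pid": 412, "ppid": 1, "user": "dev", "exe": "/Applications/Telegram.app/Contents/MacOS/Telegram", "argv": ["/Applications/Telegram.app/Contents/MacOS/Telegram"], "parent_exe": "/sbin/launchd"}
{"ts": "2021-07-22T10:04:17Z", "pid": 5120, "ppid": 5100, "user": "dev", "exe": "/usr/bin/zip", "argv": ["zip", "-r", "/tmp/tg.zip", "/Users/dev/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"], "parent_exe": "/usr/bin/osascript"}
{"ts": "2021-07-22T10:04:20Z", "pid": 5131, "ppid": 5100, "user": "root", "exe": "/usr/bin/security", "argv": ["security", "find-generic-password", "-wa", "Chrome"], "parent_exe": "/usr/bin/osascript"}
{"ts": "2021-07-22T10:09:41Z", "pid": 6100, "ppid": 6080, "user": "dev", "exe": "/usr/bin/zip", "argv": ["zip", "-r", "/Users/dev/backup.zip", "/Users/dev/Documents"], "parent_exe": "/bin/zsh"}
{"ts": "2021-07-22T10:10:02Z", "pid": 6111, "ppid": 6080, "user": "dev", "exe": "/usr/bin/security", "argv": ["security", "list-keychains"], "parent_exe": "/bin/zsh"}
"""

if __name__ == "__main__":
    # Usage: python xcsset_rules.py events.jsonl (defaults to the sample feed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSONL
    for f in scan_jsonl(text):
        print(f"{f['rule']}: pid={f['pid']} user={f['user']} parent={f['parent']}")
```

Rule 1 does not care who the parent is, since no legitimate workflow archives Telegram's container from the command line; the parent is kept in the finding because an osascript or xcodebuild ancestor is what ties the event back to the Xcode-project delivery chain. Rule 2 will also fire on an administrator running the command by hand, which is the right trade-off for an event this rare.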

"The discovery of how it can steal information from various apps highlights
the degree to which the malware aggressively attempts to steal various
kinds of information from affected systems," the researchers said.