29th July 2021, Kathmandu
A malware kenned for targeting macOS OS has been updated once more to integrate more features to its toolset that sanctions it to amass and exfiltrate sensitive data stored during a sort of apps, including apps like Google Chrome and Telegram, as a component of further “refinements in its tactics.”
XCSSET was unearthed in August 2020, when it had been found targeting Mac developers utilizing an unwonted denotes of distribution that involved injecting a maleficent payload into Xcode IDE projects that’s executed at the time of building project files in Xcode.
The malware comes with numerous capabilities, like reading and dumping Safari cookies, injecting maleficent JavaScript code into sundry websites, purloining information from applications, like Notes, WeChat, Skype, Telegram, and encrypting utilizer files.
Earlier this April, XCSSET received an upgrade that enabled the malware authors to focus on macOS 11 immensely colossal Sur also as Macs running on M1 chipsets by circumventing incipient security policies instituted by Apple within the latest OS.
“The malware downloads its own open implement from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it might still utilize the system’s built-in open command to run the apps,” Trend Micro researchers antecedently noted.
Now consistent with an incipient indite-up published by the cybersecurity firm on Thursday, it’s been discovered that XCSSET runs a maleficent AppleScript file to compress the folder containing Telegram data (“~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram”) into a zipped archive file, afore uploading it to a foreign server under their control, thus enabling the threat actor to authenticate utilizing the victim accounts.
With Google Chrome, the malware endeavors to purloin passwords stored within the browser — which are successively encrypted utilizing a master password called “safe storage key” — by chicaning the utilizer into granting root privileges via a fraudulent panel, abusing the ascended sanctions to run an unauthorized shell command to retrieve the passkey from the iCloud Keychain, following which the contents are decrypted and transmitted to the server.
Aside from Chrome and Telegram, XCSSET withal has the capacity to plunder valuable information from a spread of apps like Evernote, Opera, Skype, WeChat, and Apple’s own Contacts and Notes apps by retrieving verbally expressed data from their respective sandbox directories.
“The revelation of how it can glom information from sundry apps highlights the degree to which the malware aggressively endeavors to glom sundry sorts of information from affected systems,” the researchers verbalized.
