A new version of the malware known as XCSSET has been detected by researchers, which added new features that allow it to secretly collect and exfiltrate sensitive data from various apps, among them Google Chrome and Telegram. In addition, Trend Micro researchers spotted further “refinements in its tactics.”
XCSSET first appeared in August 2020 when it targeted Mac developers by secretly injecting a malicious payload into their Xcode IDE projects.
In April, the malware authors of XCSSET upgraded their tool once more and exploited macOS 11, and targeted users with new M1 chips.
“The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system’s built-in open command to run the apps,” Trend Micro researchers noted at the time.
In a new analysis, researchers said they have discovered that XCSSET uses a malicious AppleScript file to compress the contents of a folder containing Telegram data and upload it to a remote server. This method allowed the threat actor to log in to the victim’s Telegram accounts.
When targeting Google Chrome, the malware tries to steal passwords stored in the browser. Then encrypts them with a master key from the iCloud Keychain after tricking the user into granting root permissions with a fraudulent dialog box. Passwords are then exfiltrated.
Besides Chrome and Telegram, XCSSET can also be used to steal information from other apps – Evernote, Opera, Skype, WeChat, and Apple’s Contacts and Notes – by extracting their sandbox directories.