The malware is capable of reading Safari cookies and stealing passwords from a variety of applications

Jul 26, 2021 15:57 GMT  ·  By

As part of a further round of tactical enhancements, a malware strain known to target macOS has been updated once again with features that let it gather and exfiltrate sensitive information saved by different applications, including Telegram and Chrome, according to The Hacker News.

XCSSET was discovered in August 2020, when a malicious payload was found being fed into Xcode IDE projects and executed at the same time as the project files were being built in Xcode. The payload targeted Mac developers who were using an odd distribution. What is known is that it performs a broad variety of activities, including reading and dumping Safari cookies, injecting malicious JavaScript into other web pages, and stealing information from apps such as Telegram, Skype, Notes, WeChat, and more.

A subsequent XCSSET upgrade aimed at Apple's macOS 11 Big Sur and Macs with M1 chipsets gave the malware developers a way to bypass the most recent operating system security protections. The malware ships its own open tool, pre-signed with an ad hoc signature and fetched from its C2 server, while on macOS versions 10.15 and below it still uses the built-in open command.

XCSSET can gather information from popular apps such as Skype, WeChat, Evernote, and Opera

Using the updated functionality, XCSSET was found to execute a malicious AppleScript file that compresses the Telegram data folder ("~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram") into a ZIP archive before uploading it to a remote server; the threat actor can then connect to that server and log in using the hacked account.

In Chrome, the malware attempts to steal passwords stored by the browser by exploiting an unauthorized shell to obtain the Secure Storage Key from the iCloud keychain. Yes, even the passwords that are encrypted with a master password. In addition to Chrome and Telegram, XCSSET can also extract important information from a number of apps, including WeChat, Opera, Evernote, Skype, and the Notes and Contacts apps from Apple's own sandboxed directory.
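The two behaviours described above (archiving the Telegram group container and an unexpected process reading Chrome's keychain key) are the kind of thing an endpoint detection rule can key on. The following is an added example written for this page, not code from the article or from any of the products it mentions: it runs two simple rules over a handful of constructed, simplified process and keychain events. The event format, the `ARCHIVERS` list and the `LEGIT_KEYCHAIN_READERS` allow-list are assumptions for illustration; the Telegram container path is the one quoted in the article, and "Chrome Safe Storage" is the label Chrome uses for its keychain item.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Telegram's group container path as quoted in the article (relative to the
# user's home directory), and the keychain label Chrome uses for its
# storage key. The rest of this module is a constructed illustration.
TELEGRAM_CONTAINER = "/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"
CHROME_KEYCHAIN_LABEL = "Chrome Safe Storage"

# Assumed tool names a macOS archiver would appear under in exec events.
ARCHIVERS = {"zip", "ditto", "tar"}
# Assumed allow-list: the only process that should read Chrome's keychain key.
LEGIT_KEYCHAIN_READERS = {"Google Chrome"}


@dataclass
class Finding:
    rule: str
    pid: int
    process: str
    detail: str


def check_event(ev: dict) -> Optional[Finding]:
    """Apply both rules to one simplified event; return a Finding or None."""
    etype = ev.get("type")
    proc = ev.get("process", "")
    pid = int(ev.get("pid", -1))

    # Rule 1: an archiver whose arguments reference the Telegram container.
    if etype == "exec" and proc in ARCHIVERS:
        argv = ev.get("argv", [])
        if any(TELEGRAM_CONTAINER in a for a in argv):
            return Finding("telegram_container_archived", pid, proc, " ".join(argv))

    # Rule 2: a process other than Chrome reading Chrome's keychain item.
    if etype == "keychain_access":
        item = ev.get("item", "")
        if CHROME_KEYCHAIN_LABEL in item and proc not in LEGIT_KEYCHAIN_READERS:
            return Finding("chrome_safe_storage_read", pid, proc, item)

    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines events and collect every finding, skipping bad lines."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the scan
        f = check_event(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events (not real telemetry): one benign Chrome keychain
# read, one benign Finder file open, then the two behaviours the article describes.
SAMPLE_EVENTS = [
    '{"type":"keychain_access","pid":501,"process":"Google Chrome","item":"Chrome Safe Storage"}',
    '{"type":"file_open","pid":502,"process":"Finder","path":"/Users/dev/Documents/notes.txt"}',
    '{"type":"exec","pid":777,"process":"zip","argv":["zip","-r","/tmp/tg.zip",'
    '"/Users/dev/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"]}',
    '{"type":"keychain_access","pid":778,"process":"osascript","item":"Chrome Safe Storage"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} process={f.process}: {f.detail}")
```

On a real system the events would come from an EDR or Endpoint Security framework feed rather than a hard-coded list; the point of the allow-list in rule 2 is that the keychain item itself is legitimately read by Chrome, so the signal is the reading process, not the access.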