The now-infamous macOS malware XCSSET has evolved further to steal account logins from a range of apps, including Telegram and Chrome, as the attackers aim to take over victims' accounts.
macOS Malware Steals Account Logins
Researchers from TrendMicro have recently shared details of the latest XCSSET variant in a blog post.
Specifically, the researchers observed that in the latest campaign the malware steals account data from Telegram and several other apps.
In brief, the new variant scans the infected Mac for specific folders that may hold sensitive data such as session files and saved passwords.
For instance, to target Telegram it looks for the “~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram” folder. Using the malicious AppleScript file “telegram.applescript”, it packs this folder into a .zip archive and uploads it to its C&C server. Since Telegram keeps the logged-in session data in that sandboxed folder, the attackers can reuse it to log in as the victim.
Likewise, the malware aims to steal passwords saved in the Chrome browser. Chrome encrypts these with a key (the safe_storage_key) stored in the user's keychain, so the malware needs the user's password to read it; it obtains this by tricking the user with a fake dialog box that asks for administrator privileges. It then runs the command security find-generic-password -wa 'Chrome' to retrieve the safe_storage_key, uses it to decrypt the saved passwords, and transmits the data to its C&C server.
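The two behaviours described above, reading the Chrome safe_storage_key with the security command and zipping the Telegram group container, are visible in process telemetry. The following is an added detection example, not code from the article or from TrendMicro. It runs two rules over constructed sample events; the event schema (pid, exe, args, and a list of ancestor executables from the immediate parent outward) is an assumption made for this example and will differ from real EDR or macOS Endpoint Security output.

```python
import json

# Indicators taken from the article above; everything else is assumed.
TELEGRAM_CONTAINER = "Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"
ARCHIVERS = {"/usr/bin/zip", "/usr/bin/ditto", "/usr/bin/tar"}
SCRIPT_HOSTS = {"/usr/bin/osascript"}

# Constructed sample telemetry (one JSON object per line, schema assumed):
# 501/502 mimic XCSSET, 503/504 are an analyst working in Terminal,
# 505 is a harmless security(1) invocation from a script.
SAMPLE_EVENTS = """\
{"pid": 501, "exe": "/usr/bin/security", "args": ["find-generic-password", "-wa", "Chrome"], "ancestors": ["/bin/sh", "/usr/bin/osascript"]}
{"pid": 502, "exe": "/usr/bin/zip", "args": ["-r", "/tmp/telegram.zip", "/Users/alice/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"], "ancestors": ["/bin/sh", "/usr/bin/osascript"]}
{"pid": 503, "exe": "/usr/bin/security", "args": ["find-generic-password", "-wa", "Chrome"], "ancestors": ["/bin/zsh", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"]}
{"pid": 504, "exe": "/usr/bin/zip", "args": ["-r", "/tmp/notes.zip", "/Users/alice/Documents/notes"], "ancestors": ["/bin/zsh", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"]}
{"pid": 505, "exe": "/usr/bin/security", "args": ["list-keychains"], "ancestors": ["/bin/sh", "/usr/bin/osascript"]}
"""


def reads_chrome_safe_storage_key(ev):
    """security find-generic-password with -w (print the secret) on the Chrome
    keychain item. Flagged only when an AppleScript host is in the ancestry:
    XCSSET runs the command via AppleScript's `do shell script`, which spawns
    /bin/sh under osascript, whereas an analyst typing the same command in
    Terminal has no osascript above it."""
    if ev["exe"] != "/usr/bin/security" or "find-generic-password" not in ev["args"]:
        return False
    prints_secret = any(a.startswith("-") and not a.startswith("--") and "w" in a[1:]
                        for a in ev["args"])
    names_chrome = any("chrome" in a.lower() for a in ev["args"])
    scripted = bool(SCRIPT_HOSTS.intersection(ev["ancestors"]))
    return prints_secret and names_chrome and scripted


def archives_telegram_container(ev):
    """Any archiver run against the Telegram group container, whatever the
    ancestry: the folder holds the session data XCSSET zips for exfiltration,
    and ordinary software has little reason to archive it."""
    return ev["exe"] in ARCHIVERS and any(TELEGRAM_CONTAINER in a for a in ev["args"])


RULES = [
    ("chrome-safe-storage-key-read", reads_chrome_safe_storage_key),
    ("telegram-container-archived", archives_telegram_container),
]


def scan(events_text):
    """Return (pid, rule name) pairs for every event that matches a rule."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append((ev["pid"], name))
    return findings


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The ancestry check is the part worth tuning: it deliberately ignores the Terminal-driven command (pid 503), which is how an analyst would verify the keychain item by hand, and it would miss a variant that launches the command from something other than osascript. Dropping the ancestry condition trades that blind spot for noise.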
The malware also targets data belonging to Evernote, Notes, Contacts, Opera, WeChat, and Skype.
For its C&C infrastructure, the campaign used numerous domains, all of them pointing to an IP address previously used by XCSSET.
However, according to the researchers, after going up and down several times, the recently spotted XCSSET servers have now gone offline.
Stay Wary Of XCSSET Malware
To avoid infection by this and other malware, TrendMicro advises downloading apps from official app stores only. They also recommend “multilayered security solutions”, such as robust antimalware with cross-platform support. Since XCSSET spreads by injecting itself into Xcode projects, developers should also be wary of third-party projects they build.
XCSSET has been in the news lately owing to its recurring activity against Apple devices. In May 2021, Apple fixed zero-days in macOS, including a TCC (privacy-permissions) bypass that XCSSET was exploiting in the wild.