Security researchers have released details about the method used by a strain of macOS malware to steal login information from multiple applications, allowing its operators to hijack the victims' accounts.
Dubbed XCSSET, the malware continues to evolve and has targeted macOS developers for over a year by infecting local Xcode projects.
Steal Telegram accounts, Chrome passwords
XCSSET collects files with confidential information belonging to certain applications from infected computers and sends them to the command and control server (C2).
One of the targeted applications is the Telegram instant messaging software. The malware's "telegram.applescript" script collects the "keepcoder.Telegram" folder from the Group Containers directory.
The collection of the Telegram folder allows hackers to log into the messaging app as the rightful owner of the account.
Researchers at Trend Micro explain that copying the stolen folder to another machine with Telegram installed gives the attackers access to the victim's account.
XCSSET can steal confidential data in this way because a normal user account has read and write access to the application's sandbox directory, so no elevated privileges are needed to copy it.
The researchers also looked at the method used to steal passwords saved in Google Chrome, a technique that requires user interaction and has been described since at least 2016.
The threat actor must obtain the secure storage key, which is stored on the user’s keychain as “Chrome Secure Storage”.
To obtain that key, the malware displays a fake dialog that tricks the user into granting admin privileges to the attacker's operations; with the secure storage key, the passwords stored in Chrome can be decrypted.
Once decrypted, all data is sent to the attacker’s command and control server. There are similar scripts in XCSSET to steal confidential data from other applications: Contacts, Evernote, Notes, Opera, Skype, WeChat.
Trend Micro researchers say that the latest version of XCSSET they analyzed also has an updated list of C2 servers and a new “canary” module for cross-site scripting (XSS) injections in the experimental Chrome Canary web browser.
While the recent updates to the malware add no significant features, they show that XCSSET is continually evolving and adapting.
XCSSET targets the latest version of macOS (currently Big Sur) and has in the past been seen exploiting a zero-day vulnerability to bypass the Full Disk Access protections and avoid asking for explicit user consent.