XCSSET, a MacOS malware, Targets Google Chrome and Telegram Software

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

As part of further “refinements in its tactics,” a malware notorious for targeting the macOS operating system has been updated to add more elements to its toolset that allow it to accumulate and exfiltrate sensitive data saved in a range of programmes, including apps like Google Chrome and Telegram. This macOS malware can collect login credentials from a variety of apps, allowing its operators to steal accounts. 

XCSSET was discovered in August 2020, when it was found to be targeting Mac developers using an unusual method of propagation that entailed injecting a malicious payload into Xcode IDE projects, which is executed when the project files are built in Xcode. XCSSET collects files containing sensitive information from infected computers and delivers them to the command and control (C2) server. 

Telegram, an instant messaging service, is one of the apps that has been attacked. The virus produces the “telegram.applescript” archive in the Group Containers directory for the “keepcoder.Telegram” folder. By obtaining the Telegram folder, the hackers are able to log into the messaging app as the account’s legal owner. The attackers gain access to the victim’s account by moving the stolen folder to another machine with Telegram installed, according to Trend Micro researchers. Normal users have read and write permissions to the Application sandbox directory, XCSSET can steal sensitive data this way.