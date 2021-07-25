



XCSSET macOS malware is evolving and can now steal login information from multiple apps such as Telegram and Google Chrome.

Trend Micro security researchers continue to monitor the evolution of the XCSSET macOS malware, and new variants can steal login information from multiple apps such as Telegram and Google Chrome and send it to the C2 server.

To target Telegram, the malware runs a script, telegram.applescript, that archives the keepcoder.Telegram folder located in the Group Containers directory (~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram).

The attacker could then copy the stolen folder to another machine where Telegram is installed and act on behalf of the legitimate owner of the account.

Experts have pointed out that XCSSET can use this technique to steal sensitive data because a normal user's processes can access the application sandbox directory with read/write permissions.

“On macOS, the application sandbox directories ~/Library/Containers/com.xxx.xxx and ~/Library/Group Containers/com.xxx.xxx can be accessed by general users (with READ/WRITE permission). This is not the convention on iOS. Not all executables are sandboxed on macOS, which means that a simple script can steal all the data stored in the sandbox directory,” reads the analysis published by Trend Micro. “Application developers are advised not to store sensitive data, especially data related to login information, in the sandbox directory.”

Trend Micro also details the technique XCSSET uses to steal passwords from Google Chrome, which relies on the safe_storage_key held in the Chrome Safe Storage Keychain item.

XCSSET runs the command security find-generic-password -wa Chrome, which requires root privileges, to obtain the safe_storage_key. The malware combines all operations that require root privileges into a single function.

“Users are prompted to grant these privileges through a fake dialog box. Once they get the Chrome safe_storage_key, they decrypt all sensitive data and upload it to the C&C server.”

Once the safe storage key is obtained, the malware can decrypt the data and send it to the C2 server. Malicious code can use similar scripts to target the following applications:

Contacts, Evernote, Notes, Opera, Skype, WeChat
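The two behaviours described above (the Keychain query for Chrome's safe storage key and the archiving of Telegram's Group Containers folder) are both visible in process-execution telemetry. As an added example that is not from the article or from Trend Micro's report, here is a small Python detection routine run over constructed sample records; the log format, sample lines and rule names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed process-execution records (pid, parent process, command line),
# tab-separated. Illustrative only, not real telemetry from the XCSSET campaign.
SAMPLE_LOG = """\
412\tosascript\tsecurity find-generic-password -wa Chrome
413\tosascript\tzip -r /tmp/t.zip /Users/alice/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram
520\tTerminal\tsecurity find-generic-password -wa github.com
777\tFinder\tditto -c -k /Users/alice/Documents/notes /tmp/notes.zip
"""

# Script interpreters of the kind XCSSET is described as using; hits spawned
# by one of these are rated higher (assumed list).
SCRIPT_PARENTS = {"osascript"}

@dataclass
class Alert:
    pid: int
    parent: str
    rule: str
    severity: str

def reads_chrome_safe_storage(cmd: str) -> bool:
    """True for a `security find-generic-password` call that prints (-w) the Chrome item."""
    if not re.search(r"\bsecurity\s+find-generic-password\b", cmd):
        return False
    prints_secret = re.search(r"\s-[A-Za-z]*w[A-Za-z]*\b", cmd) is not None
    return prints_secret and re.search(r"\bChrome\b", cmd) is not None

def archives_telegram_container(cmd: str) -> bool:
    """True for an archiver pointed at Telegram's Group Containers sandbox directory."""
    archiver = re.match(r"\s*(zip|tar|ditto)\b", cmd) is not None
    target = re.search(r"Group Containers/[A-Z0-9]+\.ru\.keepcoder\.Telegram\b", cmd)
    return archiver and target is not None

def scan(log: str) -> list[Alert]:
    alerts = []
    for line in log.splitlines():
        pid, parent, cmd = line.split("\t", 2)
        rule = None
        if reads_chrome_safe_storage(cmd):
            rule = "chrome-safe-storage-key-read"
        elif archives_telegram_container(cmd):
            rule = "telegram-group-container-archive"
        if rule:
            severity = "high" if parent in SCRIPT_PARENTS else "medium"
            alerts.append(Alert(int(pid), parent, rule, severity))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A legitimate Keychain lookup for another service (line 520) and an ordinary archive of a user folder (line 777) produce no alert, so the rules key on the specific item and directory rather than on the tools themselves.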

Trend Micro has also observed new domain names used in the attack. The malware also uses a new module, canary, which performs XSS injection in Google’s Chrome Canary browser, the experimental release channel of Chrome.

“The changes that occur in XCSSET do not reflect fundamental changes in its behavior, but they do constitute a tactical improvement. The discovery of ways to steal information from various apps on a system affected by the malware highlights the degree to which various types of information are actively stolen,” concludes the report.

Pierluigi Paganini

(SecurityAffairs hack, XCSSET malware)

