An updated variant of the sophisticated XCSSET malware targeting macOS is raising alarms after Microsoft issued a warning regarding its clipboard monitoring capabilities, specifically aimed at hijacking cryptocurrency transactions.
XCSSET was first identified in the wild about five years ago and primarily spreads through malicious Xcode projects, abusing Xcode, Apple’s integrated development environment for macOS development. Initially crafted to steal sensitive information from chat applications and files, inject malicious code into websites, and deliver ransom notes, the malware has undergone numerous updates to enhance its functionality.
The latest iteration introduces an additional persistence mechanism, modifies its browser targeting strategies, and augments its clipboard hijacking features. This latest version operates through a complex four-stage infection chain. Notably, modifications to its boot function now include supplementary checks specifically targeting the Firefox browser and a refined verification process for the Telegram app.
During the final stage of its infection process, the malware retrieves a compiled AppleScript designed to handle functions related to data validation, encryption, and decryption. Furthermore, it gathers additional data from its command-and-control (C&C) server. A key feature of this script is its clipboard monitoring capability, which enables the malware to identify cryptocurrency wallet addresses and substitute them with those controlled by the attackers.
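The clipboard hijack described above has a simple defender-side counterpart: remember what the user actually copied and alert when the clipboard later holds a different wallet address, especially one of the same family (a swap that still "looks right" to the victim). The following is an added example written for this page, not code from the article, from Microsoft, or from the malware; the address patterns are format-only regular expressions, the ClipboardGuard class and its method names are this example's own, and the wallet addresses in the test are constructed placeholders.

```python
"""Defensive clipboard-swap detector (added example, not from the article).

Tracks the last value the user deliberately copied and compares it with the
live clipboard contents; a wallet-shaped value that differs from the copied
one is reported, with a flag showing whether it is the same address family
(the typical signature of a clipper substituting its own address).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Format-only patterns (no checksum validation) for common address families.
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family of `text`, or None if it is not wallet-shaped."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


@dataclass
class SwapAlert:
    copied_family: str
    found_family: str
    copied: str
    found: str

    @property
    def same_family(self) -> bool:
        # A hijacker substitutes a same-family address so the paste still looks plausible.
        return self.copied_family == self.found_family


class ClipboardGuard:
    """Remembers the user's own copy action and checks the clipboard against it."""

    def __init__(self) -> None:
        self._last_copied: Optional[str] = None

    def on_user_copy(self, text: str) -> None:
        # In a real monitor this would be driven by the user's copy shortcut;
        # here the example calls it directly with the copied text.
        self._last_copied = text.strip()

    def check(self, current_clipboard: str) -> Optional[SwapAlert]:
        """Return a SwapAlert when the clipboard holds a wallet address other than the one copied."""
        if self._last_copied is None:
            return None
        copied_family = classify_address(self._last_copied)
        current = current_clipboard.strip()
        current_family = classify_address(current)
        if copied_family is None or current_family is None:
            return None  # not wallet addresses on either side; nothing to compare
        if current == self._last_copied:
            return None  # unchanged
        return SwapAlert(copied_family, current_family, self._last_copied, current)


if __name__ == "__main__":
    # Constructed demonstration values (not real wallets).
    guard = ClipboardGuard()
    guard.on_user_copy("0x1111111111111111111111111111111111111111")
    alert = guard.check("0x2222222222222222222222222222222222222222")
    if alert:
        print(f"clipboard swap: {alert.copied} -> {alert.found} (same family: {alert.same_family})")
```

On a live system the `check` call would run on every clipboard change event; the comparison logic is deliberately kept free of any platform API so it can be unit-tested as shown here.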
In addition to these capabilities, XCSSET has been observed downloading a secondary script from the C&C server with file exfiltration functionality. The malware establishes persistence by creating a file within the user’s home directory to store the payload, and it modifies system settings to disable important macOS security updates and the Rapid Security Response mechanism.
Moreover, the new variant creates a counterfeit system settings application, which executes functions that wait for users to launch the legitimate System Settings app before activating the impostor, thereby masquerading as a trustworthy application.
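Two of the host changes described in the preceding paragraphs are straightforward to audit: the weakened software-update settings and the presence of an application bundle that borrows the System Settings name outside Apple's own location. The script below is an added example for this page, not code from the article or from Microsoft. It assumes the update settings are read from the `com.apple.SoftwareUpdate` preference domain with `defaults read` (the article does not list the exact keys the malware touches; the key names used here are Apple's documented SoftwareUpdate preference keys, and the mapping of the two "Install Security Responses and system files" keys to Rapid Security Responses is this example's reading of that toggle). The `defaults` output and the bundle paths are constructed so the checks run offline.

```python
"""Audit macOS update settings and look for a System Settings impostor (added example).

Parses the text printed by `defaults read /Library/Preferences/com.apple.SoftwareUpdate`
and reports keys that have been switched off; separately flags any bundle named
like the legitimate System Settings app that lives somewhere other than Apple's path.
"""
import re
import subprocess
from pathlib import PurePosixPath
from typing import Dict, List

# Apple's SoftwareUpdate preference keys that should read 1 on a hardened Mac.
# Assumption: the two "Install Security Responses and system files" keys are the
# ones that govern Rapid Security Responses.
EXPECTED_ENABLED = {
    "AutomaticCheckEnabled": "automatic update checks",
    "AutomaticDownload": "automatic download of updates",
    "AutomaticallyInstallMacOSUpdates": "automatic installation of macOS updates",
    "ConfigDataInstall": "system data files and security responses",
    "CriticalUpdateInstall": "critical security updates and security responses",
}

LEGITIMATE_SETTINGS_APP = "/System/Applications/System Settings.app"

# Constructed sample of `defaults read` output from a host whose updates were turned off.
SAMPLE_DEFAULTS_OUTPUT = """{
    AutomaticCheckEnabled = 0;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 0;
    ConfigDataInstall = 0;
    CriticalUpdateInstall = 0;
    LastFullSuccessfulDate = "2024-01-01 00:00:00 +0000";
}"""

# Constructed list of bundle paths as a scanner might collect them.
SAMPLE_BUNDLE_PATHS = [
    "/System/Applications/System Settings.app",
    "/Users/alice/Library/Application Support/System Settings.app",
    "/Applications/Safari.app",
]

# One `key = value;` line of `defaults read` output (keys may be quoted).
_KV = re.compile(r'^\s*"?([A-Za-z0-9_]+)"?\s*=\s*(.+?);\s*$', re.MULTILINE)


def parse_defaults(text: str) -> Dict[str, str]:
    """Flatten the `{ key = value; ... }` dump into a dict of strings (quotes stripped)."""
    return {key: value.strip().strip('"') for key, value in _KV.findall(text)}


def audit_update_settings(text: str) -> List[str]:
    """Return one finding per update key that is explicitly disabled (value other than 1)."""
    settings = parse_defaults(text)
    findings = []
    for key, meaning in EXPECTED_ENABLED.items():
        value = settings.get(key)
        if value is not None and value != "1":
            findings.append(f"{key}={value}: {meaning} disabled")
    return findings


def find_impostor_settings_apps(bundle_paths: List[str]) -> List[str]:
    """Return bundles carrying the System Settings name that are not Apple's own bundle."""
    impostors = []
    for path in bundle_paths:
        if PurePosixPath(path).name.lower() == "system settings.app" and path != LEGITIMATE_SETTINGS_APP:
            impostors.append(path)
    return impostors


if __name__ == "__main__":
    # Live run on a Mac; falls back to the constructed sample elsewhere.
    try:
        live = subprocess.run(
            ["defaults", "read", "/Library/Preferences/com.apple.SoftwareUpdate"],
            capture_output=True, text=True, check=False,
        ).stdout
    except FileNotFoundError:
        live = SAMPLE_DEFAULTS_OUTPUT
    for finding in audit_update_settings(live):
        print("update setting:", finding)
    for path in find_impostor_settings_apps(SAMPLE_BUNDLE_PATHS):
        print("suspicious bundle:", path)
```

The bundle check takes a list of paths rather than walking the disk itself, so the same function can be fed the output of whatever inventory tool is already in use; the counterfeit app's exact name is not given in the article, so the check only covers bundles that reuse the legitimate name.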
Notably, this version of XCSSET includes an information-stealing module targeting the Firefox browser. This module, adapted from the open-source HackBrowserData project, aims to pilfer browser history, cookies, saved passwords, and stored credit card information.
Microsoft has reported its findings to Apple and collaborated with GitHub to eliminate malicious repositories linked to the malware. Although this variant of XCSSET is currently observed in limited attacks, Microsoft emphasizes the importance of heightening awareness regarding this evolving threat to ensure user safety.