MacOS malware steals sensitive data from Google Chrome, Telegram and other apps


A malware threat that attacks macOS computers has recently been modified and updated with new features that enable it to collect sensitive data from apps such as Telegram and Google Chrome.

The name of the malware in question is XCSSET, and it was first discovered back in August 2020. Its creators distribute it by injecting it into Xcode IDE projects – the hidden payload gets executed when the project files are built in Xcode.
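One way to review a project for this kind of build-time injection is to list every Run Script build phase stored in its `*.xcodeproj/project.pbxproj` file and read what each one executes. The script below is an added example, not code from Trend Micro or from the malware; the sample project fragment is constructed, and the triage hints are assumptions chosen for illustration rather than published XCSSET indicators.

```python
import re

# Constructed project.pbxproj fragment (illustrative; not taken from XCSSET or a real project).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    AA0000000000000000000001 /* Run SwiftLint */ = {
      isa = PBXShellScriptBuildPhase;
      name = "Run SwiftLint";
      shellPath = /bin/sh;
      shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
    };
    AA0000000000000000000002 /* ShellScript */ = {
      isa = PBXShellScriptBuildPhase;
      shellPath = /bin/sh;
      shellScript = "\"${PROJECT_DIR}/.hidden/setup\" >/dev/null 2>&1 &\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

PHASE_RE = re.compile(
    r'/\* (?P<label>[^*]*) \*/ = \{\s*isa = PBXShellScriptBuildPhase;'
    r'(?P<body>.*?)\n\s*\};', re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript = "(?P<src>(?:[^"\\]|\\.)*)";', re.DOTALL)

# Triage hints chosen for this example (assumptions, not published indicators).
HEURISTICS = {
    "runs a hidden (dot-prefixed) path": re.compile(r'/\.[A-Za-z0-9_]'),
    "fetches from the network": re.compile(r'\b(curl|wget)\b'),
    "silences output and backgrounds": re.compile(r'>\s*/dev/null.*&\s*$', re.M),
    "decodes data or runs AppleScript": re.compile(r'\b(base64|xxd|osascript)\b'),
}

def unescape(src):
    """Undo pbxproj string escaping such as backslash-n and backslash-quote."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), src)

def audit_pbxproj(text):
    """Return every Run Script build phase with its script and any triage hints."""
    report = []
    for phase in PHASE_RE.finditer(text):
        found = SCRIPT_RE.search(phase.group("body"))
        script = unescape(found.group("src")) if found else ""
        hints = [name for name, rx in HEURISTICS.items() if rx.search(script)]
        report.append({"label": phase.group("label"), "script": script, "findings": hints})
    return report

if __name__ == "__main__":
    for entry in audit_pbxproj(SAMPLE_PBXPROJ):
        print(entry["label"], "->", entry["findings"] or "no hints; still review manually")
```

A phase with no hints is not proof of a clean project; the value of the listing is that every script the build will run is visible in one place before the project is opened and built.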

This threat has a wide range of abilities, including reading Safari cookies, inserting malicious JavaScript code into websites, and stealing data from different apps on the device (including Skype, WeChat, Notes, Telegram, etc.). The malware can even encrypt user files and thus keep them inaccessible (much like file-encrypting ransomware).

Earlier this year, in April, the XCSSET malware was updated with new functions. The update enabled the threat to attack Macs running macOS 11 Big Sur and Macs with M1 chips. The malware does this by bypassing the security policies of the latest operating system for Mac computers.

According to the researchers at Trend Micro, the threat automatically downloads a specially designed open tool from its servers and uses it to run apps, rather than using the built-in open command of macOS.

The researchers at Trend Micro also report in a write-up from Thursday that XCSSET uses a harmful AppleScript file that compresses the data contained in the Telegram folder into a ZIP file and then uploads that file to the hackers’ server. This allows the threat actors to gain access to the victims’ accounts.

As mentioned earlier, this threat can also target Google Chrome and exfiltrate sensitive data from it. In such cases, the malware tries to steal all user passwords stored in Chrome, which uses a master password to encrypt them. This is done by luring the user into providing the threat with root privileges. To achieve this, the hackers use a fake dialogue box that the user is tricked into interacting with, thus granting the malware root privileges.

Other apps that get targeted by XCSSET are the Opera browser, WeChat, Evernote, Skype, Apple’s Notes and Contacts apps, and more. The malware can exfiltrate sensitive data from those apps using similar tactics and thus grant its creators remote access to the victims’ profiles.

The researchers note that this malware is highly aggressive in its attempts to steal sensitive information, which is highlighted by its tactics and attack mechanism.


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.
