XCSSET malware updates with Python 3 to target macOS Monterey users

Operators of the XCSSET macOS malware have raised the stakes with iterative improvements that add support for macOS Monterey, chiefly by porting the malware's Python source components to Python 3.

“Malware authors have gone from hiding the main executable in a fake Xcode.app in the initial releases in 2020 to a fake Mail.app in 2021 and now a fake Notes.app in 2022,” SentinelOne researchers Phil Stokes and Dinesh Devadoss said in a report.

XCSSET, first documented by Trend Micro in 2020, has many moving parts that allow it to harvest sensitive information from Apple Notes, WeChat, Skype, and Telegram; inject malicious JavaScript code into various websites; and dump cookies from the Safari web browser.


The infection chain uses a dropper to compromise users’ Xcode projects with the backdoor, which in turn evades detection by masquerading as system software or as the Google Chrome web browser application.

The main executable is an AppleScript designed to retrieve second-stage AppleScript payloads from a network of remote servers that siphon data stored in web browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, and Yandex Browser as well as chat apps like Telegram and WeChat.

The threat author is also known to use a custom AppleScript (“listing.applescript”) to determine “how up-to-date the victim is with Apple’s XProtect and MRT Malware Removal Tool, likely to better target them with more efficient payloads,” the researchers said.


One of the novel aspects of the attack is that planting the malware in Xcode projects doubles as a propagation method: infected projects shared through GitHub repositories carry it to anyone who picks them up, further extending its reach.
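Because the propagation path runs through shared Xcode projects, a cheap review step before building a cloned repository is to list what the project will execute at build time. The usual place for that is the run-script build phases (`PBXShellScriptBuildPhase` objects in `project.pbxproj`). The following is an added example, not XCSSET's code and not from the SentinelOne or Trend Micro reports: it parses a constructed `project.pbxproj`, extracts every run-script phase, and flags the traits a reviewer would want to look at (blank phase name, dot-directory path, interpreter or downloader invocation, discarded output, backgrounding). The sample project, its object ids and the hidden `.xcassets` path are made up for illustration.

```python
"""Added example: enumerate run-script build phases in an Xcode project.pbxproj
and flag traits worth reviewing before building a cloned project.
Not XCSSET's own code; the sample project below is constructed."""
import re
import sys

# Constructed sample project.pbxproj (Xcode's old-style plist format).
# The object ids, the hidden ".xcassets" directory and both script bodies are made up.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 50;
    objects = {
        AA0001 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
        };
        AA0002 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "swiftlint --quiet\n";
        };
        AA0003 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = " ";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "osascript \"$SRCROOT/.xcassets/main.applescript\" >/dev/null 2>&1 &\n";
        };
    };
    rootObject = AA0000 /* Project object */;
}
'''

# Every top-level object opens as:  <HEXID> /* comment */ = {
_OBJECT_HEADER = re.compile(
    r'^[ \t]*([0-9A-F]{6,})[ \t]*(?:/\*[ \t]*(.*?)[ \t]*\*/)?[ \t]*=[ \t]*\{', re.M)
_QUOTED = r'"((?:[^"\\]|\\.)*)"'                       # quoted string with backslash escapes
_SHELL_SCRIPT = re.compile(r'shellScript[ \t]*=[ \t]*' + _QUOTED + r'[ \t]*;')
_NAME = re.compile(r'^[ \t]*name[ \t]*=[ \t]*(?:' + _QUOTED + r'|([^;"\n]+))[ \t]*;', re.M)
_HIDDEN_PATH = re.compile(r'/\.(?!\.)[\w-][\w.-]*')   # "/.something" but not "/.." or "/./"
_TOOLS = re.compile(r'\b(osascript|python3?|curl|base64|openssl|nohup)\b')


def _unescape(s):
    # Decode the backslash escapes (\" \\ \n \t) pbxproj uses inside quoted strings.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def _flags(name, script):
    """Traits worth a second look; none of them is proof of compromise on its own."""
    flags = []
    if not name.strip():
        flags.append('blank-name')          # shows up as an empty row in Xcode's phase list
    if _HIDDEN_PATH.search(script):
        flags.append('hidden-path')         # runs something out of a dot-directory
    for tool in sorted(set(_TOOLS.findall(script))):
        flags.append('tool:' + tool)        # interpreter or downloader rather than a build tool
    if '/dev/null' in script:
        flags.append('silenced')            # output discarded, so the build log shows nothing
    body = script.rstrip()
    if body.endswith('&') and not body.endswith('&&'):
        flags.append('background')          # detached, so the build does not wait for it
    return flags


def scan_pbxproj(text):
    """Return one record per PBXShellScriptBuildPhase, in file order."""
    headers = list(_OBJECT_HEADER.finditer(text))
    findings = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        if not re.search(r'isa[ \t]*=[ \t]*PBXShellScriptBuildPhase[ \t]*;', body):
            continue
        m = _SHELL_SCRIPT.search(body)
        script = _unescape(m.group(1)) if m else ''
        n = _NAME.search(body)
        if n is None:
            name = ''
        elif n.group(1) is not None:
            name = _unescape(n.group(1))
        else:
            name = n.group(2).strip()
        findings.append({'id': h.group(1), 'comment': h.group(2) or '',
                         'name': name, 'script': script, 'flags': _flags(name, script)})
    return findings


def suspicious_ids(findings):
    """Ids of the phases that raised at least one flag."""
    return [f['id'] for f in findings if f['flags']]


if __name__ == '__main__':
    # Usage: python scan_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in scan_pbxproj(text):
        print(f"{f['id']} name={f['name']!r} flags={f['flags']}")
        print('    ' + f['script'].rstrip().replace('\n', '\n    '))
```

The flags are deliberately heuristic: a legitimate linter phase produces none, while a phase with a blank name that launches `osascript` on a file in a dot-directory, discards its output and backgrounds itself trips all five. Treat the list as a review prompt for a cloned project, not as a verdict.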

In addition to AppleScripts, the malware also uses Python scripts to drop fake app icons on the macOS Dock and steal data from the pre-installed Notes app.

The latest version of XCSSET is also notable for incorporating changes to its AppleScripts to accommodate Apple’s removal of Python 2.7 from macOS 12.3, released on March 14, 2022, indicating that the authors are continually updating the malware to increase its chances of success.


To that end, the adversary reportedly updated its “safari_remote.applescript” to eliminate Python 2 in favor of Python 3 for systems running macOS Monterey 12.3 and above.

Although it has been in the wild for two years, very little is known about the identity of the threat actors, their motives, or their exact targets. That said, XCSSET malware attacks were reported in China as recently as May 2022, with victims asked to pay 200 USDT in exchange for unlocking stolen accounts.

“At this time, it is unclear whether these infected repositories are victims or plants of malicious actors hoping to infect unwary users,” the researchers noted. “It has been suggested that unsuspecting users could be directed to infected repositories via tutorials and screencasts for novice developers.”
