SecurityWeek

Malware & Threats

New XCSSET macOS Malware Variant Hijacks Cryptocurrency Transactions

The malware now uses a four-stage infection chain, has an additional persistence mechanism, and also targets Firefox browser data.


An updated variant of the sophisticated XCSSET macOS malware is monitoring the system clipboard to hijack cryptocurrency transactions, Microsoft warns.

First observed in the wild in 2020, XCSSET spreads through trojanized Xcode projects, abusing Apple’s integrated development environment for macOS so that the malicious code runs when a developer builds the project.

The malware was designed to steal information from various chat applications, steal files, inject code in websites, and drop ransom notes, and has received several updates over time.

The most recent variant, Microsoft says, includes an additional persistence mechanism and brings changes to browser targeting and clipboard hijacking.

The threat now employs a four-stage infection chain. Its boot function has been reworked and includes additional checks for Firefox and a modified check for Telegram.

At the fourth stage of the chain, the malware fetches a run-only compiled AppleScript (the source is stripped, which hampers analysis) that defines functions for data validation, encryption, decryption, and for obtaining additional data from the command-and-control (C&C) server.

The script also contains clipboard monitoring functions: it watches the pasteboard for strings that look like cryptocurrency wallet addresses and replaces them with addresses from an attacker-controlled list, so that a user who copies a recipient address and pastes it into a wallet unknowingly sends funds to the attacker.
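The swap described above has a simple observable signature: the user copies an address, and a short time later the pasteboard holds a different address of the same currency family without the user having copied anything new. The following is an added example (not code from Microsoft's report or from the malware) showing that detection logic run over a constructed stream of clipboard observations. The address patterns, the `ClipboardEvent` type and the 30-second attribution window are assumptions made for this example; the sample addresses are synthetic and do not belong to real wallets.

```python
"""Detect clipper-style clipboard hijacking: an address the user copied is
replaced, without another user copy, by a different address of the same
cryptocurrency family. Added example; not code from the Microsoft report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose patterns for two common address families. They only classify the
# string's shape (no checksum validation); extend the dict for other coins.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family of a clipboard string, or None if it is not one."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since monitoring started
    source: str    # "user": a copy the user made; "poll": a later read of the pasteboard
    content: str


def detect_swaps(events: List[ClipboardEvent], window_s: float = 30.0) -> List[dict]:
    """Flag pasteboard reads in which the address the user last copied has
    turned into a different address of the same family within window_s seconds."""
    alerts = []
    last_user: Optional[ClipboardEvent] = None
    for ev in events:
        if ev.source == "user":
            last_user = ev            # a new copy by the user resets the baseline
            continue
        if last_user is None:
            continue
        copied, observed = last_user.content.strip(), ev.content.strip()
        family = classify(copied)
        if (family is not None and classify(observed) == family
                and observed != copied and ev.ts - last_user.ts <= window_s):
            alerts.append({"family": family, "copied": copied,
                           "observed": observed, "delay_s": ev.ts - last_user.ts})
            last_user = None          # one alert per hijacked copy
    return alerts


# Constructed sample addresses and a constructed event stream (not real wallets).
BTC_USER = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BTC_ATTACKER = "bc1q" + "l7aum6echk45nj3s0wdvt2fg8x9yrzpq"
ETH_A = "0x" + "ab12" * 10
ETH_B = "0x" + "cd34" * 10

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "user", BTC_USER),
    ClipboardEvent(0.5, "poll", BTC_USER),        # unchanged: fine
    ClipboardEvent(1.0, "poll", BTC_ATTACKER),    # swapped underneath the user: alert
    ClipboardEvent(50.0, "user", ETH_A),
    ClipboardEvent(51.0, "user", ETH_B),          # the user copied something else: fine
    ClipboardEvent(52.0, "poll", ETH_B),
    ClipboardEvent(100.0, "user", "meeting at 3pm"),
    ClipboardEvent(101.0, "poll", BTC_ATTACKER),  # nothing address-like was copied: fine
    ClipboardEvent(200.0, "user", BTC_USER),
    ClipboardEvent(300.0, "poll", BTC_ATTACKER),  # outside the window: not attributed
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['family']}] {a['copied']} -> {a['observed']} after {a['delay_s']:.1f}s")
```

On a real Mac the `poll` events would come from periodically reading the pasteboard (for instance via `pbpaste`) and the `user` events from the application or hotkey that performed the copy; the comparison logic is the same. Note that the check deliberately requires the replacement to be the same family as the original, since that is what makes a clipper swap succeed unnoticed.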

The malware was also seen fetching from the C&C another script with file exfiltration capabilities, and setting up LaunchDaemon persistence by creating a file containing the payload in the user’s home directory.


It was also seen modifying system configuration to run commands that turn off automatic macOS security configuration updates and the Rapid Security Response mechanism, leaving the host without the background security content Apple would otherwise push.

XCSSET also creates a fake System Settings application and then calls a function that waits for the legitimate System Settings application to be launched before executing the fake one, so that the prompt it presents appears to come from the system.
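Two of the host-level changes described above, a LaunchDaemon that runs a payload stored in a user's home directory and software-update preferences switched off, are both visible in property lists. The following is an added example (not code from Microsoft's report or from the malware) that audits such plists in memory using constructed samples. The heuristics (a system-wide daemon should not execute from a user home directory or a hidden path; a `false` value on the listed SoftwareUpdate keys is worth a look) are assumptions made for this example, and the sample plists are built inline rather than read from disk.

```python
"""Audit launchd persistence and software-update preferences for the two
changes described above: a LaunchDaemon whose program lives under a user
home directory or a hidden path, and SoftwareUpdate keys that disable
automatic checks and background security content. Added example; the
heuristics are assumptions, not indicators from the Microsoft report."""
import plistlib
from typing import List, Tuple

# Keys in /Library/Preferences/com.apple.SoftwareUpdate.plist that control
# automatic update checks and background security/config-data installation.
SECURITY_UPDATE_KEYS = ("AutomaticCheckEnabled", "ConfigDataInstall", "CriticalUpdateInstall")


def audit_launch_daemon(plist_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (reason, value) findings for a LaunchDaemon plist. A system-wide
    daemon should not run from a user-writable home directory or a hidden path."""
    job = plistlib.loads(plist_bytes)
    candidates = []
    if "Program" in job:
        candidates.append(str(job["Program"]))
    candidates += [str(a) for a in job.get("ProgramArguments", [])]
    findings = []
    for value in candidates:
        if value.startswith("/Users/") or value.startswith("~"):
            findings.append(("program under a user home directory", value))
        if any(seg.startswith(".") and seg not in (".", "..") for seg in value.split("/")):
            findings.append(("hidden path component", value))
    return findings


def disabled_security_update_keys(plist_bytes: bytes) -> List[str]:
    """Keys explicitly set to false (absent keys keep the macOS default, on)."""
    prefs = plistlib.loads(plist_bytes)
    return [k for k in SECURITY_UPDATE_KEYS if prefs.get(k) is False]


# Constructed sample plists (built in memory; not real files from an infected host).
SUSPICIOUS_DAEMON = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/Library/.helper"],
    "RunAtLoad": True,
})
BENIGN_DAEMON = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/libexec/example-updater", "--daemon"],
    "RunAtLoad": True,
})
WEAKENED_PREFS = plistlib.dumps({
    "AutomaticCheckEnabled": False,
    "ConfigDataInstall": False,
    "CriticalUpdateInstall": True,
})

if __name__ == "__main__":
    for reason, value in audit_launch_daemon(SUSPICIOUS_DAEMON):
        print(f"LaunchDaemon: {reason}: {value}")
    for key in disabled_security_update_keys(WEAKENED_PREFS):
        print(f"SoftwareUpdate: {key} is disabled")
```

To run this against a live system, pass the bytes of each file in /Library/LaunchDaemons and of /Library/Preferences/com.apple.SoftwareUpdate.plist; `plistlib.loads` accepts both XML and binary property lists. The home-directory check is scoped to LaunchDaemons on purpose: per-user LaunchAgents legitimately live under ~/Library/LaunchAgents, whereas a root-level daemon pointing into a user's home directory is the pattern worth investigating.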

The new variant also includes an info-stealer module targeting the Firefox browser. Built from a modified version of the open source HackBrowserData project, the module extracts browsing history, cookies, and stored passwords and credit card data from the browser's profile.

Microsoft reported its findings to Apple and worked with GitHub to remove the malicious repositories distributing the malware.

“While we’re only seeing this new XCSSET variant in limited attacks as of this writing, we’re publishing our comprehensive analysis to increase awareness of this evolving threat,” the company notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
