Cybersecurity researchers have discovered an updated version of the known Apple MACOS malware called XCSSet, which was observed in limited attacks.
“This new variant of XCSSet brings important changes related to browser targeting, clipboard hijacking and persistence mechanisms,” the Microsoft Threat Intelligence team said in a report Thursday.
“It uses sophisticated encryption and obfuscation techniques, uses Run-only compiled Applescripts for stealth execution, and extends Data Exfiltration capabilities to include Firefox browser data.
XCSSET is a name assigned to sophisticated modular malware designed to infect Xcode projects used by software developers and unleash malicious features when built. It remains unclear exactly how the malware will be distributed, but it is suspected that propagation relies on Xcode project files shared among developers building apps on MacOS.
Earlier this March, Microsoft revealed some enhancements to the malware, highlighting its improved error handling and the use of three different persistence technologies to siphon susceptibility data from compromised hosts.
It has been found that the latest variants of XCSSet incorporate clipper submodules that monitor clipboard content for specific regular expressions (aka Regex) patterns that match various cryptocurrency wallets. If a match occurs, the malware will proceed to reroute the transaction, replacing the Clipboard wallet address with one controlled by the attacker.
Windows makers also noted that the new iteration introduces a fourth phase change in the infection chain. In particular, the applescript application executes shell commands to collect system information and obtains the final stage Applescript where it uses the Boot() function to launch various submodules.
In particular, the changes include additional checks for the Mozilla Firefox browser and modified logic to determine the existence of the Telegram messaging app. We also observe various module changes and new modules that were not present in previous versions.
vexyeqj, an information module previously called seizecj, downloads a module called BNK, which is run using oscialscript. The script defines the capabilities of data validation, encryption, decryption, retrieving additional data from the Command and Control (C2) server, and logging. It also includes a clipper feature. Set the module that removes files on the C2 server XMYYEQJX, a module similar to NEQ_CDYD_ILVCMWX, a module that removes files on the C2 server XMYYEQJX, a module that sets up LaunchDaemon-based persistence JEY, and a module that sets up GIT-based persistence IEWMILH_CDYD.
To mitigate the threat posed by XCSSET, it is recommended that users keep their systems up to date, inspect Xcode projects downloaded or cloned from repository or other sources, and be careful when copying and pasting sensitive data from the clipboard.
Source link
