XCSSET macOS malware continues to evolve, now it is able to steal login information from multiple apps, including Telegram and Google Chrome.
Security researchers from Trend Micro continues to monitor the evolution of the XCSSET macOS malware, new variants are able to steal login information from multiple apps, including Telegram and Google Chrome, and send them to C2.
In order to target Telegram, the malware creates the archive “telegram.applescript” for the “keepcoder.Telegram” folder which is located in the Group Containers folder (“~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram”).
Then attackers can copy the stolen folder on another machine with Telegram installed to act on behalf of the legitimate owner of the account.
Experts pointed out that the XCSSET malware can steal sensitive data using this technique because normal users can access the Application sandbox directory with read/write permissions.
“On macOS, the Application sandbox directory ~/Library/Containers/com.xxx.xxx and ~/Library/Group Containers/com.xxx.xxx can be accessed (with READ/WRITE permissions) by common users. This differs from the practice on iOS. Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory.” reads the analysis published by Trend Micro. “We recommend that application developers refrain from storing sensitive data in the sandbox directory, particularly those related to login information.”
Trend Micro also provides details about the technique use by the XCSSET malware to steal the passwords from Google Chrome using the Safe Storage Key, which is stored in “Chrome Safe Storage.”
XCSSET gets the safe_storage_key using the command security find- generic-password -wa ‘Chrome’, which requires root privileges. Then the malware puts all the operations that need root privilege together in a single function.
“The user is then prompted to grant these privileges via a fake dialog box. Once it has obtained the Chrome safe_storage_key, it decrypts all the sensitive data and uploads it to the C&C server.” states the report.
Once obtained the Safe Storage Key, the malware can decrypt the data and send it to the C2 server. The malicious code could use similar scripts to target the following applications:
Trend Micro observed some new domain names used in the attacks, the malware also uses a new module, “canary,” that performs XSS injection on the Chrome Canary browser from Google, which is an experimental version of the Chrome browser.
“The changes we’ve encountered in XCSSET do not reflect a fundamental change in its behavior but do constitute refinements in its tactics. The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems.” concludes the report.