The security researchers of Trend Micro have recently detected that the XCSSET malware that has been outlined to attack the macOS operating system got updated.
The analysts noted that the new updated version consists of a new feature, that enables the stealing of private data from different applications, which also includes the Google Chrome browser and the Telegram messenger.
However, this malware has been implementing different attacks since August 2020, and according to the analysts, this malware has various skills, like:-
- Understanding and resetting the Safari cookies
- Inserting malicious JavaScript on different websites
- Stealing data from applications
- Encrypts user files
How XCSSET Malware Steals Information?
Now the big question arises here that how this malware steals the data? Since it has been implementing various operations since August 2020, the security researchers detected that its first version initially accumulates data from different apps and transfers them back to back its command-and-control (C&C) server.
However, the cybersecurity experts were not aware of how the threat actors use the stolen data.
The new updated version has targeted Telegram, and here the main motive of the malware is to decreasing the folder ~/Library/GroupContainers/6N38VWS5BX.ru.keepcoder.Telegram” into a. ZIP file, and then later they upload the supposed file to a C&C server.
Apart from Telegram, this new version of XCSSET malware has also targeted the Chrome browser of Google.
The experts have also found some steps that will help to find the main motive for collecting folder, and that’s why we have mentioned them below:-
- At first install Telegram on both machines A and B./li>
- Next to machine A, enter with a compelling Telegram account. And don’t do anything in the Telegram by using the machine B./li>
- Next copy the “~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram” folder from machine A to machine B, and substitute the existing folder.
- Lastly, run a Telegram on machine B. When all this is done you can see that you have already logged in with the same account that has been used on machine A.
Sensitive data targeted by XCSSET
XCSSET malware has been conducting such operations for a long time, and till now it has stolen loads of critical privacy data of various applications.
However, this new version has also attacked Google Chrome, in that the data that has been stolen includes any passwords collected by the user to discard the data.
Apart from this, in this process the XCSSET malware requires to get the safe_storage_key using the command security find- generic-password -was ‘Chrome’. According to the report, once the Chrome safe_storage_key, is obtained, it simply decrypts all the delicate data and uploads it to the C&C server managed by the threat actors.
Apps Targeted
Below we have mentioned the apps that are targeted and abused:-
- Apple’s own Contacts
- Evernote
- Notes
- Opera
- Skype
New C&C Domains
Here is the list of new C&C domains used by the threat actors:-
- atecasec[.]info
- datasomatic[.]ru
- icloudserv[.]ru
- lucidapps[.]info
- relativedata[.]ru
- revokecert[.]ru
- safariperks[.]ru
Mitigation
Moreover, this new version of XCSSET malware does not bring any fundamental change, but it has come up with some new techniques and features. However, one can protect themselves from such malware, by downloading different apps from legitimate sites.
Moreover, users can also use multilayered security solutions, as using such security solutions will implement complete security protection against this kind of cyberthreats.
