Microsoft Threat Intelligence reports that a new variant of the XCSSET macOS malware has been detected in limited attacks, incorporating several new features, including enhanced browser targeting, clipboard hijacking, and improved persistence mechanisms.
XCSSET is a modular macOS malware that acts as an infostealer and cryptocurrency stealer, stealing Notes, cryptocurrency wallets, and browser data from infected devices. The malware spreads by searching for and infecting other Xcode projects found on the device, so that the malware is executed when the project is built.
"The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built," explains Microsoft.
"We assess that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications."
In a new variant observed by Microsoft, researchers have noted several changes.
It now attempts to steal Firefox browser data by installing a modified build of the open-source HackBrowserData tool, which is used to decrypt and export browser data from browser data stores.
The new variant also includes a clipboard-hijacking component update that monitors the macOS clipboard for regular expression patterns associated with cryptocurrency addresses.
When a crypto address is detected, it will replace the address with one belonging to the attacker. This causes any cryptocurrency sent by the user on an infected device to be sent to the attackers instead.
Attacker's cryptocurrency addresses used with the Clipboard hijacker
Source: Microsoft
... continue reading