Microsoft spots XCSSET strain hiding in Apple dev projects
Briefly

"The infection chain looks familiar - four stages, culminating in the execution of various submodules - but the final stage has been reworked. Among the more notable changes is a module that targets Firefox, stealing information with the help of a retooled build of the open source HackBrowserData tool. There's also a new clipboard hijacker designed to monitor copied text and replace cryptocurrency wallet addresses with those belonging to the attackers."
"Additionally, Microsoft reports that the malware installs a LaunchDaemon that executes a hidden payload called .root and even drops a bogus System Settings.app file in /tmp to conceal its activity. The authors have also added more layers of obfuscation, including the use of run-only compiled AppleScripts, and the malware attempts to blunt Apple's defenses by disabling macOS automatic updates and Rapid Security Responses."
XCSSET is a macOS malware strain that infects developers by implanting itself into Xcode projects to deliver malicious payloads. The latest variant adds stealthy persistence via a LaunchDaemon that executes a hidden .root payload and drops a bogus System Settings.app in /tmp to mask activity. Operators increased obfuscation using run-only compiled AppleScripts and attempt to disable macOS automatic updates and Rapid Security Responses to evade detection. Final-stage modules include a retooled HackBrowserData build to harvest Firefox data and a clipboard hijacker that replaces cryptocurrency wallet addresses with attacker-controlled addresses. The campaign aims for prolonged stealth and monetization through crypto theft and data exfiltration.
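The persistence and evasion behaviours summarised above (a LaunchDaemon that runs a hidden `.root` payload, a bogus `System Settings.app` dropped under `/tmp`, and automatic updates switched off) are all things a host triage script can check for. The following is an added example written for this brief, not code from Microsoft or The Register. The launchd directories, the `com.apple.SoftwareUpdate` preference keys and the two sample plists it builds for the demo are assumptions or constructed data; it flags nothing about XCSSET that the brief does not already describe.

```python
"""Host triage for the XCSSET behaviours described in the brief: launchd jobs
that run a hidden (dot-prefixed) file or execute from /tmp, a 'System Settings.app'
sitting in /tmp, and softwareupdate preferences explicitly turned off.
Added example, not code from Microsoft or The Register; paths, preference keys
and the demo plists are assumptions or constructed."""
import plistlib
import tempfile
from pathlib import Path

# Assumption: the standard system-wide launchd locations a daemon would be registered in.
LAUNCHD_DIRS = [Path("/Library/LaunchDaemons"), Path("/Library/LaunchAgents")]
TMP_DIRS = ("/tmp/", "/private/tmp/")
BOGUS_APP_NAME = "System Settings.app"   # named in the report; the real one lives in /System/Applications
# Assumption: keys in /Library/Preferences/com.apple.SoftwareUpdate.plist that govern
# automatic checking, downloading and installation of security content.
UPDATE_KEYS = ("AutomaticCheckEnabled", "AutomaticDownload",
               "AutomaticallyInstallMacOSUpdates", "ConfigDataInstall",
               "CriticalUpdateInstall")


def hidden_components(token: str) -> list:
    """Dot-prefixed (hidden) path components in a token, ignoring '.' and '..'."""
    return [c for c in token.split("/") if c.startswith(".") and c not in (".", "..")]


def program_tokens(job: dict) -> list:
    """Every string launchd would execute or pass as an argument for this job."""
    tokens = [job["Program"]] if isinstance(job.get("Program"), str) else []
    tokens.extend(a for a in job.get("ProgramArguments", []) if isinstance(a, str))
    return tokens


def assess_job(job: dict) -> list:
    """Reasons a launchd job matches the persistence pattern in the report (empty = clean)."""
    reasons = []
    for tok in program_tokens(job):
        for comp in hidden_components(tok):
            reasons.append(f"hidden path component {comp!r} in {tok!r}")
        if tok.startswith(TMP_DIRS):
            reasons.append(f"executes from a temp directory: {tok!r}")
        if BOGUS_APP_NAME in tok and not tok.startswith("/System/Applications/"):
            reasons.append(f"references {BOGUS_APP_NAME} outside /System/Applications: {tok!r}")
    return reasons


def scan_launchd_dirs(dirs) -> list:
    """Parse every .plist in the given directories and return only the suspicious jobs."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                job = plistlib.loads(plist.read_bytes())
            except Exception as exc:   # a plist launchd cannot parse is itself worth a look
                findings.append({"plist": str(plist), "label": None, "reasons": [f"unparseable: {exc}"]})
                continue
            job = job if isinstance(job, dict) else {}
            reasons = assess_job(job)
            if reasons:
                findings.append({"plist": str(plist), "label": job.get("Label"), "reasons": reasons})
    return findings


def bogus_settings_app_present(tmp_dir="/tmp") -> bool:
    """True if a 'System Settings.app' bundle sits in the temp directory."""
    return (Path(tmp_dir) / BOGUS_APP_NAME).exists()


def disabled_update_settings(prefs: dict) -> list:
    """Update keys explicitly set to false (an absent key keeps the macOS default)."""
    return [k for k in UPDATE_KEYS if prefs.get(k) is False]


def load_update_prefs(path="/Library/Preferences/com.apple.SoftwareUpdate.plist") -> dict:
    p = Path(path)
    return plistlib.loads(p.read_bytes()) if p.is_file() else {}


def build_demo_launchd_dir(base: Path) -> Path:
    """Write two constructed plists: one benign, one mimicking the reported pattern."""
    base.mkdir(parents=True, exist_ok=True)
    jobs = {
        "com.example.benign.plist": {"Label": "com.example.benign",
                                     "ProgramArguments": ["/usr/libexec/example-agent"]},
        # Constructed sample: a shell stub launching a hidden '.root' file from /tmp.
        "com.example.suspect.plist": {"Label": "com.example.suspect", "RunAtLoad": True,
                                      "ProgramArguments": ["/bin/sh", "-c", "/tmp/.root"]},
    }
    for name, job in jobs.items():
        (base / name).write_bytes(plistlib.dumps(job))
    return base


def demo_scan() -> list:
    """Run the scanner over the constructed plists (used when not on a live macOS host)."""
    return scan_launchd_dirs([build_demo_launchd_dir(Path(tempfile.mkdtemp()) / "LaunchDaemons")])


def main():
    live = [d for d in LAUNCHD_DIRS if d.is_dir()]
    for f in (scan_launchd_dirs(live) if live else demo_scan()):
        print(f"[!] {f['plist']} ({f['label']})")
        for r in f["reasons"]:
            print("    -", r)
    print("bogus System Settings.app in /tmp:", bogus_settings_app_present())
    print("update settings explicitly disabled:", disabled_update_settings(load_update_prefs()))


if __name__ == "__main__":
    main()
```

On a macOS host it walks the real launchd directories and preference file; elsewhere it falls back to the constructed plists so the logic can be exercised. The checks are deliberately structural (hidden path components, execution from `/tmp`, a settings bundle outside `/System/Applications`) rather than tied to one label or hash, so a renamed payload still trips them.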
Read at Theregister