New macOS XCSSET Variant Targets Firefox with Clipper and Persistence Module
"The latest variant of XCSSET has been found to incorporate a clipper sub-module that monitors clipboard content for specific regular expression (aka regex) patterns matching various cryptocurrency wallets. In the event of a match, the malware proceeds to substitute the wallet address in the clipboard with an attacker-controlled one to reroute transactions. The Windows maker also noted that the new iteration introduces changes to the fourth stage of the infection chain,"
"It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries."
"XCSSET is the name assigned to a sophisticated modular malware that's designed to infect Xcode projects used by software developers and unleash its malicious capabilities when it's being built. Exactly how the malware is distributed remains unclear, but it's suspected that the propagation relies on the Xcode project files being shared among developers building apps for macOS."
An updated XCSSET macOS malware variant expands browser targeting, adds clipboard hijacking for cryptocurrency wallets, and introduces new persistence via LaunchDaemon entries. The variant uses sophisticated encryption, obfuscation, and run-only compiled AppleScripts to execute stealthily. Infection occurs through compromised Xcode project files and activates during build processes, with a staged infection chain where an AppleScript fetches a final-stage script that gathers system information and launches modular components via a boot() function. The clipper sub-module watches clipboard contents for regex patterns matching wallet addresses and replaces matching addresses with attacker-controlled ones to reroute transactions.
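The clipper behaviour described above leaves a recognisable trace: a wallet address on the clipboard is replaced by a different address of the same family almost immediately, without any user copy action. The check below is an added defensive illustration (not code from The Hacker News article or from the report it cites); the address regexes, the two-second window, and the clipboard snapshots are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative wallet-address shapes (an assumption for this example; the
# article does not publish the regexes the malware itself uses).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class Snapshot:
    ts: float   # seconds, e.g. from a clipboard-history monitor
    text: str   # clipboard contents at that instant


def classify(text: str) -> Optional[str]:
    """Return the wallet family a clipboard string looks like, or None."""
    stripped = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(stripped):
            return family
    return None


def find_substitutions(snapshots: List[Snapshot], max_gap: float = 2.0) -> List[Tuple[str, str, str]]:
    """Flag consecutive snapshots where one wallet address became a *different*
    address of the same family within max_gap seconds: the signature a
    clipboard clipper leaves, since a human rarely copies two distinct
    addresses of the same kind that quickly."""
    findings = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        fam_prev, fam_cur = classify(prev.text), classify(cur.text)
        same_family = fam_prev is not None and fam_prev == fam_cur
        changed = prev.text.strip() != cur.text.strip()
        if same_family and changed and (cur.ts - prev.ts) <= max_gap:
            findings.append((fam_prev, prev.text.strip(), cur.text.strip()))
    return findings


def demo() -> List[Tuple[str, str, str]]:
    """Constructed clipboard history: one silent ETH swap, one benign BTC copy."""
    snaps = [
        Snapshot(10.0, "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678"),  # user copies address
        Snapshot(10.3, "0x" + "f" * 40),                                # replaced 300 ms later
        Snapshot(45.0, "meeting notes"),
        Snapshot(46.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
        Snapshot(120.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # 74 s later: benign
    ]
    return find_substitutions(snaps)
```

Only the ETH transition is reported; the two BTC addresses are separated by well over the window and are treated as ordinary user activity.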
Read at The Hacker News