New XCSSET macOS Malware Variant Hijacks Cryptocurrency Transactions
Briefly

"At the fourth stage of the chain, the malware fetches a run-only compiled AppleScript that defines functions related to data validation, encryption, decryption, and for obtaining additional data from the command-and-control (C&C) server. The script also contains functions associated with clipboard monitoring, which allows it to identify cryptocurrency addresses and replace them with content defined in a list of attacker-controlled addresses."
"The malware was also seen fetching from the C&C another script with file exfiltration capabilities, and setting up LaunchDaemon persistence by creating a file containing the payload in the user's home directory. It was also seen modifying system configurations to execute commands that disabled the macOS security configuration updates and Rapid Security Response mechanism. The new malware variant also includes an info-stealer module targeting the Firefox browser."
An updated XCSSET macOS malware variant monitors the system clipboard to hijack cryptocurrency transactions and targets multiple browsers. The malware spreads via malicious Xcode projects and uses a four-stage infection chain with a modified boot function that adds Firefox checks and alters Telegram checks. At stage four the malware fetches a run-only AppleScript that handles data validation, encryption, decryption, C&C communications, and clipboard monitoring to replace detected cryptocurrency addresses with attacker-controlled addresses. The malware also fetches scripts for file exfiltration, installs LaunchDaemon persistence in the user's home directory, disables macOS security configuration updates and Rapid Security Response, and creates a fake System Settings application while adding a Firefox info-stealer module.
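Two host-side checks that follow from the behaviour summarized above, written as an added example (not code from the SecurityWeek article, Microsoft's analysis, or the malware itself): a clipboard canary that detects the silent address substitution a clipboard hijacker performs, and a read of the Software Update preference keys that, by my own assumption about what "security configuration updates" and Rapid Security Response map to, govern those settings (the article does not name the keys or say how the malware flips them). The address patterns and the sample addresses are constructed for the example; the `pbcopy`, `pbpaste` and `defaults` calls assume macOS, while the pure helpers run anywhere.

```python
"""Host checks for the XCSSET behaviours described in the summary.

Added example, not the article's or the malware's code. Assumes macOS for
pbcopy/pbpaste/defaults; classify_address, check_canary, parse_defaults_bool
and disabled_security_updates are pure and run on any platform.
"""
import re
import subprocess
import time

# Loose syntactic patterns for address families a clipboard hijacker targets.
# Constructed for this example; not the malware's own address list.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family of `text`, or None if it does not look like one."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def check_canary(written, read_back):
    """Compare what was placed on the clipboard with what came back.

    'swapped' is the hijacker signature: the clipboard still holds a valid
    address of the same family, but not the one we wrote.
    """
    if written == read_back:
        return "clean"
    family = classify_address(written)
    if family is not None and classify_address(read_back) == family:
        return "swapped"
    return "changed"


def run_clipboard_canary(address, settle_seconds=2.0):
    """macOS only: copy `address`, give a polling monitor time to act, read it back."""
    subprocess.run(["pbcopy"], input=address.encode(), check=True)
    time.sleep(settle_seconds)
    read_back = subprocess.run(["pbpaste"], capture_output=True, check=True).stdout.decode()
    return check_canary(address, read_back)


SOFTWARE_UPDATE_PLIST = "/Library/Preferences/com.apple.SoftwareUpdate"
# Assumption: these keys back "Install system data files and security updates"
# and Rapid Security Responses in Software Update; the article names neither.
SECURITY_UPDATE_KEYS = ("ConfigDataInstall", "CriticalUpdateInstall")


def parse_defaults_bool(output):
    """`defaults read` prints 1/0 (or true/false); None when the key is absent."""
    value = output.strip().lower()
    if value in ("1", "true", "yes"):
        return True
    if value in ("0", "false", "no"):
        return False
    return None


def disabled_security_updates(reader=None):
    """Return the keys explicitly set to false (absent = default = enabled).

    `reader(key)` returns raw `defaults read` output; the default reader shells
    out to `defaults` (macOS only) and is replaced in tests with a stub.
    """
    if reader is None:
        def reader(key):
            proc = subprocess.run(["defaults", "read", SOFTWARE_UPDATE_PLIST, key],
                                  capture_output=True, text=True)
            return proc.stdout if proc.returncode == 0 else ""
    return [k for k in SECURITY_UPDATE_KEYS if parse_defaults_bool(reader(k)) is False]


if __name__ == "__main__":
    canary = "1AbCdEfGhJkLmNpQrStUvWxYz23456789a"  # constructed, not a real wallet
    print("clipboard canary:", run_clipboard_canary(canary))
    print("security updates disabled:", disabled_security_updates() or "none")
```

The canary only catches hijackers that rewrite the pasteboard on a timer or on change; a run-only AppleScript that swaps at paste time would need the check to be repeated inside the target application. An explicit false on either preference key is worth investigating on a machine that should be receiving security updates, regardless of whether this particular malware set it.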
Read at SecurityWeek