- Microsoft detects upgraded XCSSET macOS backdoor used in limited targeted attacks
- New variant steals Firefox data and hijacks the clipboard to redirect cryptocurrency transactions
- Apple and GitHub are removing malicious repositories tied to the campaign
Microsoft warns of a new variant of a well-known macOS backdoor that builds on previous iterations by giving attackers additional capabilities.
In its latest report, Microsoft Threat Intelligence says it has seen an upgraded XCSSET macOS backdoor used in “limited attacks”.
Developers who unknowingly used these compromised projects would build and run their apps, triggering the malware. Once inside the system, XCSSET would quietly install itself and begin stealing sensitive data such as browser cookies, credentials and messages. It would also hijack Safari and other browsers to inject malicious code and bypass security protections.
Targeting Firefox and the Clipboard
XCSSET was first spotted in 2020 and is primarily known for infecting Xcode development projects used by macOS developers.
Xcode is Apple’s official integrated development environment (IDE) for building apps on macOS, iOS, iPadOS, watchOS and tvOS.
Five years later, Microsoft discovered a new version of XCSSET with a few notable changes.
First, it can now steal Firefox browser data by installing a modified build of the open-source HackBrowserData tool.
Second, it comes with a component that can hijack the clipboard, a common technique among criminals who want to steal cryptocurrency.
When the malware detects a crypto address in the clipboard, it replaces it with one belonging to the attacker, so when the victim copies and pastes the recipient address, they actually end up sending funds to the attacker.
Finally, the malware comes with a new persistence method that keeps it hidden on the compromised device for longer.
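The clipboard swap described above has a recognizable shape from the defender's side: an address-like value is replaced by a different address of the same type within a fraction of a second and without a corresponding copy action. The following detection heuristic is an added example, not code from Microsoft's report or from XCSSET itself; the address patterns, the `Snapshot` record and the `user_copied` flag (a stand-in for correlating clipboard changes with copy events) are assumptions, and the sample snapshots are constructed.

```python
import re
from dataclasses import dataclass

# Assumed address shapes for two common formats (Bitcoin legacy/bech32, Ethereum).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(value: str):
    """Return the address type a clipboard value looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value.strip()):
            return name
    return None


@dataclass
class Snapshot:
    t: float            # seconds since monitoring started
    value: str          # clipboard contents at that moment
    user_copied: bool   # True when a user copy event preceded this change (assumption)


def detect_swaps(snapshots, max_gap: float = 2.0):
    """Flag address-to-address replacements with no user copy event shortly after a copy.

    Returns (original, replacement, address_type) tuples for each suspected swap.
    """
    alerts = []
    prev = None
    for snap in snapshots:
        if prev is not None:
            old_kind, new_kind = classify(prev.value), classify(snap.value)
            same_type = old_kind is not None and old_kind == new_kind
            if (same_type and prev.value != snap.value
                    and not snap.user_copied and snap.t - prev.t <= max_gap):
                alerts.append((prev.value, snap.value, new_kind))
        prev = snap
    return alerts


# Constructed sample: a benign copy, a silent BTC swap 0.3 s later, then two
# legitimate ETH copies by the user (no alert expected for those).
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes", True),
    Snapshot(1.0, "1" + "A" * 33, True),
    Snapshot(1.3, "1" + "B" * 33, False),
    Snapshot(5.0, "0x" + "a" * 40, True),
    Snapshot(6.0, "0x" + "b" * 40, True),
]

if __name__ == "__main__":
    for original, replacement, kind in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"suspected {kind} clipboard swap: {original} -> {replacement}")
```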
The good news is that Microsoft has only seen it in limited attacks, which means it has not yet done significant damage. Microsoft has already informed both Apple and GitHub, who are now working to remove the repositories tied to the campaign.
Via BleepingComputer