The XCSSET malware is a strain of macOS malware that has been used to access and illegally procure user login information from multiple apps.

The malware was dubbed XCSSET and it looks like it is evolving: it has been targeting macOS developers for more than a year by infecting local Xcode projects.

XCSSET Malware Goes After Sensitive Information

The XCSSET malware steals files containing sensitive information from specific apps and then sends them from the infected macOS machines to a remote command and control (C2) server.

The Telegram instant messaging software was one of the apps targeted by the XCSSET malware. In this case the malware creates an archive, “telegram.applescript”, of the “keepcoder.Telegram” folder under the Group Containers directory; that folder is what allows the hackers to log into the messaging app as the legitimate owner of the account.

The researchers at Trend Micro explained that by copying the stolen folder to another machine that has Telegram installed, the attackers are able to gain access to the victim’s account.

XCSSET malware is able to steal sensitive data in this manner because normal users can access the Application sandbox directory with read and write permissions. Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory.

The method used to steal the passwords saved in Google Chrome was also analyzed by the researchers, and they discovered that it relies on a technique that requires user interaction. It looks like the threat actor needs to get the Safe Storage Key, which is stored in the user’s keychain as “Chrome Safe Storage”, and they use a fake dialog to trick the user into granting administrator privileges to all of the attacker’s operations needed to obtain the Safe Storage Key, which can decrypt the passwords stored in Chrome. Once decrypted, all the data is sent to the attacker’s command and control server.
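The two theft paths described above (a non-Telegram process reading the “keepcoder.Telegram” folder under Group Containers, and a non-Chrome process reading the “Chrome Safe Storage” keychain item) are both visible to a defender as resource access by the wrong process. The following detection logic is an added example written for this page; it is not code from Trend Micro or from the article. It runs over a constructed, simplified event format (one event per line) rather than any real macOS or EDR log, the team-ID prefix “TEAMID” in the sample paths is a placeholder, and the process allow-lists are assumptions to adjust for a real fleet.

```python
"""Flag access to Telegram's Group Containers folder and to the
"Chrome Safe Storage" keychain item by processes that are not the owning app.

Added example (not the article's or Trend Micro's code). The event format is
constructed for this example and is NOT a real macOS or EDR log format:
  <ts> <event> proc=<process name> pid=<n> path=<file path>
  <ts> keychain proc=<process name> pid=<n> item=<keychain item name>
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Non-greedy proc match lets process names contain spaces ("Google Chrome").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) proc=(?P<proc>.+?) pid=(?P<pid>\d+) "
    r"(?P<kind>path|item)=(?P<value>.*)$"
)

# Telegram's account data lives under ~/Library/Group Containers/<TEAMID>.keepcoder.Telegram
TELEGRAM_CONTAINER = re.compile(r"/Library/Group Containers/[^/]*keepcoder\.Telegram(/|$)")
CHROME_SAFE_STORAGE = "Chrome Safe Storage"  # keychain item holding Chrome's Safe Storage Key

# Assumed allow-lists: processes expected to touch each resource. Tune per environment.
TELEGRAM_OWNERS = {"Telegram"}
CHROME_OWNERS = {"Google Chrome", "Google Chrome Helper"}


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    proc: str
    pid: int
    target: str


def parse(line: str) -> Optional[dict]:
    """Return the event fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Apply both rules to every parseable line and return the alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed or unrelated line: skip, never crash the pipeline
        proc, pid, value = ev["proc"], int(ev["pid"]), ev["value"]
        if ev["kind"] == "path" and TELEGRAM_CONTAINER.search(value) and proc not in TELEGRAM_OWNERS:
            alerts.append(Alert("telegram_container_access_by_foreign_process", ev["ts"], proc, pid, value))
        elif ev["kind"] == "item" and value == CHROME_SAFE_STORAGE and proc not in CHROME_OWNERS:
            alerts.append(Alert("chrome_safe_storage_access_by_foreign_process", ev["ts"], proc, pid, value))
    return alerts


# Constructed sample events: two benign owner accesses, two foreign-process accesses,
# one write outside Group Containers (not in scope of the rule) and one unparseable line.
SAMPLE_LOG = """\
2021-07-21T10:00:01Z file_read proc=Telegram pid=410 path=/Users/dev/Library/Group Containers/TEAMID.keepcoder.Telegram/accounts/db
2021-07-21T10:03:11Z file_read proc=osascript pid=5123 path=/Users/dev/Library/Group Containers/TEAMID.keepcoder.Telegram/accounts/db
2021-07-21T10:03:12Z file_write proc=osascript pid=5123 path=/tmp/keepcoder.Telegram.zip
2021-07-21T10:04:00Z keychain proc=Google Chrome pid=600 item=Chrome Safe Storage
2021-07-21T10:05:40Z keychain proc=osascript pid=5130 item=Chrome Safe Storage
this line is deliberately malformed
"""


def sample_alerts() -> List[Alert]:
    """Run the rules over the constructed sample; expect exactly two alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.ts} {a.rule}: {a.proc} (pid {a.pid}) -> {a.target}")
```

Both rules key on the resource rather than on any particular tool name, so a rename of the malicious script does not evade them; the cost is that legitimate helpers (backup agents, for instance) must be added to the allow-lists.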