An ongoing XCSSET malware campaign has been observed in which the attackers appear to have updated some of the malware's features. The malware primarily targets sensitive or important information, which can be repurposed for social engineering attacks that amplify the threat.
About the XCSSET updates
Researchers from Trend Micro have laid bare the details of the malware. XCSSET steals critical data from applications' sandbox directories on macOS.
Attackers were found using a malicious AppleScript file, telegram[.]applescript, to compress the folder ~/Library/Group Containers/6N38VWS5BX[.]ru[.]keepcoder[.]Telegram into a ZIP archive that is then uploaded to a C2 server.
Moreover, in bootstrap[.]applescript, researchers observed a new set of domains and IP addresses being used for C2 communication.
Attackers also added a new "canary" module that performs XSS injection in Google's Chrome Canary browser to steal data.
Stealing data from apps
The application sandbox directory on macOS is readable by ordinary users, which means that a simple malicious script can steal all the data saved in a sandbox directory.
For Chrome, the malware bundles all operations that require root privileges into a single function in order to obtain the safe_storage_key. Once it has the key, the stolen data is sent to the C2 server.
Similar malicious scripts had earlier been spotted targeting other applications, such as Contacts, Evernote, Notes, Opera, Skype, and WeChat, with the same goal of stealing sensitive data.
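The two behaviours described above (an AppleScript archiving the Telegram Group Containers folder, and a non-browser process obtaining Chrome's safe storage key) are both visible in ordinary host telemetry. The following is an added detection example, not code from the Trend Micro report or from this article: it runs two rules over a small set of constructed process and Keychain events and returns alerts. The event schema, the sample events, and the process allow-lists are assumptions for this example; the Telegram container path is the one named in the article (written here without defanging, since it is a file path), and "Chrome Safe Storage" is the Keychain service name under which Chrome stores its data-encryption key.

```python
"""Minimal host-telemetry detector for the XCSSET sandbox-theft behaviours.

Added example; the event format and sample events are constructed and
must be mapped onto your own EDR / Endpoint Security / unified-log fields.
"""
from dataclasses import dataclass

# App sandbox directory named in the article (defanged there as
# 6N38VWS5BX[.]ru[.]keepcoder[.]Telegram). Add other app containers as needed.
WATCHED_CONTAINERS = [
    "Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram",
]

# Keychain service name under which Chrome keeps its encryption key.
CHROME_KEYCHAIN_SERVICE = "Chrome Safe Storage"

# Processes expected to read that key legitimately (assumed allow-list).
CHROME_PROCESSES = {"Google Chrome", "Google Chrome Helper", "Google Chrome Canary"}

# Script hosts and archivers that should not be packaging app sandboxes.
ARCHIVERS = {"osascript", "zip", "ditto", "tar"}


@dataclass
class Event:
    ts: str                    # ISO-8601 timestamp
    process: str               # image name of the acting process
    cmdline: str               # full command line
    file_path: str = ""        # file or directory touched, if any
    keychain_service: str = "" # Keychain item queried, if any


@dataclass
class Alert:
    ts: str
    rule: str
    process: str
    detail: str


def _touches_container(e: Event) -> bool:
    """True if the event references a watched sandbox container path."""
    return any(c in e.file_path or c in e.cmdline for c in WATCHED_CONTAINERS)


def detect(events):
    """Apply both rules to a sequence of events and return the alerts."""
    alerts = []
    for e in events:
        # Rule 1: a script host or archiver packaging a sandboxed app container.
        if e.process in ARCHIVERS and _touches_container(e):
            alerts.append(Alert(e.ts, "sandbox_container_archived", e.process, e.cmdline))
        # Rule 2: something other than Chrome reading the Chrome Safe Storage key.
        if e.keychain_service == CHROME_KEYCHAIN_SERVICE and e.process not in CHROME_PROCESSES:
            alerts.append(Alert(e.ts, "chrome_safe_storage_key_read", e.process, e.cmdline))
    return alerts


# Constructed sample telemetry for this example, not real captured logs.
SAMPLE_EVENTS = [
    Event("2021-07-22T10:01:02Z", "Google Chrome", "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
          keychain_service="Chrome Safe Storage"),
    Event("2021-07-22T10:03:15Z", "osascript", "osascript telegram.applescript"),
    Event("2021-07-22T10:03:16Z", "zip",
          "zip -r /tmp/tg.zip /Users/alice/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram",
          file_path="/Users/alice/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram"),
    Event("2021-07-22T10:05:40Z", "security", "security (arguments omitted in this sample)",
          keychain_service="Chrome Safe Storage"),
    Event("2021-07-22T10:06:00Z", "zip", "zip -r /tmp/photos.zip /Users/alice/Pictures",
          file_path="/Users/alice/Pictures"),
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts} {a.rule} process={a.process} :: {a.detail}")
```

Only the zip of the Telegram container and the non-Chrome Keychain read fire; Chrome reading its own key and a user zipping their Pictures folder do not. Rule 1 keys on the container path rather than on the script name because the article notes the same technique has been reused against other sandboxed apps, so the list of watched containers is the part worth extending.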
Conclusion
The recent report about XCSSET does not indicate any major change in the malware's core capabilities; the changes correspond to a gradual fine-tuning of its tactics. Furthermore, the malware tries to steal information from a large number of applications, including their sandbox directories. This indicates that the malware developers are technically skilled and have a clear idea of what they need and how to get it.