Wednesday, April 17, 2024

macOS Malware Added New Weapons to Its Arsenal To Attack Google Chrome & Telegram

The security researchers of Trend Micro have recently detected that the XCSSET malware that has been outlined to attack the macOS operating system got updated. 

The analysts noted that the new updated version consists of a new feature, that enables the stealing of private data from different applications, which also includes the Google Chrome browser and the Telegram messenger.

However, this malware has been implementing different attacks since August 2020, and according to the analysts, this malware has various skills, like:-

  • Understanding and resetting the Safari cookies
  • Inserting malicious JavaScript on different websites
  • Stealing data from applications
  • Encrypts user files

How XCSSET Malware Steals Information?

Now the big question arises here that how this malware steals the data? Since it has been implementing various operations since August 2020, the security researchers detected that its first version initially accumulates data from different apps and transfers them back to back its command-and-control (C&C) server. 

However, the cybersecurity experts were not aware of how the threat actors use the stolen data.

The new updated version has targeted Telegram, and here the main motive of the malware is to decreasing the folder ~/Library/GroupContainers/” into a. ZIP file, and then later they upload the supposed file to a C&C server. 

Apart from Telegram, this new version of XCSSET malware has also targeted the Chrome browser of Google.

The experts have also found some steps that will help to find the main motive for collecting folder, and that’s why we have mentioned them below:-

  • At first install Telegram on both machines A and B./li>
  • Next to machine A, enter with a compelling Telegram account. And don’t do anything in the Telegram by using the machine B./li>
  • Next copy the “~/Library/Group Containers/” folder from machine A to machine B, and substitute the existing folder.
  • Lastly, run a Telegram on machine B. When all this is done you can see that you have already logged in with the same account that has been used on machine A.

Sensitive data targeted by XCSSET

XCSSET malware has been conducting such operations for a long time, and till now it has stolen loads of critical privacy data of various applications. 

However, this new version has also attacked Google Chrome, in that the data that has been stolen includes any passwords collected by the user to discard the data.

Apart from this, in this process the XCSSET malware requires to get the safe_storage_key using the command security find- generic-password -was ‘Chrome’. According to the report, once the Chrome safe_storage_key, is obtained, it simply decrypts all the delicate data and uploads it to the C&C server managed by the threat actors.

Apps Targeted

Below we have mentioned the apps that are targeted and abused:-

  • Apple’s own Contacts
  • Evernote
  • Notes
  • Opera
  • Skype
  • WeChat

New C&C Domains

Here is the list of new C&C domains used by the threat actors:-

  • atecasec[.]info
  • datasomatic[.]ru
  • icloudserv[.]ru
  • lucidapps[.]info
  • relativedata[.]ru
  • revokecert[.]ru
  • safariperks[.]ru


Moreover, this new version of XCSSET malware does not bring any fundamental change, but it has come up with some new techniques and features. However, one can protect themselves from such malware, by downloading different apps from legitimate sites.

Moreover, users can also use multilayered security solutions, as using such security solutions will implement complete security protection against this kind of cyberthreats.

Apart from Chrome and Telegram, XCSSET malware has also targetted and plunder sensitive information from various popular apps as well.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

LightSpy Hackers Target Indian Apple Device Users To Steal Sensitive Data

Hackers target Apple device users because they are perceived to be of higher social...

Trustifi’s Email Security Awareness Training – Empowering MSPs to Train & Protect Clients

In today's digital landscape, email security has become a critical concern for businesses of...

Personal Data Exposed in Massive Global Hack: Understanding the Implications & Guarding Privacy- Axios Security Group

In a digital age where information is the new currency, the recent global hack...

Ex-Security Engineer Jailed For Hacking Decentralized Cryptocurrency Exchanges

Ahmed exploited a vulnerability in a decentralized cryptocurrency exchange's smart contract by injecting fabricated...

Omni Hotels & Resorts Hack: Attackers have Stolen Customer Information

Omni Hotels & Resorts has revealed that it was the target of a recent...

Connect:fun Attacking Organizations Running Fortinet’s FortiClient EMS

A new exploit campaign has emerged, targeting organizations that utilize Fortinet’s FortiClient EMS.Dubbed...

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers

TA558, a financially motivated threat actor identified in 2018, is targeting several countries but...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles