Thursday, March 28, 2024

macOS Malware Added New Weapons to Its Arsenal To Attack Google Chrome & Telegram

The security researchers of Trend Micro have recently detected that the XCSSET malware that has been outlined to attack the macOS operating system got updated. 

The analysts noted that the new updated version consists of a new feature, that enables the stealing of private data from different applications, which also includes the Google Chrome browser and the Telegram messenger.

However, this malware has been implementing different attacks since August 2020, and according to the analysts, this malware has various skills, like:-

  • Understanding and resetting the Safari cookies
  • Inserting malicious JavaScript on different websites
  • Stealing data from applications
  • Encrypts user files

How XCSSET Malware Steals Information?

Now the big question arises here that how this malware steals the data? Since it has been implementing various operations since August 2020, the security researchers detected that its first version initially accumulates data from different apps and transfers them back to back its command-and-control (C&C) server. 

However, the cybersecurity experts were not aware of how the threat actors use the stolen data.

The new updated version has targeted Telegram, and here the main motive of the malware is to decreasing the folder ~/Library/GroupContainers/6N38VWS5BX.ru.keepcoder.Telegram” into a. ZIP file, and then later they upload the supposed file to a C&C server. 

Apart from Telegram, this new version of XCSSET malware has also targeted the Chrome browser of Google.

The experts have also found some steps that will help to find the main motive for collecting folder, and that’s why we have mentioned them below:-

  • At first install Telegram on both machines A and B./li>
  • Next to machine A, enter with a compelling Telegram account. And don’t do anything in the Telegram by using the machine B./li>
  • Next copy the “~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram” folder from machine A to machine B, and substitute the existing folder.
  • Lastly, run a Telegram on machine B. When all this is done you can see that you have already logged in with the same account that has been used on machine A.

Sensitive data targeted by XCSSET

XCSSET malware has been conducting such operations for a long time, and till now it has stolen loads of critical privacy data of various applications. 

However, this new version has also attacked Google Chrome, in that the data that has been stolen includes any passwords collected by the user to discard the data.

Apart from this, in this process the XCSSET malware requires to get the safe_storage_key using the command security find- generic-password -was ‘Chrome’. According to the report, once the Chrome safe_storage_key, is obtained, it simply decrypts all the delicate data and uploads it to the C&C server managed by the threat actors.

Apps Targeted

Below we have mentioned the apps that are targeted and abused:-

  • Apple’s own Contacts
  • Evernote
  • Notes
  • Opera
  • Skype
  • WeChat

New C&C Domains

Here is the list of new C&C domains used by the threat actors:-

  • atecasec[.]info
  • datasomatic[.]ru
  • icloudserv[.]ru
  • lucidapps[.]info
  • relativedata[.]ru
  • revokecert[.]ru
  • safariperks[.]ru

Mitigation

Moreover, this new version of XCSSET malware does not bring any fundamental change, but it has come up with some new techniques and features. However, one can protect themselves from such malware, by downloading different apps from legitimate sites.

Moreover, users can also use multilayered security solutions, as using such security solutions will implement complete security protection against this kind of cyberthreats.

Apart from Chrome and Telegram, XCSSET malware has also targetted and plunder sensitive information from various popular apps as well.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles