- Microsoft detects an updated XCSSET macOS backdoor used in limited targeted attacks
- The new variant steals Firefox data and hijacks the clipboard to redirect cryptocurrency transactions
- Apple and GitHub are removing malicious repositories linked to the campaign
Microsoft is warning about a new variant of a known macOS backdoor that builds on previous iterations by giving attackers additional capabilities.
In its latest report, Microsoft Threat Intelligence says it has observed an updated XCSSET macOS backdoor being used in "limited attacks."
Developers who unknowingly used these compromised Xcode projects would build and run their applications, which triggered the malware. Once inside the system, XCSSET would install itself silently and begin stealing sensitive data such as cookies, credentials and browser messages. It would also hijack Safari and other browsers to inject malicious code and bypass security protections.
Targeting Firefox and the clipboard
XCSSET was first seen in 2020 and is mainly known for infecting Xcode development projects used by macOS developers.
Xcode is Apple's Integrated Development Environment (IDE) for building applications for macOS, iOS, iPadOS, watchOS and tvOS.
Five years later, Microsoft has spotted a new version of XCSSET with some notable changes.
First, it can now steal Firefox browser data by installing a modified build of the open-source HackBrowserData tool.
Second, it comes with a component that can hijack the clipboard, a common practice among criminals seeking to steal people's cryptocurrency.
When the malware detects a cryptocurrency address on the clipboard, it replaces it with one belonging to the attackers, so that when the victim copies and pastes the recipient's address, they actually end up sending money to the attackers.
Finally, the malware comes with a new persistence method, ensuring it stays hidden on the compromised device for longer.
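The clipboard swap described above, as a defender-side check added here that is not part of the original article or of Microsoft's report: it scans a sequence of clipboard snapshots (constructed sample data with made-up addresses) and flags a cryptocurrency address that is replaced by a different address of the same family within a short window, which is the hijack pattern rather than a normal copy. The address patterns, the `Snapshot` type and the 500 ms threshold are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Loose format checks for two common address families (hypothetical, not exhaustive).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
}

def address_kind(text):
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None

@dataclass
class Snapshot:
    t_ms: int   # time the clipboard was read, in milliseconds
    text: str   # clipboard contents at that moment

def detect_swaps(snapshots, max_gap_ms=500):
    """Flag an address replaced by a different one of the same family within
    max_gap_ms: a hijacker rewrites the address right after it is copied."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind_prev, kind_cur = address_kind(prev.text), address_kind(cur.text)
        if (kind_prev is not None and kind_prev == kind_cur
                and prev.text.strip() != cur.text.strip()
                and cur.t_ms - prev.t_ms <= max_gap_ms):
            alerts.append({"t_ms": cur.t_ms, "kind": kind_cur,
                           "original": prev.text.strip(),
                           "replacement": cur.text.strip()})
    return alerts

# Constructed sample timeline; the addresses are made up and only match the format.
ORIGINAL_ETH = "0x" + "1a" * 20
ATTACKER_ETH = "0x" + "ff" * 20
SAMPLE_SNAPSHOTS = [
    Snapshot(0, "meeting notes"),
    Snapshot(1000, ORIGINAL_ETH),       # user copies the recipient's address
    Snapshot(1050, ATTACKER_ETH),       # rewritten 50 ms later: the hijack pattern
    Snapshot(5000, "bc1q" + "a" * 38),  # user copies a BTC address
    Snapshot(9000, "bc1q" + "b" * 38),  # another one 4 s later: plausibly the user
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"{a['t_ms']} ms: {a['kind']} address {a['original']} -> {a['replacement']}")
```

On a real macOS host the snapshots would come from polling the pasteboard; the timing rule is a heuristic, so tune the threshold against normal copy behaviour before alerting on it.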
The good news is that Microsoft has only seen it in limited attacks, which means it has not yet caused significant damage. The company has already notified Apple and GitHub, which are now working to remove repositories linked to the campaign.
Via BleepingComputer