- Microsoft has detected a new XCSSET macOS backdoor variant used in limited targeted attacks
- The new variant steals Firefox data and hijacks the clipboard to redirect cryptocurrency transactions
- Apple and GitHub are removing the campaign-related malicious repositories
Microsoft is warning about a new variant of a known macOS backdoor that builds on earlier iterations by giving attackers additional capabilities.
In its latest report, Microsoft Threat Intelligence says it has observed an upgraded XCSSET macOS backdoor being used in "limited attacks".
Developers who unknowingly used the compromised Xcode projects would build and run their applications, which triggered the malware. Once on the system, XCSSET settles in quietly and begins stealing sensitive data such as browser cookies, credentials and messages. It also hijacks Safari and other browsers to inject malicious code and bypass security protections.
Targeting Firefox and the clipboard
XCSSET was first spotted in 2020 and is known mainly for infecting Xcode development projects used by macOS developers.
Xcode is Apple's official integrated development environment (IDE) for building applications for macOS, iOS, iPadOS, watchOS and tvOS.
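The infection chain described above runs when a developer builds a trojanized Xcode project. Whatever technique a particular sample uses to hide in the project (the report summarized here does not detail it), the one place an Xcode project can run arbitrary commands during a build is a shell-script build phase, so listing and screening those phases in project.pbxproj is a practical first check before building a project pulled from GitHub. The following is an added example, not code from Microsoft's report or from any XCSSET analysis; the sample pbxproj fragment, the indicator heuristics and the function names are constructed for illustration.

```python
import re

# Constructed project.pbxproj fragment (not from a real infected project): a
# harmless lint step and a second "Run Script" phase that decodes and runs an
# embedded payload at build time.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		1A2B3C4D5E6F7A8B9C0D1E2F /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		0D1E2F3A4B5C6D7E8F9A0B1C /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo QUFBQQ== | base64 --decode | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One shell-script phase: 24-hex object id, optional /* name */ comment, and a
# body that ends at the first "};" (nested lists close with ");", not "};").
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-F]{24})\s*(?:/\*\s*(?P<name>[^*]*?)\s*\*/)?\s*=\s*\{\s*'
    r'isa = PBXShellScriptBuildPhase;(?P<body>.*?)\n\s*\};',
    re.S,
)
# The script is a double-quoted string with backslash escapes.
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Heuristics for "this does more than a build step should" (assumption: a
# starting point for review, not a signature for any specific XCSSET sample).
INDICATORS = [
    ("decodes an encoded blob", re.compile(r"base64\s+(?:-d|-D|--decode)\b|xxd\s+-r")),
    ("fetches remote content", re.compile(r"\b(?:curl|wget)\b")),
    ("pipes data into an interpreter",
     re.compile(r"\|\s*(?:sh|bash|zsh|python3?|osascript)\b|\beval\b")),
]


def unescape(script):
    """Undo pbxproj string escaping: backslash-n, backslash-t, backslash-quote
    and backslash-backslash."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)),
                  script)


def audit_pbxproj(text):
    """Return one record per shell-script build phase that trips an indicator.
    An empty list means no phase looked suspicious (or none had a script)."""
    findings = []
    for phase in PHASE_RE.finditer(text):
        m = SCRIPT_RE.search(phase.group("body"))
        if not m:
            continue
        script = unescape(m.group(1))
        hits = [label for label, pat in INDICATORS if pat.search(script)]
        if hits:
            findings.append({
                "id": phase.group("id"),
                "name": phase.group("name") or "",
                "script": script,
                "findings": hits,
            })
    return findings


if __name__ == "__main__":
    for record in audit_pbxproj(SAMPLE_PBXPROJ):
        print(f'{record["id"]} ({record["name"]}): {", ".join(record["findings"])}')
        print("    " + record["script"].strip())
```

On a real checkout you would read `MyApp.xcodeproj/project.pbxproj` and pass its contents to `audit_pbxproj`. The regex parser is deliberate: pbxproj is an old-style plist, and parsing it with a plist library would require converting it first; a text scan is enough to surface every script that will run at build time for a human to read.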
Five years later, Microsoft has spotted a new version of XCSSET with some notable changes.
First, it can now also steal Firefox browser data, using a modified build of the open-source HackBrowserData tool.
Second, it ships with a component that hijacks the clipboard, a common technique among criminals looking to steal people's cryptocurrency.
When the malware detects a cryptocurrency address in the clipboard, it replaces it with one belonging to the attackers, so that when the victim pastes what they believe is the recipient's address, the money goes to the attackers instead.
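The clipper logic described above is simple enough to show end to end, together with the check that defeats it: compare the address you copied from a trusted source with the one that is about to be sent. The following is an added example written for this page, not code from the report or from the malware; the address patterns are simplified (no checksum validation), and the "attacker" wallets and the copied text are constructed strings that match those patterns without being real addresses.

```python
import re

# Simplified address patterns (assumption: good enough to demonstrate the
# technique, not a validator; no checksum is verified).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed "attacker" wallets for the demo: they satisfy the patterns above
# but are not real addresses.
ATTACKER_WALLETS = {
    "btc_legacy": "1" + "Attacker" * 4,
    "btc_bech32": "bc1q" + "attacker0" * 4 + "aa",
    "eth": "0x" + "ab" * 20,
}


def find_addresses(text):
    """Return (kind, address) pairs in order of appearance in the text."""
    hits = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group()))
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def hijack(clipboard_text, wallets=ATTACKER_WALLETS):
    """Simulate the clipper: every address found is rewritten to the attacker's
    wallet of the same kind. Text with no address passes through untouched,
    which is what keeps the swap unnoticed in day-to-day use."""
    out = clipboard_text
    for kind, pattern in ADDRESS_PATTERNS.items():
        out = pattern.sub(wallets[kind], out)
    return out


def detect_swap(copied, pasted):
    """Defender-side check: compare the address the user copied from a trusted
    source with what is about to be sent. Returns (kind, expected, found)
    triples for every mismatch; an empty list means nothing was tampered with.
    A different number of addresses is reported as a single "count" entry."""
    before = find_addresses(copied)
    after = find_addresses(pasted)
    if len(before) != len(after):
        return [("count", len(before), len(after))]
    return [(k, a, b) for (k, a), (_, b) in zip(before, after) if a != b]


if __name__ == "__main__":
    copied = "Send 0.5 BTC to 1VictimVictimVictimVictimVictimAB please"
    pasted = hijack(copied)  # what actually lands in the wallet app
    print(pasted)
    print(detect_swap(copied, pasted))
```

The practical lesson is the one `detect_swap` encodes: the clipboard is not a trusted channel, so the address shown in the send dialog must be compared, character by character, with the one on the invoice or in the exchange's UI before confirming. On macOS the same comparison can be done by hand with `pbpaste` right after copying.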
Finally, the malware comes with a new persistence method, which keeps it hidden on the compromised device for longer.
The good news is that Microsoft has only seen it in limited attacks, so it has not yet caused widespread damage. The company has already notified Apple and GitHub, which are now working on taking down the campaign-related malicious repositories.
Via BleepingComputer