- Microsoft detects upgraded XCSSET macOS backdoor used in limited targeted attacks
- New variant steals Firefox data and hijacks clipboard to redirect cryptocurrency transactions
- Apple and GitHub are removing malicious repositories linked to the campaign
Microsoft is warning about a new variant of a known macOS backdoor that builds on previous iterations by giving the attackers additional capabilities.
In its latest report, Microsoft Threat Intelligence claims to have seen an upgraded XCSSET macOS backdoor being used in “limited attacks”.
Developers who unknowingly used these compromised projects would build and run their apps, which triggered the malware. Once inside the system, XCSSET would quietly install itself and begin stealing sensitive data like browser cookies, credentials, and messages. It would also hijack Safari and other browsers to inject malicious code and bypass security protections.
Targeting Firefox and the clipboard
XCSSET was first spotted in 2020, and is primarily known for infecting Xcode development projects used by macOS developers.
Xcode is Apple’s official integrated development environment (IDE) for building apps on macOS, iOS, iPadOS, watchOS, and tvOS.
Five years later, Microsoft spotted a new version of XCSSET, with a few notable changes.
First, it can now steal Firefox browser data, too, by installing a modified build of the open-source HackBrowserData tool.
Second, it comes with a component that can hijack the clipboard – a common practice for criminals looking to steal people’s cryptocurrency.
When the malware detects a crypto address in the clipboard, it will replace it with the one belonging to the attackers, so that when the victim wants to copy and paste the receiver address, they actually end up sending money to the attackers.
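The swap described above leaves a recognisable trace: the pasteboard briefly holds one address, then a different address of the same family, faster than a person could copy twice. The following is an added detection heuristic written for this article, not code from Microsoft's report or the malware; the address patterns, the 2-second window, the `pbpaste` live mode and the sample clipboard history are all assumptions.

```python
import re
import subprocess
import time

# Heuristic address patterns for two common families (assumption: not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return family
    return None

def detect_swaps(snapshots, window_s=2.0):
    """Flag transitions where an address is replaced by a *different* address of the
    same family within window_s seconds: a user rarely copies two addresses that fast,
    while a hijacker polling the pasteboard does exactly this.
    snapshots: iterable of (timestamp_seconds, clipboard_text)."""
    alerts, prev = [], None  # prev = (timestamp, text, family) of the last snapshot
    for ts, text in snapshots:
        family = classify(text)
        if (prev and family and family == prev[2]
                and text.strip() != prev[1].strip() and ts - prev[0] <= window_s):
            alerts.append({"family": family, "original": prev[1].strip(),
                           "replaced_with": text.strip(), "delay_s": round(ts - prev[0], 3)})
        prev = (ts, text, family)
    return alerts

def sample_snapshots():
    """Constructed clipboard history (not real data): the user copies a payment
    address and 0.3 s later the pasteboard holds another address of the same family."""
    victim_btc = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"  # example address, constructed
    attacker_btc = "bc1qswapped" + "z" * 31                   # placeholder, not a real address
    return [(0.0, "meeting at 3pm"), (1.0, victim_btc), (1.3, attacker_btc),
            (30.0, "0x" + "a" * 40),   # later the user copies an ETH address ...
            (45.0, "0x" + "b" * 40)]   # ... and another one 15 s later: not a swap

def monitor(duration_s=60, interval_s=0.25):
    """Live mode on macOS: poll pbpaste and run the same heuristic over the stream."""
    history, start = [], time.monotonic()
    while time.monotonic() - start < duration_s:
        text = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
        if not history or history[-1][1] != text:
            history.append((time.monotonic() - start, text))
        time.sleep(interval_s)
    return detect_swaps(history)

if __name__ == "__main__":
    for alert in detect_swaps(sample_snapshots()):
        print("suspected clipboard swap:", alert)
```

Running the sample history reports one suspected swap (the BTC address replaced after 0.3 s) and ignores the two ETH addresses copied 15 s apart.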
Finally, the malware comes with a new persistence method, making sure it remains hidden on the compromised device for longer.
The good news is that Microsoft has only seen it in limited attacks, meaning it hasn’t yet caused significant damage. Microsoft has already notified both Apple and GitHub, who are now working on removing the repositories linked to the campaign.
Via BleepingComputer