Google Chrome data and Telegram accounts, targeted by a macOS Malware

August 1, 2021
Google Chrome Telegram Mac OS Malware XCSSET

There have been recent findings by security researchers about a strain of macOS malware wherein hackers have used specific methods, which indeed risks many applications, by stealing sensitive information and personal accounts. 

Local Xcode projects have been infected for more than a year by this malware called XCSSET. It has been actively progressing even up to now, and it mainly targets macOS developers. 


Telegram accounts and Chrome passwords at risk of cyber threats 

The malware XCSSET has a way of accumulating private information from the corrupted computer files possessed by specific targeted applications. The exfiltrated information will then be sent to the command-and-control server or C2. 

Telegram, an instant messaging software, is one example of the many applications pursued by the XCSSET malware. The “keepcoder.Telegram” folder under the Group Containers directory will generate an archive called the “telegram.applescript”, which is made by XCSSET. Through collecting the Telegram folder, hackers could act as the real account owners due to successfully stealing sensitive login information. 

The renowned cybersecurity researchers discussed that hackers can get into the victim accounts by replicating the stolen folder to another computer where the software Telegram is installed.


They also mentioned that the macOS malware XCSSET can easily sneak into victims’ sensitive information through this technique since regular application users can access the Application sandbox directory with read-and-write permissions in normal practice. 


Moreover, Trend Micro researchers also said that a simple script can easily steal data stored in the sandbox directory because not all executable files are sandboxed on MacOS. 

There is also a technique that’s been defined since 2016 researchers have analyzed, where passwords that are saved in Google Chrome have been used in stealing and which typically entails user interaction. The Safe Storage Key is the vital part of this process done by the threat actor. It can be found inside the account owner’s keychain as “Chrome Safe Storage.” 

These threat actors or attackers usually create a fake dialogue into tricking victims into sharing admin privileges with them. Once the Safe Storage Key has been obtained, decrypting stored passwords inside Google Chrome will be their next step. All data will then be sent to the command-and-control server or C2 when the operation is decrypted. Other applications and software such as Evernote, Contacts, Notes, Opera, Skype, and WeChat all have the exact scripts which exist in XCSSET for stealing sensitive data. 

The latest version of XCSSET malware seemed to have an up-to-date list of its command-and-control servers or C2, as examined as well by Trend Micro. It also appears to own a new “canary” module used for cross-site scripting or XSS injections through the Chrome Canary, an experimental web browser. 

XCSSET is still progressively evolving despite its recent update being less likely to obtain more advanced and substantial features. This malware is aiming to target ‘Big Sur’ or the most updated version of the macOS. XCSSET has been recently investigated as a zero-day vulnerability in bypassing several system protections for full disk access and preventing explicit content away from its user. 

About the author

Leave a Reply