A new version of the XCSSET malware is being used in limited attacks against macOS developers, according to Microsoft Threat Intelligence. This malware infects Xcode projects, allowing it to execute when the project is built and subsequently spread to other projects on the same machine. The primary goal of the malware is to steal sensitive information, including developer notes, cryptocurrency wallets, and browser data.
The latest variant introduces several dangerous upgrades. It now specifically targets the Firefox browser using a modified version of the HackBrowserData tool to extract saved information. Furthermore, it incorporates a clipboard hijacking feature that monitors for cryptocurrency addresses and silently replaces them with addresses controlled by the attacker, diverting payments.
To maintain persistence on infected systems, the malware creates new LaunchDaemon entries and disguises its activity with a fake System Settings application. While the current campaign is not widespread, Microsoft has shared its findings with Apple and GitHub to help mitigate the threat. Developers are advised to carefully inspect shared Xcode projects and keep their systems and software updated to protect against such attacks.
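A defender-side check added here (not from Microsoft's report or XCSSET samples): since the malware runs when an infected project is built, one place to look when inspecting a shared Xcode project is its Run Script build phases in `project.pbxproj`. The script assumes build-time execution is achieved through a `PBXShellScriptBuildPhase` (the report does not say how) and uses illustrative heuristics, not XCSSET signatures, to flag scripts for manual review; the pbxproj fragment is constructed for this example.

```python
import re

# Constructed project.pbxproj fragment (old-style plist text): one benign
# Run Script phase and one that decodes and executes an embedded blob.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AA01 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Lint";
            shellPath = /bin/sh;
            shellScript = "swiftlint lint --quiet\n";
        };
        AA02 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Build Helper";
            shellPath = /bin/sh;
            shellScript = "echo cHJpbnQoJ2hpJyk= | base64 -d | python3\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Illustrative heuristics for build scripts that deserve a human look:
# decoded payloads, downloaders, eval, AppleScript, inline interpreters.
SUSPICIOUS = [
    r"base64\s+(-d|--decode|-D)", r"\bcurl\b", r"\bwget\b",
    r"\beval\b", r"\bosascript\b", r"python3?\s+-c", r"/tmp/",
]

BLOCK_RE = re.compile(r"\{[^{}]*?isa = PBXShellScriptBuildPhase;[^{}]*?\}", re.S)
NAME_RE = re.compile(r'name = "?([^";]+)"?;')
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)

def unescape(s):
    """pbxproj stores the script with C-style escapes (\\n, \\")."""
    return s.encode().decode("unicode_escape")

def find_suspicious_build_scripts(pbxproj_text):
    """Return [(phase name, matched pattern, script)] for each Run Script
    phase whose shellScript matches any heuristic (first match wins)."""
    hits = []
    for block in BLOCK_RE.findall(pbxproj_text):
        m = SCRIPT_RE.search(block)
        if not m:
            continue
        script = unescape(m.group(1))
        name_m = NAME_RE.search(block)
        name = name_m.group(1) if name_m else "(unnamed)"
        for pat in SUSPICIOUS:
            if re.search(pat, script):
                hits.append((name, pat, script.strip()))
                break
    return hits

if __name__ == "__main__":
    for name, pat, script in find_suspicious_build_scripts(SAMPLE_PBXPROJ):
        print(f"[!] phase {name!r} matched {pat!r}: {script}")
```

Run it against a real project with `find_suspicious_build_scripts(open("App.xcodeproj/project.pbxproj").read())`; a hit is a prompt to read the phase, not proof of infection.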
