XCSSET MacOS malware steals Telegram password and Google Chrome data

New variants of the XCSSET macOS malware are able to steal login information from several apps, including Telegram and Google Chrome, and send it to their command-and-control (C2) server, according to Trend Micro security researchers.



To attack Telegram, the trojan produces the archive “telegram.applescript” from the “keepcoder.Telegram” folder in the Group Containers directory (“/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram”).


The attackers can then copy the stolen files to another computer that has Telegram installed in order to act on behalf of the account’s legitimate owner.


Experts pointed out that the XCSSET malware can use this technique to steal sensitive data because normal users have read/write permissions on the Application sandbox directory.


“On macOS, the Application sandbox directory ~/Library/Containers/com.xxx.xxx and ~/Library/Group Containers/com.xxx.xxx can be accessed (with READ/WRITE permissions) by common users. This differs from the practice on iOS. Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory.” reads the analysis published by Trend Micro. “We recommend that application developers refrain from storing sensitive data in the sandbox directory, particularly those related to login information.” 


Trend Micro also goes into depth on how the XCSSET malware uses the Safe Storage Key, which is saved in “Chrome Safe Storage,” to steal passwords from Google Chrome.


XCSSET uses the command security find-generic-password -wa 'Chrome' to retrieve the safe storage key, which requires root privileges. The malware therefore bundles all of the activities that require root privilege into a single function.


“The user is then prompted to grant these privileges via a fake dialog box. Once it has obtained the Chrome safe_storage_key, it decrypts all the sensitive data and uploads it to the C&C server.” states the report.
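As an added detection-oriented example (not code from this article or from the Trend Micro report), the following Python flags process-execution events whose command line matches the keychain query described above: a security find-generic-password call that prints a secret (-w) for a Chrome-related account, service or label. The event format (parent process name plus command line) and the sample events are constructed assumptions.

```python
"""Flag process-execution events that dump the Chrome Safe Storage key via the
`security` CLI. Event format and sample events are constructed, not real telemetry."""
import shlex
from dataclasses import dataclass

# Constructed sample events: (parent process name, command line)
SAMPLE_EVENTS = [
    ("osascript", "security find-generic-password -wa 'Chrome'"),
    ("Terminal", "security find-generic-password -a alice -s mail.example"),
    ("osascript", "security find-generic-password -w -s 'Chrome Safe Storage'"),
    ("Google Chrome", "security find-generic-password -wa Chrome"),
    ("bash", "ls -la"),
]

@dataclass
class Finding:
    parent: str
    cmdline: str
    reason: str

def _argv(cmdline):
    """Split a shell command line into argv, tolerating unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()

def is_chrome_key_dump(argv):
    """True when argv is `security find-generic-password` printing a secret (-w)
    whose account/service/label (-a/-s/-l) refers to Chrome."""
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "security":
        return False
    if argv[1] != "find-generic-password":
        return False
    prints_secret, targets, i = False, [], 2
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1 and not tok.startswith("--"):
            flags = tok[1:]                      # clustered flags, e.g. "-wa"
            prints_secret = prints_secret or "w" in flags
            # the last flag in a cluster may consume the next token (-wa 'Chrome')
            if flags[-1] in "asl" and i + 1 < len(argv):
                targets.append(argv[i + 1])
                i += 1
        i += 1
    return prints_secret and any("chrome" in t.lower() for t in targets)

def scan(events):
    """Return a Finding for every event matching the Chrome key-dump pattern."""
    return [Finding(p, c, "Chrome Safe Storage key read via security CLI")
            for p, c in events if is_chrome_key_dump(_argv(c))]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.parent}: {f.cmdline} -> {f.reason}")
```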


Once it has obtained the Safe Storage Key, the malware decrypts the data and transfers it to the C2 server. Similar scripts could be used by the malicious code to target the following applications:

  • Contacts
  • Evernote
  • Notes
  • Opera
  • Skype
  • WeChat


Trend Micro also discovered new domain names used in the attacks, as well as a new module called “canary” that performs XSS injection against Google Chrome Canary, an experimental version of Chrome.


“The changes we’ve encountered in XCSSET do not reflect a fundamental change in its behavior but do constitute refinements in its tactics. The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems.” concludes the report.

