XCSSET, classified by Trend Micro as an ongoing malware campaign, targets macOS users’ information by infecting Xcode projects. The most recent campaign has been spotted targeting Google Chrome and Telegram installations through AppleScript. A Trend Micro report explains that because not all apps on macOS run in sandboxed mode, any user can read many installed applications’ data directories. By copying the data from a Telegram installation to another system, an attacker can access the victim’s Telegram account. XCSSET also targets saved passwords in Google Chrome, though these are not quite as easy to obtain: Chrome protects saved credentials with a “safe_storage_key” that requires root permissions to read. To get around this, the malware author created a fake security dialog that prompts the victim to grant it permission. Once the victim accepts, the passwords are decrypted and sent to a command and control (C2) server.
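The fake security dialog described above is an AppleScript prompt, so one defensive check is to flag osascript invocations whose inline script shows a dialog that collects a hidden answer. The following detector is an added example, not code from Trend Micro or Binary Defense; the sample command lines, the indicator list and the score threshold are constructed assumptions for this illustration.

```python
import re
import shlex

# Indicators of a dialog that collects a secret or impersonates a security prompt.
HIDDEN_ANSWER = re.compile(r'default answer\s+"[^"]*"\s+with hidden answer', re.I)
DIALOG = re.compile(r"\bdisplay dialog\b", re.I)
LURE_WORDS = re.compile(r"\b(password|security|keychain|update|verify)\b", re.I)
ALARM_ICON = re.compile(r"with icon (stop|caution)", re.I)


def applescript_payload(cmdline: str) -> str:
    """Return the inline script text passed to osascript via -e, or '' if none."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ""
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return ""
    # Every argument that follows a -e flag is part of the script.
    parts = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e"]
    return "\n".join(parts)


def score_prompt(script: str) -> int:
    """Heuristic score: higher means more like a fake credential dialog."""
    if not DIALOG.search(script):
        return 0
    score = 1
    if HIDDEN_ANSWER.search(script):  # password-style input field
        score += 3
    if LURE_WORDS.search(script):     # wording typical of a security lure
        score += 1
    if ALARM_ICON.search(script):     # warning icon to add urgency
        score += 1
    return score


def suspicious_dialogs(cmdlines, threshold=4):
    """Return (cmdline, score) for each osascript invocation at or above threshold."""
    hits = []
    for line in cmdlines:
        s = score_prompt(applescript_payload(line))
        if s >= threshold:
            hits.append((line, s))
    return hits


# Constructed sample process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "/usr/bin/osascript -e 'display notification \"Build finished\" with title \"Xcode\"'",
    "/usr/bin/osascript -e 'display dialog \"Security update requires your password\" default answer \"\" with hidden answer with icon stop'",
    "/bin/ls -la /Users/demo/Library/Application Support",
]

if __name__ == "__main__":
    for line, s in suspicious_dialogs(SAMPLE_CMDLINES):
        print(f"score={s}: {line}")
```

In practice the input would be process-execution telemetry (for example EDR or osquery process command lines) rather than the embedded samples.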
By Akshay Rohatgi and Randy Pargman
About this Student Research Project
Binary Defense’s mission is