Published on Aug 30, 2022
The operators of the XCSSET macOS malware have added support for macOS Monterey by upgrading its source code components to Python 3.
SentinelOne researchers Phil Stokes and Dinesh Devadoss said in a report that malware authors changed from hiding the primary executable in a fake Xcode.app in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022.
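The name-swapping described above (a fake Xcode.app, then Mail.app, then Notes.app) suggests a simple defender-side check. The script below is an added example, not code from the SentinelOne report: it walks a directory tree and flags .app bundles that borrow one of those names but sit outside the directories where the genuine application lives; the expected-location set and the constructed sample tree are assumptions.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Bundle names XCSSET has hidden behind, per the report (2020, 2021, 2022).
SPOOFED_APP_NAMES = {"Xcode.app", "Mail.app", "Notes.app"}

# Assumption: where a genuine copy of these bundles is expected on a managed Mac.
EXPECTED_PARENTS = {Path("/Applications"), Path("/System/Applications")}


def bundle_identifier(app_dir: Path) -> str:
    """Return CFBundleIdentifier from the bundle's Info.plist, or '' if unreadable.
    A copycat bundle can reuse Apple's identifier, so this is context, not the signal."""
    plist = app_dir / "Contents" / "Info.plist"
    try:
        with plist.open("rb") as fh:
            return str(plistlib.load(fh).get("CFBundleIdentifier", ""))
    except (OSError, plistlib.InvalidFileException):
        return ""


def find_lookalike_bundles(root: Path, expected_parents=EXPECTED_PARENTS):
    """Walk `root` and return (path, identifier) for .app bundles whose name is on
    the spoofed list but whose parent directory is not an expected location."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                dirnames.remove(name)  # do not descend into bundle internals
                app = Path(dirpath) / name
                if name in SPOOFED_APP_NAMES and app.parent not in expected_parents:
                    findings.append((str(app), bundle_identifier(app)))
    return findings


def demo() -> list:
    """Constructed sample: a fake Notes.app planted under a user-writable cache path."""
    root = Path(tempfile.mkdtemp())
    fake = root / "Library" / "Caches" / "Notes.app" / "Contents"
    fake.mkdir(parents=True)
    with (fake / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example.constructed"}, fh)
    return find_lookalike_bundles(root)


if __name__ == "__main__":
    for path, ident in demo():
        print(f"look-alike bundle: {path} ({ident or 'no identifier'})")
```

On a real host, point `find_lookalike_bundles` at `Path.home()` or `/Users`; any hit should be compared against the genuine app's code signature before acting on it.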
XCSSET has many moving parts that allow it to steal sensitive information from Apple Notes, WeChat, Skype, and Telegram; inject malicious JavaScript code into various websites; and dump Safari cookies.
As part of infection chains, a dropper compromises users’ Xcode projects with the backdoor, which also masquerades as either system software or the Google Chrome web browser application.
A primary executable is an AppleScript that retrieves second-stage AppleScript payloads from a network of servers that siphon data from web browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Yandex Browser, and chat apps like WeChat and Telegram.
According to the researchers, the threat actor also uses a custom AppleScript (“listing.applescript”) to determine “if the victim has updated their XProtect and MRT malware removal tools, presumably so that they can target them with more effective payloads.”
A novel aspect of the attack is that the malware is deployed within Xcode projects to propagate via GitHub repositories.
Furthermore, the malware uses Python scripts to drop fake application icons on the macOS Dock and steal data from the pre-installed Notes app.
A significant change in the latest version of XCSSET stems from Apple's removal of Python 2.7 from macOS 12.3 on March 14, 2022, which forced the AppleScripts to be modified; this indicates that the malware authors are constantly updating the malware to increase the likelihood of its success.
The adversary has updated safari_remote.applescript to replace Python 2 with Python 3 on macOS Monterey 12.3 and above.
Despite being in the wild for two years, little is known about the identity of the threat actors or their motivations. However, XCSSET malware attacks have been reported in China as recently as May 2022 that demanded 200 USDT for account unlocking.
“At this point in time, it’s unclear whether these repos are victims or plants by hackers,” the researchers write. The tutorials and screencasts for novice developers may point unsuspecting users to the infected repositories.