
Malware updates for macOS Monterey with Python 3

Published on Aug 30, 2022

The operators of the XCSSET macOS malware have added support for macOS Monterey by upgrading its source code components to Python 3.

SentinelOne researchers Phil Stokes and Dinesh Devadoss said in a report that the malware authors moved from hiding the primary executable in a fake Xcode.app in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022.

XCSSET has many moving parts that allow it to steal sensitive information from Apple Notes, WeChat, Skype, and Telegram; inject malicious JavaScript code into various websites; and dump Safari cookies.

As part of infection chains, a dropper compromises users’ Xcode projects with the backdoor, which also masquerades as either system software or the Google Chrome web browser application.

The primary executable is an AppleScript that retrieves second-stage AppleScript payloads from a network of servers; those payloads siphon data from web browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, Brave and Yandex Browser, and from chat apps such as WeChat and Telegram.

According to the researchers, the threat actor also uses a custom AppleScript (“listing.applescript”) to determine “if the victim has updated their XProtect and MRT malware removal tools, presumably so that they can target them with more effective payloads.”
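Two points in the report translate directly into defender-side checks: the primary executable hides inside a bundle that borrows a system app's name (Xcode.app, Mail.app, Notes.app), and the malware itself inspects whether XProtect and MRT are current. The script below is an added example, not SentinelOne's code nor anything from the malware; it flags look-alike bundles that sit outside the genuine app's location, carry the wrong bundle identifier, or use the stub executable that Script Editor gives saved AppleScripts, and it reports the installed XProtect and MRT versions from their Info.plist files. The expected paths, identifiers and plist locations are assumptions based on a Monterey-era layout, and the sample plist is constructed.

```python
#!/usr/bin/env python3
"""Defender-side triage for look-alike app bundles and protection versions.

Added example, not code from SentinelOne's report or from XCSSET. Expected
locations, bundle identifiers and protection plist paths are assumptions
for this example based on a macOS Monterey-era layout.
"""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Genuine bundle identifier and install path for each app the report says
# XCSSET has impersonated (assumed values for this example).
GENUINE = {
    "Notes.app": ("com.apple.Notes", "/System/Applications/Notes.app"),
    "Mail.app": ("com.apple.mail", "/System/Applications/Mail.app"),
    "Xcode.app": ("com.apple.dt.Xcode", "/Applications/Xcode.app"),
}

# Info.plist locations of Apple's built-in protections (assumed for this example).
PROTECTION_PLISTS = {
    "XProtect": "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist",
    "MRT": "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist",
}

# Constructed Info.plist resembling an AppleScript applet saved from Script
# Editor and renamed Notes.app. Its identifier still begins with "com.apple.",
# so a prefix check alone would let it through; compare the full identifier.
SAMPLE_APPLET_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleExecutable</key><string>applet</string>
  <key>CFBundleIdentifier</key><string>com.apple.ScriptEditor.id.Notes</string>
</dict></plist>
"""


def bundle_findings(bundle_path: str, info_plist: Optional[bytes]) -> List[str]:
    """Return the reasons a bundle looks suspicious; an empty list means none noted."""
    findings: List[str] = []
    name = Path(bundle_path).name
    expected = GENUINE.get(name)
    if expected and bundle_path != expected[1]:
        findings.append(f"{name} found outside its expected location: {bundle_path}")
    if info_plist is None:
        return findings
    try:
        info = plistlib.loads(info_plist)
    except Exception:  # plistlib raises different errors for binary vs. XML garbage
        findings.append("Info.plist is not a valid property list")
        return findings
    exe = info.get("CFBundleExecutable", "")
    if exe in ("applet", "droplet"):  # stub names Script Editor gives saved scripts
        findings.append(f"bundle executable is an AppleScript applet stub ({exe})")
    ident = info.get("CFBundleIdentifier", "")
    if expected and ident != expected[0]:
        findings.append(f"bundle identifier {ident!r} differs from {expected[0]!r}")
    return findings


def protection_versions(plists: Dict[str, str] = PROTECTION_PLISTS) -> Dict[str, Optional[str]]:
    """Read CFBundleShortVersionString for each protection; None when the file is absent."""
    versions: Dict[str, Optional[str]] = {}
    for tool, path in plists.items():
        p = Path(path)
        if not p.is_file():
            versions[tool] = None
            continue
        with p.open("rb") as fh:
            versions[tool] = plistlib.load(fh).get("CFBundleShortVersionString")
    return versions


def scan(roots: List[str]):
    """Walk the given directories for .app bundles and yield (path, findings) for hits."""
    for root in roots:
        for app in Path(root).rglob("*.app"):
            plist = app / "Contents" / "Info.plist"
            data = plist.read_bytes() if plist.is_file() else None
            hits = bundle_findings(str(app), data)
            if hits:
                yield str(app), hits


if __name__ == "__main__":
    print("protection versions:", protection_versions())
    roots = [r for r in ("/Applications", str(Path.home())) if Path(r).is_dir()]
    for path, hits in scan(roots):
        print(path, *hits, sep="\n  ")
```

Run it on a Mac to list protection versions and any look-alike bundles under /Applications and the home directory; the identifier comparison is deliberately exact rather than a `com.apple.` prefix test, because Script Editor assigns saved applets identifiers under `com.apple.ScriptEditor.id.`.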

A novel aspect of the attack is that the malware is deployed within Xcode projects to propagate via GitHub repositories.

Furthermore, the malware uses Python scripts to drop fake application icons on the macOS Dock and steal data from the pre-installed Notes app.

A notable change in the latest version of XCSSET follows Apple's removal of Python 2.7 from macOS 12.3 on March 14, 2022: the malware's AppleScripts have been modified accordingly, indicating that the authors are continually updating the malware to increase its chances of success.

The adversary has updated Safari_remote.applescript to replace Python 2 with Python 3 on macOS Monterey 12.3 and above.

Although XCSSET has been in the wild for two years, little is known about the identity of the threat actors or their motivations. However, XCSSET attacks reported in China as recently as May 2022 demanded 200 USDT for account unlocking.

“At this point in time, it’s unclear whether these repos are victims or plants by hackers,” the researchers write. Tutorials and screencasts aimed at novice developers may point unsuspecting users to the infected repositories.
