A technique used by a specific MacOs malware, identified simply as “XCSSET,” steals users’ login information across multiple apps, providing operators with the necessary account theft details.
According to Trend Micro researchers, the malware, which infects local Xcode projects, collects sensitive information from certain applications from infected computer files that it sends to the command and control (C2) server.
Targeting Telegram among other malware applications, the malware created the “telegram.applescript” for the “keepcoder.Telegram” allowing attackers to log into the messaging app as the legitimate owner of the account.
For Google Chrome, the threat actors use a fake dialog to trick users into gaining administrator privileges for all of the attacker’s operations needed to get the Safe Storage Key which is stored in the user’s keychain as “chrome safe storage.” The threat actors gain the information needed to decrypt passwords stored in Chrome.
For more information, read the original story in BleepingComputer.