Hackers use ‘sophisticated’ macOS malware to steal cryptocurrency, Microsoft says

Researchers have discovered a new variant of malware targeting macOS systems to steal cryptocurrency and data without being detected.

In a report released on Monday, threat intelligence specialists at Microsoft said that they have discovered the new XCSSET strain in limited attacks. XCSSET, first spotted in the wild in August 2020, spreads by infecting Xcode projects, which developers use to create apps for Apple devices.

The variant uncovered by Microsoft is updated with new features designed to evade detection, persist within the victim’s network and spread through new techniques. Similar to the older version, the new malware targets digital wallets, collects data from the Notes app, and exfiltrates system information and files.

“Users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware typically spreads through infected projects,” Microsoft said. “They should also only install apps from trusted sources, such as a software platform’s official app store.”

Several other researchers have posted reports recently about malware variants used for cryptocurrency and data theft.

In a campaign discovered earlier in December, hackers targeted the cryptocurrency and fintech sectors with a new stealer malware, which researchers named Zhong Stealer. The attackers exploited customer service platforms like Zendesk, posing as customers to trick unsuspecting support agents into downloading the malware. According to researchers, Zhong Stealer exfiltrates stolen data, including credentials and browser extension data, and sends it to servers in Hong Kong.

Slovenia’s computer emergency response team also discovered two malware samples — BeaverTail and InvisibleFerret — that steal data from companies and individuals involved in Web3 technology, such as smart contracts, cryptocurrencies, and blockchain technology.

Researchers haven’t attributed this campaign to a specific threat actor, but previous security experts have linked similar attacks to those carried out by state-sponsored hackers from North Korea.