
New XCSSET macOS Malware Variant Hijacks Cryptocurrency Transactions


The malware now uses a four-stage infection chain, has an additional persistence mechanism, and also targets Firefox browser data.

An updated variant of the sophisticated XCSSET macOS malware is monitoring the system clipboard to hijack cryptocurrency transactions, Microsoft warns.

First observed in the wild half a decade ago, XCSSET spreads via malicious Xcode projects, abusing Apple’s integrated development environment for macOS.

The malware was designed to steal information from various chat applications, steal files, inject code in websites, and drop ransom notes, and has received several updates over time.

The most recent variant, Microsoft says, includes an additional persistence mechanism and brings changes to browser targeting and clipboard hijacking.

The threat employs a four-stage infection chain, with changes to its boot function, which now includes additional checks for Firefox and a modified check for Telegram.

At the fourth stage of the chain, the malware fetches a run-only compiled AppleScript ...


Copyright of this story solely belongs to securityweek.