XCSSET Mac Malware

[Massimiliano]

Is there anything known about, at least as far as Malwarebytes is concerned, the new Mac Malware infecting the XCode projects found by TrendMicro (link here on TrendMicro Blog XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits)?

Thanks

Greetings

Massimiliano

[GuruGuy]

Great question that I was going to ask and got sidetracked and forgot...

[treed]

I don't think there's anything to share that isn't already in Trend's report, except to note that we detect the malware as OSX.DubRobber. Trend's report noted that they were primarily seeing it in India and China, and I can confirm that we also have primarily seen it in India. Cases outside India have been quite sparse.

[GuruGuy]

3 minutes ago, treed said:

I don't think there's anything to share that isn't already in Trend's report, except to note that we detect the malware as OSX.DubRobber. Trend's report noted that they were primarily seeing it in India and China, and I can confirm that we also have primarily seen it in India. Cases outside India have been quite sparse.

So MB 4.0.493 definitions from the end of July (as I'm told) detect this threat?  This "new" threat that everyone is just now reporting on, MB had it in the latest definitions 4.0.493 at the end of July.  That is the latest definition update, correct

[treed]

Yes, that is correct. We were already detecting it before Trend released their findings.

[GuruGuy]

Just now, treed said:

Yes, that is correct. We were already detecting it before Trend released their findings.

Thanks

[TarryFaster]

This came out from Kim Kamando:
https://www.komando.com/security-privacy/chrome-mac-malware/801121/?utm_medium=nl&utm_source=apple&utm_content=2021-08-02

Has Malwarebytes got a handle on it?

 

[Massimiliano]

11 minutes ago, TarryFaster said:

This came out from Kim Kamando:
https://www.komando.com/security-privacy/chrome-mac-malware/801121/?utm_medium=nl&utm_source=apple&utm_content=2021-08-02

Has Malwarebytes got a handle on it?

 

I am not an expert but it seems to me only an article for advertising purposes trying to infuse fear

Cite verbally

Quote

When the virus retrieves the master password for Keychain, it uploads usernames and passwords stored in Google Chrome to the same remote server.

For what little I know the iCloud keychain and the credentials stored in Google Chrome are two entities completely disconnected

Again

Quote

We recommend our sponsor, TOTALAV

More than an article by Cybersecurity Experts, admitted and not granted that the news is real, it seems to me to be considered like Mackeeper's sponsorships (from both I keep very far away)

In addition, searching online, it appears that Kimberly Ann Komando conducts a radio broadcast on consumer technology not really the meeting of the maximum experts on the subject.
However, surely @treed or other staff members will be able to give greater and more precise information about it

 

[TarryFaster]

Here is how I addressed the issue in my news letter to my 220 clients:

NOTE from Terry Sneller: Since I have recommended the free version of Malwarebytes, for years, you may like to know that Malwarebytes has already got this issue covered.  Here is a screenshot of a Malwarebytes Forum discussing the XCSSET malware:
 

 

[treed]

1 hour ago, TarryFaster said:

This came out from Kim Kamando:
https://www.komando.com/security-privacy/chrome-mac-malware/801121/?utm_medium=nl&utm_source=apple&utm_content=2021-08-02

Has Malwarebytes got a handle on it?

Yup, we detect XCSSET, though we call it OSX.DubRobber.

Some commentary on the Kim Komando article:

1. There are a number of factual inaccuracies... examples:
   1. There was no "jump" from macOS to other apps
   2. This was NOT the first upgrade to XCSSET
   3. This did not give it any better ability to run on M1, as the malware is mostly written in AppleScript
2. The article recommends a program that we detect as a potentially unwanted program
3. Kim Komando has absolutely no credibility in the security space at a very minimum. (I'd extend that to say she has absolutely no credibility, but ...)