A new threat has emerged for macOS users. Identified as XcodeSpy, the malware spies on Mac users of the Xcode IDE by delivering the EggShell backdoor.
XcodeSpy Mac Malware
Researchers from SentinelOne have detailed a new piece of malware threatening macOS users. They found the malware to be active in the wild, targeting iOS developers.
As revealed, SentinelOne received a tip from an anonymous developer about a trojanized Xcode project in the wild.
Investigating the matter revealed that the threat actors had modified an otherwise legitimate project on GitHub to create the malicious version. The legitimate project provides advanced animation for the iOS Tab Bar based on user interaction.
However, with the trojanized variant, identified as “XcodeSpy”, the attackers aim to spy on users’ activities.
To do this, the attackers modified the project to execute an obfuscated Run Script that then communicates with the C2 to deliver the backdoor. As stated,
The XcodeSpy version… has been subtly changed to execute an obfuscated Run Script when the developer’s build target is launched. The script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor on the development machine. The malware installs a user LaunchAgent for persistence and is able to record information from the victim’s microphone, camera, and keyboard.
Details about the malware are available in the researchers’ post.
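Because the malicious code lives in a Run Script build phase, a downloaded project can be reviewed before it is built by reading the `shellScript` entries in its `project.pbxproj` file. The following Python script is an added example, not code from SentinelOne or the original project; the indicator patterns, function names and sample project text are assumptions constructed for illustration.

```python
import re
import sys

# Heuristic indicators: assumptions chosen for this example, not taken from the report.
INDICATORS = {
    "decode-and-run": re.compile(r"\b(eval|base64|xxd)\b"),
    "network-fetch": re.compile(r"\b(curl|wget|nc)\b|/dev/tcp/"),
    "persistence": re.compile(r"LaunchAgents|launchctl"),
}

# A Run Script build phase stores its body as: shellScript = "...";
SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
ESCAPES = {"n": "\n", "t": "\t"}


def unescape(raw):
    """Undo the backslash escaping used inside quoted pbxproj strings."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), raw, flags=re.S)


def audit_pbxproj(text):
    """Return every Run Script body with the names of the indicators it matches."""
    findings = []
    for match in SCRIPT.finditer(text):
        script = unescape(match.group(1))
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        findings.append({"script": script, "hits": hits})
    return findings


# Constructed sample: one ordinary lint phase, one harmless obfuscated phase ("echo hi").
SAMPLE = r'''
/* Begin PBXShellScriptBuildPhase section */
    AA0000000000000000000001 /* SwiftLint */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
    };
    AA0000000000000000000002 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "eval \"$(echo ZWNobyBoaQ== | base64 -D)\"\n";
    };
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    # Pass a path to project.pbxproj, or run with no arguments to scan the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for f in audit_pbxproj(text):
        print("FLAG" if f["hits"] else "ok  ", f["hits"], repr(f["script"][:60]))
```

A flagged phase is a prompt for manual review of the script, not proof of compromise; legitimate build phases sometimes download dependencies.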
Malware Active In The Wild
The researchers found two variants of XcodeSpy samples on VirusTotal that were seemingly uploaded on August 5, 2020, and October 13, 2020, from Japan.
They also found this Mac malware active in the United States in late 2020.
Regarding the motives behind XcodeSpy Mac malware, the researchers stated,
It is entirely possible that XcodeSpy may have been targeted at a particular developer or group of developers, but there are other potential scenarios with such high-value victims. Attackers could simply be trawling for interesting targets and gathering data for future campaigns, or they could be attempting to gather AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures. These suggestions do not exhaust the possibilities, nor are they mutually exclusive.
Therefore, all Mac users, particularly iOS developers globally, should remain wary of this malware.