Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New XcodeSpy Mac Malware Targets Software Developers

A recently discovered Mac malware has been used by unknown threat actors to target software developers who use Apple’s Xcode integrated development environment.

A recently discovered Mac malware has been used by unknown threat actors to target software developers who use Apple’s Xcode integrated development environment.

Endpoint security company SentinelOne reported on Thursday that the malware, which it has named XcodeSpy, appears to deliver a custom variant of a backdoor known as EggShell, which allows its operators to spy on users. The backdoor can be used to upload and download files, and capture data from the victim’s camera, microphone and keyboard.

SentinelOne learned about the malware from an anonymous researcher, but the company also spotted XcodeSpy in the wild in late 2020 at an organization in the United States. This victim told SentinelOne that it’s regularly targeted by threat actors linked to North Korea and they came across the malware while conducting threat hunting activities.

Based on samples uploaded to VirusTotal, the malware may have also been used in attacks aimed at developers in Japan.

The cybersecurity firm has found evidence that the campaign involving XcodeSpy was active at least between July and October 2020. In at least one instance, the malware was delivered as a trojanized version of an open source Xcode project offered to iOS developers.

“The XcodeSpy version has been subtly changed to execute an obfuscated Run Script when the developer’s build target is launched,” SentinelOne explained in its blog post. “The script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor on the development machine.”

The company has not found any other trojanized Xcode projects, but believes that other similar malicious projects could exist.

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” SentinelOne said.

Advertisement. Scroll to continue reading.

This is not the first piece of malware that has been observed targeting Xcode developers. Back in 2015, a threat named XcodeGhost had allowed attackers to inject malicious code into hundreds of legitimate applications using rogue versions of Xcode that developers downloaded from third-party websites.

More recently, a piece of Mac malware named XCSSET was seen spreading through code injected into Xcode projects, with the payload being executed when the project was built. XCSSET allows its operators to launch ransomware attacks and steal data from victims. It was recently analyzed by researchers at Kaspersky, who discovered a variant designed to run on devices powered by Apple’s M1 chip.

Related: Several New Mac Malware Families Attributed to North Korean Hackers

Related: ThiefQuest Mac Malware Includes Ransomware, Data Theft Capabilities

Related: Repurposing Mac Malware Not Difficult, Researcher Shows

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

Bret Arsenault is retiring from his full-time role after 35 years at Microsoft.

Social engineering defense platform Doppel has appointed Bobby Ford as Chief Strategy and Experience Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.