New XcodeSpy Mac Malware Targets Software Developers

A recently discovered Mac malware has been used by unknown threat actors to target software developers who use Apple’s Xcode integrated development environment.

Endpoint security company SentinelOne reported on Thursday that the malware, which it has named XcodeSpy, appears to deliver a custom variant of a backdoor known as EggShell, which allows its operators to spy on users. The backdoor can be used to upload and download files, and capture data from the victim’s camera, microphone and keyboard.

SentinelOne learned about the malware from an anonymous researcher, but the company also spotted XcodeSpy in the wild in late 2020 at an organization in the United States. This victim told SentinelOne that it’s regularly targeted by threat actors linked to North Korea and they came across the malware while conducting threat hunting activities.

Based on samples uploaded to VirusTotal, the malware may have also been used in attacks aimed at developers in Japan.

The cybersecurity firm has found evidence that the campaign involving XcodeSpy was active at least between July and October 2020. In at least one instance, the malware was delivered as a trojanized version of an open source Xcode project offered to iOS developers.

“The XcodeSpy version has been subtly changed to execute an obfuscated Run Script when the developer’s build target is launched,” SentinelOne explained in its blog post. “The script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor on the development machine.”

The company has not found any other trojanized Xcode projects, but believes that other similar malicious projects could exist.

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” SentinelOne said.

This is not the first piece of malware that has been observed targeting Xcode developers. Back in 2015, a threat named XcodeGhost had allowed attackers to inject malicious code into hundreds of legitimate applications using rogue versions of Xcode that developers downloaded from third-party websites.

More recently, a piece of Mac malware named XCSSET was seen spreading through code injected into Xcode projects, with the payload being executed when the project was built. XCSSET allows its operators to launch ransomware attacks and steal data from victims. It was recently analyzed by researchers at Kaspersky, who discovered a variant designed to run on devices powered by Apple’s M1 chip.

Related: Several New Mac Malware Families Attributed to North Korean Hackers

Related: ThiefQuest Mac Malware Includes Ransomware, Data Theft Capabilities

Related: Repurposing Mac Malware Not Difficult, Researcher Shows