Find malware with backdoor creation & spying capabilities targeting Apple app developers

A backdoor-targeted malware ' XcodeSpy ' was found in Apple's integrated software development environment '

Xcode' that came with Mac OS X. XcodeSpy can not only create a backdoor in Xcode to leak data, but also add malicious code to applications created in Xcode after infection.

New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor --SentinelLabs

Hackers target Apple developers with backdoor --CyberScoop

Trojanized Xcode Project Slips MacOS Malware to Apple Developers | Threatpost

Attackers are trying awfully hard to backdoor iOS developers' Macs | Ars Technica

The new malware targeting Xcode was reported by American cybersecurity startup SentinelOne . XcodeSpy is a Trojan horse malware that connects to the attacker's server each time you launch a developer build and automatically installs a custom version of the open source tool EggShell that monitors your microphone, camera, and keyboard.

According to SentinelOne's research, XcodeSpy runs a custom shell script when developers launch instances of their applications. As a result of verification that Xcode Spy is actually used for open source software, it has been confirmed that obfuscated scripts are included.

This obfuscation was fairly simple: when decrypted it would execute the mysterious command 'mdbcmd' via a reverse shell built into the attacker's server called 'cralev [.] Me'. Since cralev [.] Me was already offline at the time of discovery, further analysis is impossible.

At the time of the press, SentinelOne confirmed the damage to Xcode Spy by only one American company. Although the damage situation has not been disclosed from the perspective of confidentiality, the company has been repeatedly attacked by North Korean APT attack groups. Attacks using XcodeSpy took place in July-October 2020, and SentinelOne warns developers in Asia in particular, saying that there are other companies that have been affected.

Xcode is often the target of attacks, and in 2015, the malware 'Xcode Ghost' targeting Xcode published on a non-genuine mirror server located in China became popular ...

This is an app that has been found to have been distributed on the App Store after being infected with the malware 'Xcode Ghost' that extracts personal information.

By Ciro Urdaneta

Trend Micro reports that a malware called 'XCSSET' will be prevalent among Xcode projects in 2020 as well.

Mac malware 'XCSSET' that spreads via Xcode project is now available --GIGAZINE

in Security, Posted by darkhorse_log