New dangerous malware variant targeting iOS developers

An unidentified hacking group is using a sophisticated malware for Mac devices in order to attack software developers using the Xcode development environment, integrated into some Apple systems. According to the report submitted by the security firm SentinelOne, this variant of malware, identified as XcodeSpy, seems to work similarly to the backdoor known as EggShell. This malware allows threat actors to spy on users, as well as upload and download files and intercept data from the target system’s camera, microphone and keyboard.

At first the company received the report from an anonymous researcher, although soon after SentinelOnline confirmed the detection of multiple cases of infections in the wild. One of the affected developers even claimed that this attack could be linked to the North Korean government, whose cybercriminal partners frequently attack software developers in the West.

Moreover, XcodeSpy samples uploaded to the VirusTotal cybersecurity platform suggest that this malware could have been used in targeting attacks against developers in Japan. According to SentinelOne, evidence of campaigns involving XcodeSpy samples deployed between July and October 2020 has been found; in at least one of these campaigns, this malware was delivered as a trojanized version of an Xcode open source project, which was offered to some iOS developers.

Researchers also acknowledge that they have not been able to detect other trojanized Xcode projects, although they believe this could become a new cybercriminal trend: “While XcodeSpy seems to be targeting iOS developers specifically, there is only one small step between such attacks and malware delivery to end users.”

It should be noted that this is not the first malware sample that targets directly against Xcode developers. About 5 years ago, a group of cybersecurity specialists detected malware identified as XcodeGhost, which allowed multiple hacking groups to inject malicious code into dozens of applications created by legitimate developers, employing fake versions of Xcode downloaded on unofficial platforms.

A few months ago a group of experts detected a variant of malware for Mac devices called XCSSET, which spread through code injected into Xcode projects and ran its payload when the project was built. XCSSET allows its operators to launch ransomware attacks and steal data from victims.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.