Mac Users Targeted by Spyware Spreading via Xcode Projects

The XCSSET malware suite also hijacks browsers, includes a ransomware module and more, and uses a pair of zero-day exploits.

Xcode consists of a suite of free, open software development tools developed by Apple for creating software for macOS, iOS, iPadOS, watchOS and tvOS.

The researchers were able to trace an infected project's Xcode work data files and found a hidden folder containing a Mach-O executable, located in one of the .xcodeproj files.
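As an added defensive example, not code from the original article or from the researchers it cites: a small Python scanner that walks a project tree and flags Mach-O binaries sitting under a dot-directory inside a .xcodeproj bundle, the placement described above. A .xcodeproj normally holds only text files (project.pbxproj, schemes, workspace data), so an executable image there, let alone one in a hidden folder, is worth a look before the project is built. The sample tree it creates (Demo.xcodeproj, the .hidden_payload folder, the file named xcassets, and the two decoys) is constructed for illustration and contains only header stubs, not real binaries.

```python
import os
import tempfile
from pathlib import Path

# First four bytes of a Mach-O image, in both byte orders, plus the
# universal ("fat") binary header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC      (32-bit)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM      (32-bit, byte-swapped)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64   (64-bit)
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64   (64-bit, byte-swapped)
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC     (universal binary; shared with Java .class)
}


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def hidden_inside_xcodeproj(parts):
    """True if a dot-directory sits below the first .xcodeproj component of a path."""
    for i, part in enumerate(parts):
        if part.endswith(".xcodeproj"):
            return any(p.startswith(".") for p in parts[i + 1:])
    return False


def find_hidden_machos(root):
    """Return root-relative POSIX paths of Mach-O files located in a hidden
    directory inside a .xcodeproj bundle, sorted for stable output."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = Path(dirpath).relative_to(root).parts
        if not hidden_inside_xcodeproj(rel_parts):
            continue
        for name in filenames:
            full = Path(dirpath) / name
            if is_macho(full):
                findings.append(full.relative_to(root).as_posix())
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample project: one .xcodeproj with a planted Mach-O stub
    in a dot-folder, plus two decoys that must not be reported."""
    base = Path(base)
    proj = base / "Demo.xcodeproj"
    proj.mkdir(parents=True)
    (proj / "project.pbxproj").write_text("// !$*UTF8*$!\n{ objects = {}; }\n")
    planted = proj / "xcuserdata" / ".hidden_payload"
    planted.mkdir(parents=True)
    # Constructed 64-bit Mach-O header stub (magic + zero padding), not a real binary.
    (planted / "xcassets").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    # Decoy 1: hidden dir holding a Mach-O stub, but outside any .xcodeproj.
    build_dir = base / "Sources" / ".build"
    build_dir.mkdir(parents=True)
    (build_dir / "tool").write_bytes(b"\xfe\xed\xfa\xcf" + b"\x00" * 28)
    # Decoy 2: hidden dir inside the .xcodeproj holding a plain text file.
    notes = proj / ".notes"
    notes.mkdir()
    (notes / "todo.txt").write_text("not an executable\n")


def run_demo():
    """Build the constructed tree in a temp directory, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_hidden_machos(tmp)


if __name__ == "__main__":
    for hit in run_demo():
        print("suspicious Mach-O in hidden .xcodeproj folder:", hit)
```

Run it against a real checkout by calling find_hidden_machos on the repository root instead of the constructed tree. The check is deliberately narrow (hidden folder inside a .xcodeproj); widening it to any Mach-O under a .xcodeproj, or to dot-folders anywhere in a source tree, will catch more but also flag build caches such as .build directories.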

When executed, the Mach-O malware connects to a hardcoded command-and-control server address, and begins to take screenshots of the current desktop at the rate of once a minute; once a new screenshot is taken, the previous one is deleted, the analysis noted.

However, the Mach-O's main purpose is to download and run the second-stage payload, an AppleScript file called main.scpt, which carries out most of the malicious behavior.

The research noted that when the Main payload is executed, it first harvests basic system information of the infected user, then kills certain running processes if present, including various browsers as well as com.apple.core, com.oracle.java and others.

Researchers detailed that it then replaces the app's corresponding icon file and Info.plist to make the fake app look like a real, normal app; thus, when users go to open the normal app, the malicious one opens instead.

According to the analysis, when the fake app is opened, the package's malicious capabilities are then executed, deploying a raft of modules used for various goals: taking over browsers; stealing information from installed apps including Evernote, Skype and Telegram; and spreading to other hosts.

The attackers can then manipulate browser results; manipulate and replace found Bitcoin and other cryptocurrency addresses; replace a Chrome download link with a link to an old version package; steal Google, Yandex, Amocrm, SIPmarket, PayPal and Apple ID credentials; steal credit-card data linked in the Apple Store; prevent the user from changing passwords and also record new passwords; and take screenshots of certain accessed sites.
