Hello, welcome to the Friday, March 19th, 2021 edition of the Santernut Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm virtually teaching from San Diego, California.

Keyloggers are a standard component of malware and Xavier took a closer look at key loggers implemented in Python,

with Python, of course, being a language that does show up more and more in malware.

Xavier used Varys Total Retrohunt to look for samples that implement keyloggers in Python.

And he found a small number of them a total of nine occurrences only, but many of them

were submitted in the last couple months.

So let me indicate that the bad guys are actually taking notice and are starting to experiment

more with Python keyloggers.

Well, I'm talking about keyloggers recording the user's keystrokes.

Why not also record sounds with the microphone and images with the camera while you're at.

That is apparently what a new piece of Malver is doing that is targeting Mac developers.

Xcode Spy is what Sentinel One called it in its blog post.

And it is infecting developers' systems if they are trying to install a malicious

module. The legitimate module they are trying to install is called tabbar interaction, but

there is a look-alike project on GitHub that is easily mistaken for this legitimate module.

And the result is that once you are compiling a project with the malicious version of

Tapbar interaction, it takes advantage of a feature of Xcode, the Apple developer environment, that can execute code while it compiles a project,

and this malicious code will then install a backdoor on developers' system.

Of course, it's of your classic supply chain attack.

Once the attacker has a foothold on the developer system,

they now are able to modify and corrupt any software that is being created on that

developer's system as well. This backdoor may go back to September last year.

...