Hackers infecting Apple App developers with Trojanized Xcode projects

Cybersecurity researchers on Thursday disclosed a new attack in which threat actors use Xcode as an attack vector to compromise Apple platform developers with a backdoor, adding to a growing trend of malicious attacks aimed at software development.

The Trojanized Xcode project, called ‘XcodeSpy’, is an infected version of a legitimate open-source project available on GitHub called TabBarInteraction, which developers use to animate iOS tabs based on user interaction.

“XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer, along with a persistence mechanism,” SentinelOne said.

Xcode is Apple’s integrated development environment (IDE) for macOS, which is used to develop software for macOS, iOS, iPadOS, watchOS and tvOS.

Earlier this year, Google’s Threat Analysis Group disclosed a North Korean campaign targeting security researchers and developers, part of which involved a Visual Studio project designed to load a malicious DLL onto Windows systems.

The doctored Xcode project does something similar, but this time the attacks single out Apple developers.

In addition to the original code, XcodeSpy also includes an obfuscated Run Script that is executed when the developer’s build target is launched. The script then contacts an attacker-controlled server to fetch a custom variant of the EggShell backdoor onto the development machine, which includes features to record information from the victim’s microphone, camera, and keyboard.

“XcodeSpy utilizes a built-in feature of Apple’s IDE that enables developers to execute a custom shell when launching an instance of their target application,” the researchers said. “Although the technique is easy to identify when searched for, new or inexperienced developers who are not aware of the Run Script feature are particularly at risk because there is no indication in the console or debugger around the execution of the malicious script.”
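Because the Run Script hook described above is stored as plain text in the project file, a developer can audit a cloned project before building it. The following is an added example, not SentinelOne’s tooling: it parses the PBXShellScriptBuildPhase objects in a project.pbxproj and flags scripts that use obfuscation or network-fetch idioms; the indicator patterns and the sample project text are constructed for illustration.

```python
"""Audit an Xcode project.pbxproj for Run Script build phases (added example).

Xcode stores a Run Script phase as a PBXShellScriptBuildPhase whose shellScript
string runs when the target is built. The indicators are constructed heuristics."""
import re

# One PBXShellScriptBuildPhase object: "<id> /* comment */ = { ... };"
PHASE_RE = re.compile(
    r"(\w+)\s*(?:/\*.*?\*/)?\s*=\s*\{\s*isa = PBXShellScriptBuildPhase;(.*?)^\s*\};",
    re.S | re.M)
NAME_RE = re.compile(r'name = "?([^";]+)"?;')
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Idioms that hide what a build script does or pull code from the network.
INDICATORS = {
    "eval of generated text": r"\beval\b",
    "base64 decode": r"\bbase64\b.*-(d|D|-decode)\b",
    "remote fetch": r"\b(curl|wget)\b",
    "pipe to shell": r"\|\s*(ba|z)?sh\b",
}

def unescape(s):
    """Undo pbxproj escaping of quotes, backslashes, newlines and tabs."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), s)

def audit_pbxproj(text):
    """Return one record per Run Script phase with the indicators it matched."""
    findings = []
    for phase_id, body in PHASE_RE.findall(text):
        name = NAME_RE.search(body)
        script = SCRIPT_RE.search(body)
        script = unescape(script.group(1)) if script else ""
        flags = [k for k, p in INDICATORS.items() if re.search(p, script)]
        findings.append({"id": phase_id, "script": script, "flags": flags,
                         "name": name.group(1) if name else "(unnamed)"})
    return findings

# Constructed sample: a benign lint phase next to an obfuscated, unnamed one.
SAMPLE_PBXPROJ = r'''
    AA01 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        name = "Lint";
        shellScript = "swiftlint lint --quiet\n";
    };
    AA02 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "eval \"$(echo UExBQ0VIT0xERVI= | base64 -D)\"\n";
    };
'''
```

Run `audit_pbxproj` over the real `project.pbxproj` inside a `.xcodeproj` bundle; any phase with a non-empty `flags` list deserves a manual read before the first build.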

SentinelOne said it identified two variants of the EggShell payload, with samples uploaded to VirusTotal from Japan on August 5 and October 13 last year. Additional clues point to one unnamed U.S. organization being targeted between July and October 2020 in this campaign, and other developers in Asia are likely to have been targeted as well.

Adversaries have previously used tainted Xcode executables (known as XcodeGhost) to inject malicious code into iOS applications compiled with the infected Xcode without the developers’ knowledge, and then used the infected applications to collect information from devices once they were downloaded and installed from the App Store.

In August 2020, Trend Micro researchers discovered a similar threat spread via modified Xcode projects, which were injected at build time to install Mac malware called XCSSET that steals credentials, takes screenshots, exfiltrates sensitive data from messaging apps and other applications, and even encrypts files for ransom.

XcodeSpy, on the other hand, takes a simpler path: its goal appears to be compromising the developers themselves, although the ultimate objective of the operation and the identity of the group behind it remain unclear.

“Targeting software developers is the first step in a successful supply chain attack. One way to do that is to abuse the development tools needed to carry out this work,” the researchers said.

“It’s quite possible that XcodeSpy is targeting a specific developer or group of developers, but there are other possible scenarios with such high-value victims. Attackers can simply trawl for interesting targets and collect data for future campaigns, or they may try to collect AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures.”
