Trojanized Xcode project aimed at Apple developers found in the wild

A new backdoor threat aimed at compromising Apple developers’ Macs with a Trojanized Xcode project has been discovered. The malware can record the victim’s microphone, camera and keyboard, as well as their files. The first in-the-wild example of the threat was found in an American organization.

The new malicious Xcode project was discovered by Sentinel Labs (via Ars Technica). The researchers named the threat ‘XcodeSpy’; it uses the EggShell backdoor to compromise macOS.

The Trojanized code hides inside a replica of a legitimate open source Xcode project and works by abusing the Run Script feature of the Xcode IDE. Sentinel Labs explains:

We recently became aware of a Trojanized Xcode project in the wild aimed at iOS developers, thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate open source project available on GitHub. The project offers iOS developers several advanced features for animating the iOS tab based on user interaction.

However, the XcodeSpy version has been subtly changed to execute an obscured Run Script when the developer’s target is launched. The script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor onto the development machine. The malware installs a user LaunchAgent for persistence and can record information from the victim’s microphone, camera and keyboard.

Sentinel Labs researchers have found two variants of the payload and have so far seen one in the wild, in an American organization. They believe the malware campaign may have run from July to October 2020, and say that while the extent of its spread is currently unknown, further XcodeSpy projects may be in the wild.

We have so far been unable to discover other examples of Trojanized Xcode projects and cannot determine the extent of this activity. However, the timeline of known samples and other indicators mentioned below suggests that other XcodeSpy projects may exist. By sharing the details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are valuable targets for attackers.

While XcodeSpy may have been used as a targeted attack on a small group of Apple developers, Sentinel Labs recommends that all Apple developers check for the malicious code and mitigate it. Step-by-step instructions on how to do this are available here (under the Detection and Mitigation section).
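The Run Script build phase is the mechanism the Trojanized project relies on, so it is also where a pre-build check belongs. As an added example that is not part of this article or of Sentinel Labs’ report, the following Python script lists every Run Script build phase in an Xcode project.pbxproj file, decodes the script text and flags tokens that warrant reading the script in full before building; the project fragment and the token list are constructed for illustration.

```python
import re

# Constructed project.pbxproj fragment (not XcodeSpy's): one harmless Run Script
# phase and one that decodes and evaluates an encoded blob, the pattern to review.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AB12 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "echo \"Building $PRODUCT_NAME\"\n";
		};
		CD34 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo aGVsbG8= | base64 -d)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# Constructed list of tokens that rarely belong in the build script of a UI
# library; any hit means the script should be read in full before building.
SUSPICIOUS = ("base64", "eval", "curl", "wget", "osascript", "launchctl", "LaunchAgents")

BLOCK_RE = re.compile(r'(\w+) /\* [^*]* \*/ = \{(.*?)\};', re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL)
NAME_RE = re.compile(r'name = "([^"]*)";')

def unescape(s):
    """Undo the backslash escaping pbxproj applies to the shellScript value."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def find_run_scripts(pbxproj_text):
    """Return every PBXShellScriptBuildPhase with its decoded script and flagged tokens."""
    phases = []
    for obj_id, body in BLOCK_RE.findall(pbxproj_text):
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        m = SCRIPT_RE.search(body)
        script = unescape(m.group(1)) if m else ""
        name = NAME_RE.search(body)
        phases.append({"id": obj_id, "name": name.group(1) if name else "(unnamed)",
                       "script": script, "flags": [t for t in SUSPICIOUS if t in script]})
    return phases

if __name__ == "__main__":
    for p in find_run_scripts(SAMPLE_PBXPROJ):
        status = "REVIEW" if p["flags"] else "ok"
        print(f"[{status}] {p['id']} {p['name']} flags={p['flags']}\n{p['script']}")
```

Run it against a real project with `find_run_scripts(open("App.xcodeproj/project.pbxproj").read())`; a phase marked REVIEW is not proof of malice, only a script to read before the first build.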

See the full technical details of XcodeSpy in the full report.
