Hackers infecting Apple App developers with Trojanized Xcode projects

Cybersecurity researchers unveiled a new attack on Thursday in which threat actors use Xcode as an attack vector to backdoor Apple platform developers, adding to a growing trend of developers and researchers being targeted with malicious attacks.

The trojanized Xcode project, called “XcodeSpy”, is an infected version of a legitimate, open-source project available on GitHub called TabBarInteraction, which developers use to animate iOS tab bars based on user interaction.

“XcodeSpy is a malicious Xcode project that installs a modified variant of the EggShell backdoor on the developer’s macOS computer, along with a persistence mechanism,” said SentinelOne researchers.

Xcode is Apple’s integrated development environment (IDE) for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS.

Earlier this year, Google’s Threat Analysis Group discovered a North Korean campaign targeting security researchers and exploit developers by sharing a Visual Studio project designed to load a malicious DLL on Windows systems.

The trojanized Xcode project does something similar, only this time the attacks single out Apple developers.

In addition to the original code, XcodeSpy also includes an obfuscated Run Script that runs when the developer’s build target is launched. The script then contacts an attacker-controlled server to retrieve and install a modified variant of the EggShell backdoor on the development machine, which comes with capabilities to record information from the victim’s microphone, camera, and keyboard.

“XcodeSpy uses a built-in feature of Apple’s IDE that allows developers to run a custom shell script when launching an instance of their target application,” said the researchers. “While the technique is easily identifiable when searched for, new or inexperienced developers who are unaware of the Run Script feature are particularly at risk as there is no indication in the console or debugger to indicate that the malicious script is running.”
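Because the Run Script phase leaves no trace in the console, the practical place to look for it is the project file itself. As an added example (not from the article or from SentinelOne), the following heuristic scan reads a project.pbxproj, pulls out every PBXShellScriptBuildPhase, and flags scripts that contain decode-and-execute idioms or long encoded tokens; the pbxproj fragment is constructed for the demo and the regexes assume the usual pbxproj layout.

```python
import math
import re

# Constructed sample project.pbxproj fragment: one ordinary Run Script phase and
# one whose body hides behind an encoded blob (here it decodes to harmless text).
SAMPLE_PBXPROJ = '''
/* Begin PBXShellScriptBuildPhase section */
    AA01 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        name = "Lint";
        shellPath = /bin/sh;
        shellScript = "swiftlint lint --quiet\\n";
    };
    AA02 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "echo aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q= | base64 -D | sh\\n";
    };
/* End PBXShellScriptBuildPhase section */
'''
PHASE_RE = re.compile(r'(?P<id>[0-9A-F]+)\s*/\*[^*]*\*/\s*=\s*\{\s*'
                      r'isa = PBXShellScriptBuildPhase;(?P<body>.*?)\n\s*\};', re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)
NAME_RE = re.compile(r'name = "([^"]*)";')
# Heuristic markers: decode-and-run idioms that rarely belong in a build step.
SUSPICIOUS_WORDS = ("base64", "eval", "nohup", "openssl enc", "| sh", "| bash")
ENCODED_TOKEN_RE = re.compile(r'[A-Za-z0-9+/=]{32,}')


def shannon_entropy(s):
    """Bits per character; encoded or packed data sits well above plain shell."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_pbxproj(text):
    """Return one finding per Run Script phase whose script looks obfuscated."""
    findings = []
    for phase in PHASE_RE.finditer(text):
        body = phase.group("body")
        script = SCRIPT_RE.search(body)
        if not script:
            continue
        reasons = [w for w in SUSPICIOUS_WORDS if w in script.group(1)]
        for tok in ENCODED_TOKEN_RE.findall(script.group(1)):
            reasons.append(f"encoded token, {len(tok)} chars, entropy {shannon_entropy(tok):.1f}")
        if reasons:  # ordinary phases such as the linter above produce no finding
            name = NAME_RE.search(body)
            findings.append({"phase": phase.group("id"),
                             "name": name.group(1) if name else "(unnamed)",
                             "reasons": reasons})
    return findings
```

Run it over `open("MyApp.xcodeproj/project.pbxproj").read()` before building a project pulled from an untrusted repository; the markers are heuristics, so review each hit rather than treating an empty result as a clean bill of health.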

SentinelOne said it has identified two variants of the EggShell payload, with the samples uploaded to VirusTotal from Japan on August 5 and October 13 last year. Additional clues point to an unnamed US organization that was reportedly targeted by this campaign between July and October 2020, while other developers in Asia are likely to be targeted as well.

Malicious actors have previously resorted to compromised Xcode executables (aka XcodeGhost) to inject malicious code into iOS apps compiled with the infected Xcode without the developers’ knowledge, and then used the infected apps to extract information from devices as soon as they were downloaded and installed from the App Store.

Then, in August 2020, researchers at Trend Micro discovered a similar threat spreading through modified Xcode projects, which were configured at build time to install a macOS malware called XCSSET that steals credentials, takes screenshots, lifts sensitive data from messaging and note-taking apps, and even encrypts files for ransom.

Like XCSSET, XcodeSpy takes an easier path, as the goal appears to be to attack the developers themselves, although the ultimate goal behind the exploitation and the identity of the group behind it remain unclear.

“Targeting software developers is the first step in a successful supply chain attack. One way to do this is by exploiting the development tools needed to perform this work,” the researchers said.

“It is entirely possible that XcodeSpy is targeting a particular developer or group of developers, but there are other potential scenarios with such valuable victims. Attackers could simply look for interesting targets and collect data for future campaigns, or they could try to collect AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures.”
