A new backdoor threat has been discovered that aims to compromise Apple developers’ Macs with a trojanized Xcode project. The malware can record from the victim’s microphone, camera, and keyboard, and can also upload and download files. The first in-the-wild example of the threat was found within a US organization.
The new malicious Xcode project was discovered by Sentinel Labs (via Ars Technica). The researchers have named the threat “XcodeSpy”; its payload is a custom variant of the EggShell backdoor that compromises macOS.
The trojanized code is a malicious replica of a legitimate open-source Xcode project and works by abusing the Run Script build phase in the Xcode IDE, so the payload is fetched when the developer simply builds the project. Sentinel Labs explains:
We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub. The project offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.
The XcodeSpy version, however, has been subtly changed to execute an obfuscated Run Script when the developer’s build target is launched. The script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor on the development machine. The malware installs a user LaunchAgent for persistence and is able to record information from the victim’s microphone, camera, and keyboard.
The researchers at Sentinel Labs have found two variants of the payload and so far have seen one in-the-wild case within a US organization. They believe the malware campaign may have run from July to October 2020 and say the extent of the spread is unknown for now, but further XcodeSpy projects could be in the wild.
We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.
While XcodeSpy could have been used as a targeted attack on a small group of Apple developers, Sentinel Labs recommends all Apple developers check for and mitigate malicious code. You can find the step-by-step directions on how to do that here (under the Detection and Mitigation section).
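As an added defender-side example (not code from this article or from Sentinel Labs), the following Python script parses an Xcode project.pbxproj file for PBXShellScriptBuildPhase entries, the Run Script phases that XcodeSpy abuses, and flags any script showing download-and-execute or obfuscation traits so a developer can review it before building. The indicator patterns and the embedded sample project fragment are constructed assumptions for this example, not the indicators from the Sentinel Labs report.

```python
import re

# Heuristic traits of download-and-execute or obfuscated build scripts; this
# list is an assumption for the example, not the report's indicators.
INDICATORS = {
    "base64 decode": r"base64\s+(-d|-D|--decode)\b",
    "eval of generated code": r"\beval\b",
    "network fetch": r"\b(curl|wget|nscurl)\b",
    "inline interpreter": r"\b(python[23]?|perl|osascript)\s+-[ce]\b",
    "backgrounded, stderr silenced": r"2>\s*/dev/null\s*&\s*$",
}
# A Run Script phase looks like:  <id> /* comment */ = { isa = ...; ...; };
_PHASE = re.compile(
    r"(\w+)\s*(?:/\*[^*]*\*/)?\s*=\s*\{\s*isa = PBXShellScriptBuildPhase;(.*?)\};",
    re.S)
_SCRIPT = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)

def _unescape(s):
    # Undo pbxproj string escaping: \n, \t, \", \\
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), s)

def find_run_scripts(pbxproj_text):
    """Return [(phase_id, script_text)] for every Run Script build phase."""
    out = []
    for m in _PHASE.finditer(pbxproj_text):
        s = _SCRIPT.search(m.group(2))
        if s:
            out.append((m.group(1), _unescape(s.group(1))))
    return out

def audit_pbxproj(pbxproj_text):
    """Return [(phase_id, [matched indicators])] for phases needing a human look."""
    hits = []
    for phase_id, script in find_run_scripts(pbxproj_text):
        found = [name for name, pat in INDICATORS.items() if re.search(pat, script, re.M)]
        if found:
            hits.append((phase_id, found))
    return hits

# Constructed sample: a benign lint phase and a phase with the traits above.
SAMPLE_PBXPROJ = r'''
    AA01 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
    };
    AA02 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "eval \"$(echo aGVsbG8= | base64 -d)\" 2>/dev/null &\n";
    };
'''
```

Run `audit_pbxproj` over the text of each `project.pbxproj` in a checked-out project before opening it in Xcode; any flagged phase deserves manual reading, since a Run Script phase executes at build time with the developer's privileges.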
Check out the full technical details of XcodeSpy in the full report.