Attackers are trying awfully hard to backdoor iOS developers' Macs

Close-up photograph of Mac keyboard and toolbar.

Researchers said they found a trojanized code library that tries to install advanced surveillance malware on the Macs of iOS software developers.

It came in the form of a malicious project that the attacker wrote for Xcode, the developer tool that Apple makes available for free to developers who create applications for iOS or other Apple operating systems. The project was a copy of TabBarInteraction, a legitimate open source project that makes it easier for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all the files, resources and information needed to build an application.

Walking on egg shells

Along with the legitimate code was an obfuscated script, known as a “Run Script”. The script, which ran whenever the developer launched the build target, contacted an attacker-controlled server to download and install a customized version of EggShell, an open source backdoor that spies on users through their microphone, camera and keyboard.

Researchers at SentinelOne, the security company that discovered the trojanized project, called it XcodeSpy. They say they have discovered two variants of the custom EggShell dropped by the malicious project. Both were uploaded to VirusTotal via the web interface from Japan, the first on August 5 and the second on October 13.

“The latter sample was also found in the wild in late 2020 on a victim’s Mac in the United States,” SentinelOne researcher Phil Stokes wrote in a blog on Thursday. “For reasons of confidentiality, we are unable to provide further details about the ITW [in the wild] incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection surfaced as part of their regular threat-hunting activities.”

So far, the company’s researchers are aware of only one in-the-wild case, from an organization based in the United States. The indications from the SentinelOne analysis suggest that the campaign was “in operation at least between July and October 2020 and could also target developers in Asia”.

Developers under attack

Thursday’s post came two months after researchers at Microsoft and Google said hackers backed by the North Korean government were actively trying to infect the computers of security researchers. To gain the trust of researchers, hackers spent weeks building personas on Twitter and developing working relationships online.

Finally, the fake Twitter profiles asked researchers to use Internet Explorer to open a web page. Those who took the bait would find that their fully patched Windows 10 machine had a malicious service and an in-memory backdoor installed. Microsoft fixed the vulnerability last week.

In addition to using the watering-hole attack, the hackers also sent developers a Visual Studio project that supposedly contained the source code for a proof-of-concept exploit. Hidden within the project was custom malware that contacted the attackers’ command-and-control server.

Obfuscated malice

Experienced developers have long known the importance of checking for malicious Run Scripts before using a third-party Xcode project. While detecting the scripts is not difficult, XcodeSpy tried to make the job harder by obfuscating the script.

[Image: the obfuscated Run Script. Credit: SentinelOne]

When decoded, it was clear that the script contacted a server at cralev[.]me and ran the mysterious mdbcmd command through a reverse shell embedded in the server.

[Image: the decoded Run Script. Credit: SentinelOne]

The only warning a developer would receive after running the Xcode project would be something like this:

[Image: screenshot of the build-phase warning. Credit: Patrick Wardle]

SentinelOne provides a script that makes it easier for developers to find Run Scripts in their projects. Thursday’s post also provides indicators of compromise to help developers find out if they have been targeted or infected.
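The check described above, as an added example (not SentinelOne's script and not part of the original article): it parses the PBXShellScriptBuildPhase entries of an Xcode project.pbxproj, unescapes each shellScript body and flags patterns that an obfuscated Run Script typically relies on (eval, base64 decoding, network fetches, long encoded blobs). The embedded pbxproj excerpt is constructed for the demo; its encoded payload is just a harmless echo.

```python
import re

# Constructed excerpt of an Xcode project.pbxproj with two Run Script phases:
# a normal lint step and one whose body is base64-encoded and passed to eval,
# the kind of hiding a malicious Run Script uses. Sample data, not real malware.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA11 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		BB22 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo ZWNobyBoZWxsbw== | base64 --decode)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# Heuristics a reviewer would want flagged in a build phase, with the reason reported.
SUSPICIOUS = [
    (re.compile(r'\beval\b'), 'eval of a dynamically built command'),
    (re.compile(r'\bbase64\b.*(-d|-D|--decode)'), 'base64 decode in build phase'),
    (re.compile(r'\b(curl|wget)\b'), 'network fetch during build'),
    (re.compile(r'\bxxd\s+-r\b|\bopenssl\s+enc\b.*\s-d\b'), 'hex or cipher decoding'),
    (re.compile(r'[A-Za-z0-9+/=]{40,}'), 'long encoded blob'),
]

def _unescape(raw):
    # pbxproj quoted strings escape " \ and newlines with a backslash.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), raw)

def find_run_scripts(pbxproj_text):
    """Return one dict per Run Script phase: id, name, decoded script, reasons flagged."""
    found = []
    for m in re.finditer(r'([0-9A-Za-z]+)\s*(?:/\*[^*]*\*/)?\s*=\s*\{(.*?)\};', pbxproj_text, re.S):
        ident, body = m.group(1), m.group(2)
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        name = re.search(r'name = "?([^";]+)"?;', body)
        script = re.search(r'shellScript = "((?:[^"\\]|\\.)*)";', body)
        text = _unescape(script.group(1)) if script else ''
        reasons = [why for rx, why in SUSPICIOUS if rx.search(text)]
        found.append({'id': ident, 'name': name.group(1) if name else '', 'script': text, 'reasons': reasons})
    return found

def scan_file(path):
    # Convenience wrapper for a real checkout: point it at <Project>.xcodeproj/project.pbxproj
    with open(path, encoding='utf-8') as fh:
        return find_run_scripts(fh.read())

if __name__ == '__main__':
    for phase in find_run_scripts(SAMPLE_PBXPROJ):
        flag = 'SUSPICIOUS' if phase['reasons'] else 'ok'
        print(f"{phase['id']} {phase['name'] or '(unnamed)'}: {flag} {phase['reasons']}")
```

Review every flagged phase by hand; the heuristics are a triage aid, and a Run Script that downloads anything during a build deserves scrutiny even when no pattern matches.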

A vector of malice

It is not the first time that Xcode has been used in a malware attack. Last August, researchers discovered Xcode projects available online that incorporated exploits for two Safari vulnerabilities that were zero-days at the time. As soon as one of the XCSSET projects was opened and built, a Trend Micro analysis found, the malicious code would run on the developer’s Mac.

And in 2015, researchers found 4,000 iOS apps that were infected with XcodeGhost, the name given to a tampered version of Xcode that circulated mainly in Asia. Applications compiled with XcodeGhost could be used by attackers to read and write the device’s clipboard, open specific URLs and exfiltrate data.

In contrast to XcodeGhost, which infected applications, XcodeSpy targeted developers. Given the capabilities of the XcodeSpy surveillance backdoor it installed, it would not be too difficult for attackers to eventually deliver malware to users of the developer’s software.

“There are other scenarios with these high-value victims,” wrote Stokes of SentinelOne. “Attackers may simply be looking for interesting targets and collecting data for future campaigns, or they may be trying to gather AppleID credentials for use in other campaigns that use malware with valid Apple developer code signatures. These suggestions do not exhaust the possibilities, nor are they mutually exclusive.”
