Trojanized Xcode project aimed at Apple developers found in the wild

A new backdoor threat has been discovered that aims to compromise the Macs of Apple developers through a trojanized Xcode project. The malware can record from the victim’s microphone, camera and keyboard, and can also upload and download files. The first in-the-wild example of the threat was found within a United States organization.

The malicious Xcode project was discovered by Sentinel Labs (via Ars Technica). The researchers named the threat “XcodeSpy”; its payload is a customized version of the EggShell backdoor for macOS.

The trojanized project masquerades as a malicious replica of a legitimate open source Xcode project and works by abusing the Run Script feature of the Xcode IDE. Sentinel Labs explains:

We recently learned about a trojanized Xcode project in development aimed at iOS developers thanks to a tip from an anonymous researcher. The malicious project is a tampered version of a legitimate open source project available on GitHub. The project offers iOS developers several advanced features to animate the iOS tab bar based on user interaction.

The XcodeSpy version, however, has been subtly changed to run an obfuscated Run Script when the developer’s build target is launched. The script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor on the development machine. The malware installs a user LaunchAgent for persistence and is able to record information from the victim’s microphone, camera and keyboard.
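The Run Script abuse described above is something a developer can check for before building a project obtained from an untrusted source. The following script is an added example (not SentinelLabs’ or 9to5Mac’s code): it extracts every Run Script build phase from a project.pbxproj and flags common decode-and-execute, download and persistence patterns. The heuristics and the sample project fragment are constructed for illustration and are not indicators from the report.

```python
"""Audit Run Script build phases in an Xcode project.pbxproj (added example,
not SentinelLabs' or 9to5Mac's code). Assumes the usual OpenStep-style pbxproj
format: each PBXShellScriptBuildPhase stores its script in a quoted
`shellScript` string with backslash escapes for newlines and quotes."""
import re

# Review heuristics for build scripts: a hit means "read this before you
# build", not "malicious" (plenty of honest scripts call curl).
SUSPICIOUS = {
    "decode-then-execute": re.compile(r"\beval\b.*\b(base64|xxd)\b|\b(base64|xxd)\b.*\|\s*(sh|bash|zsh)\b"),
    "network-fetch": re.compile(r"\b(curl|wget|nc|nscurl)\b"),
    "persistence": re.compile(r"LaunchAgents|\blaunchctl\b"),
    "backgrounded": re.compile(r"&\s*$", re.M),
}
_PHASE = re.compile(
    r'isa = PBXShellScriptBuildPhase;(?P<body>.*?)shellScript = "(?P<script>(?:[^"\\]|\\.)*)";', re.S)

def _unescape(s: str) -> str:
    # Resolve pbxproj escapes so the heuristics see the script as /bin/sh would.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def run_script_phases(pbxproj: str) -> list[dict]:
    """Return [{'name', 'script'}] for every Run Script phase in the project text."""
    out = []
    for m in _PHASE.finditer(pbxproj):
        name = re.search(r'name = "?([^";]+)"?;', m.group("body"))
        out.append({"name": name.group(1) if name else "(unnamed)",
                    "script": _unescape(m.group("script"))})
    return out

def flag_scripts(pbxproj: str) -> list[tuple[str, list[str]]]:
    """Pair each phase name with the heuristics its script triggers."""
    return [(p["name"], [k for k, rx in SUSPICIOUS.items() if rx.search(p["script"])])
            for p in run_script_phases(pbxproj)]

# Constructed pbxproj fragment: a routine lint step next to a phase of the kind
# the article describes (obfuscated shell that runs when the target is built).
SAMPLE_PBXPROJ = r'''
        AA01 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        AA02 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo cGxhY2Vob2xkZXI= | base64 -D)\" &\n";
        };
'''
```

Running `flag_scripts` over a real project file (`MyApp.xcodeproj/project.pbxproj`) lists each phase with the heuristics it triggers; the lint phase in the sample reports nothing, while the unnamed phase is flagged for decode-then-execute and for being backgrounded.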

The Sentinel Labs researchers have discovered two variants of the payload and, so far, have seen one in the wild within a United States organization. They believe the malware campaign may have taken place from July to October 2020 and say the extent of the spread is unknown for the time being, but other XcodeSpy projects may be on the loose.

So far, we have not been able to discover other samples of trojanized Xcode projects and we cannot measure the extent of this activity. However, the timeline of known samples and other indicators mentioned below suggests that other XcodeSpy projects may exist. By sharing the details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

Although XcodeSpy may have been used in an attack targeting a small group of Apple developers, Sentinel Labs recommends that all Apple developers scan for and mitigate the malicious code. Step-by-step instructions are in the Detection and Mitigation section of the report.

Check out the full technical details of XcodeSpy in the full report.
