Malicious Xcode projects are being used to hijack developer systems and distribute custom EggShell backdoors.
The malware, dubbed XcodeSpy, targets Xcode, the integrated development environment (IDE) used on macOS to build software for Apple platforms.
According to research published by SentinelLabs on Thursday, the IDE's Run Script feature is being abused in attacks against iOS developers, delivered in the form of Trojanized Xcode projects distributed freely online.
Legitimate, open-source Xcode projects are readily available on GitHub. In this case, however, the XcodeSpy project claims to offer "advanced features" for the iOS tab bar, and once the project has been downloaded and built, the malicious script runs and installs the EggShell backdoor.
The malicious project examined by the researchers is a doctored copy of TabBarInteraction, a legitimate project that has not itself been compromised.
The project's Run Script is obfuscated and silently contacts the attackers' command-and-control (C2) server when the developer builds the project.
The feature being abused is Xcode's ability to run a custom shell script when an application target is built.
The script then communicates with the C2 server to download a custom variant of EggShell, which includes a user LaunchAgent for persistence.
Two variants of EggShell have been discovered, one of which shares an encrypted string with XcodeSpy.
The backdoor can hijack the victim's microphone, camera and keyboard, and can capture and send files to the attackers' C2.
SentinelLabs says at least one US organization has been hit by such an attack, and developers in Asia are also likely to have been targeted in the campaign, which ran at least between July and October last year.
Backdoor samples were uploaded to VirusTotal on August 5 and October 13. The XcodeSpy sample was uploaded on September 4; however, the researchers suspect the attacker may have uploaded the sample themselves to test detection rates.
“While XcodeSpy seems to be targeted at developers themselves rather than products or developers’ clients, it is a short step away from redirecting the developer’s workplace to deliver malware to users of that developer’s software,” the researchers said. “As a result, all Apple developers are cautioned to check for any serious Run scripts whenever Xcode projects from third parties are approved.”
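As an added illustration of that advice (not code from the original article or from SentinelLabs), the following script lists every Run Script build phase in an Xcode project.pbxproj and flags review prompts such as `eval` or base64 decoding. The pbxproj fragment is constructed for the example, the phase IDs are placeholders, and the indicator list is a heuristic assumption, not proof of malice.

```python
import re

# Constructed sample: a fragment of an Xcode project.pbxproj with two
# Run Script build phases (placeholder IDs; real ones are 24 hex chars).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AAAAAAAAAAAAAAAAAAAAAAAA /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo aGVsbG8= | base64 -d)\"\n";
        };
        BBBBBBBBBBBBBBBBBBBBBBBB /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "swiftlint --strict\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# One phase: "<id> /* <name> */ = { isa = PBXShellScriptBuildPhase; ... };"
PHASE_RE = re.compile(
    r'(\w+) /\* ([^*\n]*) \*/ = \{\s*isa = PBXShellScriptBuildPhase;(.*?)\};',
    re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Heuristic review prompts for a third-party project (assumed list, not exhaustive).
INDICATORS = [
    ("eval", re.compile(r'\beval\b')),
    ("base64 decode", re.compile(r'base64\s+(-d|-D|--decode)\b')),
    ("network fetch", re.compile(r'\b(curl|wget)\b')),
    ("LaunchAgent write", re.compile(r'LaunchAgents')),
]

def _unescape(s: str) -> str:
    """Undo pbxproj string escaping (backslash-n, backslash-quote, double backslash)."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def find_run_scripts(pbxproj: str):
    """Return [(phase_id, phase_name, script_text)] for every Run Script phase."""
    phases = []
    for pid, name, body in PHASE_RE.findall(pbxproj):
        m = SCRIPT_RE.search(body)
        phases.append((pid, name, _unescape(m.group(1)) if m else ""))
    return phases

def audit(pbxproj: str):
    """Map each Run Script phase id to the indicator labels its script triggers."""
    return {pid: [label for label, rx in INDICATORS if rx.search(script)]
            for pid, _, script in find_run_scripts(pbxproj)}

if __name__ == "__main__":
    for pid, name, script in find_run_scripts(SAMPLE_PBXPROJ):
        print(f"{pid} ({name}): {audit(SAMPLE_PBXPROJ)[pid] or 'no indicators'}\n{script}")
```

Run it against `YourProject.xcodeproj/project.pbxproj` before the first build and read every listed script in full; a flagged phase is a reason to inspect, not a verdict.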
Back in August, Trend Micro tracked XCSSET malware in Xcode projects, which is thought to have spread in order to compromise Safari browser sessions, enabling identity theft, cross-site scripting (XSS), and theft of developer data.
The team said the discovery eventually led to “a rabbit hole for malicious payloads.”