
“XcodeSpy” malware found in the wild, impersonates a legitimate Xcode developer project

If you’re a developer using Xcode, you’ll need to be a little more careful for a while.

A new backdoor targets Apple developers’ Macs through a trojanized Xcode project. Once installed, the malware can record from the victim’s microphone and camera, log keystrokes, and upload and download files. The first in-the-wild case was found at a U.S. organization.

The trojanized project was discovered by Sentinel Labs, which has named the threat “XcodeSpy” and says it delivers a custom build of the EggShell backdoor to compromise macOS.

The malicious project is a doctored copy of a legitimate open-source Xcode project, and it works by abusing the Run Script build phase of the Xcode IDE: the script is executed by Xcode itself every time the target is built, so simply building a project pulled from the internet is enough to trigger it.

Sentinel Labs offered the following explanation:

We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub. The project offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.

The XcodeSpy version, however, has been subtly changed to execute an obfuscated Run Script when the developer’s build target is launched. The script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor on the development machine. The malware installs a user LaunchAgent for persistence and is able to record information from the victim’s microphone, camera, and keyboard.
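Because the payload hides in a Run Script build phase, the practical check is to look at the `PBXShellScriptBuildPhase` entries in a project's `project.pbxproj` before building it. The scanner below is an added example written for this article, not code from Sentinel Labs or from the XcodeSpy report: it extracts every Run Script phase from a pbxproj file and flags scripts that carry common obfuscation or staging signals (`eval`, `base64`, network fetches, backgrounded jobs, a disabled `showEnvVarsInLog`). The indicator list is a heuristic assumption, not a signature for XcodeSpy, and the embedded pbxproj fragment is constructed for the demo.

```python
import re
import sys
from typing import Dict, List

# Constructed sample: two PBXShellScriptBuildPhase entries in the shape Xcode
# writes into project.pbxproj. This is NOT the XcodeSpy project. The first
# phase is an ordinary linter hook; the second imitates the pattern the report
# describes (an obfuscated Run Script that runs whenever the target is built).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\"\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			showEnvVarsInLog = 0;
			shellScript = "eval \"$(echo aGVsbG8= | base64 -D)\" &\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# Heuristic indicators (an assumption of this example, not a published IOC list).
INDICATORS = [
    ("eval", r"\beval\b"),
    ("base64", r"\bbase64\b"),
    ("network fetch", r"\b(curl|wget|nc|nscurl)\b"),
    ("scripting host", r"\b(osascript|python[23]?|perl|ruby)\s+-[ce]\b"),
    ("shell -c", r"\b(ba|z)?sh\s+-c\b"),
    ("background job", r"&\s*$"),
    ("temp dir", r"/tmp/|/var/tmp/|\$TMPDIR"),
    ("long encoded blob", r"[A-Za-z0-9+/=]{40,}"),
]

# One PBXShellScriptBuildPhase object: "<id> /* comment */ = { isa = ...; ... };"
_PHASE_RE = re.compile(
    r"(?P<id>[0-9A-Fa-f]+)\s*(?:/\*[^*]*\*/)?\s*=\s*\{\s*isa\s*=\s*PBXShellScriptBuildPhase;"
    r"(?P<body>.*?)\};",
    re.DOTALL,
)
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.DOTALL)
_NAME_RE = re.compile(r'\bname\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]+));')


def _unescape(s: str) -> str:
    """Undo the backslash escaping Xcode uses inside quoted pbxproj strings."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "t": "\t"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def scan_pbxproj(text: str) -> List[Dict]:
    """Return every Run Script phase with its decoded script and any findings."""
    phases = []
    for m in _PHASE_RE.finditer(text):
        body = m.group("body")
        sm = _SCRIPT_RE.search(body)
        script = _unescape(sm.group(1)) if sm else ""
        nm = _NAME_RE.search(body)
        if nm and nm.group(1) is not None:
            name = _unescape(nm.group(1))
        else:
            name = nm.group(2).strip() if nm else ""
        findings = [label for label, rx in INDICATORS if re.search(rx, script, re.MULTILINE)]
        # Weak signal: hiding env vars from the build log is legitimate, but it
        # also reduces what a developer sees when the script runs.
        if re.search(r"showEnvVarsInLog\s*=\s*0", body):
            findings.append("env vars hidden from build log")
        phases.append({"id": m.group("id"), "name": name, "script": script, "findings": findings})
    return phases


def suspicious_phases(text: str) -> List[Dict]:
    """Only the phases that tripped at least one indicator."""
    return [p for p in scan_pbxproj(text) if p["findings"]]


def main(argv: List[str]) -> int:
    # Usage: python3 scan_pbxproj.py Foo.xcodeproj/project.pbxproj (sample if omitted)
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_PBXPROJ
    hits = suspicious_phases(text)
    for p in hits:
        print(f"[!] phase {p['id']} ({p['name'] or 'unnamed'}): {', '.join(p['findings'])}")
        print("    " + p["script"].strip().replace("\n", "\n    "))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the `project.pbxproj` inside any third-party `.xcodeproj` before opening the project in Xcode; a non-zero exit means at least one Run Script phase deserves a manual read. A flagged phase is not proof of compromise (CocoaPods and linters legitimately use Run Script phases), but any script that decodes and evaluates a blob, or backgrounds a process, has no business in a UI component library.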

Sentinel Labs’ researchers have identified two variants of the payload and have so far seen one in-the-wild infection, at a U.S. organization. They believe the campaign ran from roughly July to October 2020, and say its full extent is unknown because additional trojanized XcodeSpy projects may still be circulating:

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

Sentinel Labs recommends that all Apple developers check their machines for signs of compromise and remove anything they find. Given how the implant is delivered and persists, the two places worth a look are the Build Phases of any third-party Xcode project (an unexpected or obfuscated Run Script entry) and the user’s ~/Library/LaunchAgents folder (an unfamiliar LaunchAgent plist).

Stay tuned for additional details as they become available.

Via 9to5Mac, Ars Technica, and labs.sentinelone.com