13 with 12 posters participating, including story author
Researchers said they’ve found a trojanized code library in the wild that attempts to install advanced surveillance malware on the Macs of iOS software developers.
It came in the form of a malicious project the attacker wrote for Xcode, a developer tool that Apple makes freely available to developers writing apps for iOS or another Apple OS. The project was a copy of TabBarInteraction, a legitimate open source project that makes it easier for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all the files, resources, and information needed to build an app.
Walking on eggshells
Alongside the legitimate code was an obfuscated script, known as a “Run Script.” The script, which got executed whenever the developer build was launched, contacted an attacker-controlled server to download and install a custom version of EggShell, an open source back door that spies on users through their mic, camera and keyboard.
Researchers with SentinelOne, the security firm that discovered the trojanized project, have named it XcodeSpy. They say they’ve uncovered two variants of the customized EggShell dropped by the malicious project. Both were uploaded to VirusTotal using the Web interface from Japan, the first one last August 5, and the second one on the following October 13.
“The later sample was also found in the wild in late 2020 on a victim’s Mac in the United States,” SentinelOne researcher Phil Stokes wrote in a blog post Thursday. “For reasons of confidentiality, we are unable to provide further details about the ITW [in the wild] incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.”
patched the vulnerability last week.
Besides using the watering-hole attack, the hackers also sent targeted developers a Visual Studio Project purportedly containing source code for a proof-of-concept exploit. Stashed inside the project was custom malware that contacted the attackers’ control server.
Experienced developers have long known the importance of checking for the presence of malicious Run Scripts before using a third-party Xcode project. While detecting the scripts isn’t hard, XcodeSpy attempted to make the job harder by encoding the script.
When decoded, it was clear the script contacted a server at cralev[.]me and sent the mysterious command mdbcmd through a reverse shell built in to the server.
The only warning a developer would get after running the Xcode project would be something that looks like this:
TrendMicro analysis found, the malicious code would run on the developers’ Macs.
And in 2015, researchers found 4,000 iOS apps that had been infected by XcodeGhost, the name given to a tampered version of Xcode that circulated primarily in Asia. Apps that were compiled with XcodeGhost could be used by attackers to read and write to the device clipboard, open specific URLs and exfiltrate data.
In contrast to XcodeGhost, which infected apps, XcodeSpy targeted developers. Given the quality of the surveillance backdoor XcodeSpy installed, it wouldn’t be much of a stretch for the attackers to eventually deliver malware to users of the developer’s software as well.
“There are other scenarios with such high-value victims,” SentinelOne’s Stokes wrote. “Attackers could simply be trawling for interesting targets and gathering data for future campaigns, or they could be attempting to gather AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures. These suggestions do not exhaust the possibilities, nor are they mutually exclusive.”