Researchers from SentinelOne have discovered the XcodeSpy malware that spreads through trojanized Xcode projects and is designed to attack iOS developers.
XcodeSpy consists of a malicious Run Script build phase inserted into a copy of a legitimate Xcode project called TabBarInteraction. The legitimate project offers iOS developers several advanced features for animating the iOS tab bar in response to user interaction.
The XcodeSpy infection vector can be reused by other attackers, so all Apple developers using Xcode are advised to exercise caution when accepting shared Xcode projects.
The script runs every time the Xcode project is built: it installs a LaunchAgent for persistence on the system and then loads a second-stage payload, a macOS backdoor called EggShell.
Although the XcodeSpy command-and-control infrastructure contacted by the LaunchAgent was no longer functioning, the researchers write that they were able to find further samples of the EggShell backdoor on VirusTotal. Both were uploaded to VirusTotal from Japan, the first on August 5th and the second on October 13th last year.
“This backdoor has the ability to record from the victim’s microphone, camera and keyboard, as well as the ability to upload and download files,” the SentinelOne report says.
SentinelOne experts learned about this malware from a tip by an anonymous researcher who discovered the EggShell backdoor at an unnamed company in the United States. According to the researchers, the victim of one of the attacks said that it had repeatedly been targeted by North Korean hacker groups, although the EggShell infection could not yet be attributed to any specific state.
Apparently, the attackers behind this campaign were active between July and October 2020 and seem to be primarily interested in developers from Asia.
“We are publishing this report hoping to raise awareness in the cyber community and in the hope of gathering more information. Given the limited data we currently have, so far we cannot draw any conclusions about the attackers,” the experts write.
SentinelOne analysts have attached a simple command to their report that can help developers identify traces of malicious XcodeSpy script activity in their projects:
find . -name "project.pbxproj" -print0 | xargs -0 awk '/shellScript/ && /eval/ {print "\033[37m" $0 "\033[31m" FILENAME}'
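The one-liner above matches the raw pbxproj line, so it can miss an `eval` hidden behind backslash escapes. The scanner below is an added example, not code from the SentinelOne report: it extracts each Run Script phase's `shellScript` string from project.pbxproj, unescapes it into the text /bin/sh would actually run, and flags `eval` plus two further indicators (base64 decoding and writes under Library/LaunchAgents) that are added heuristics; the pbxproj fragment it scans is constructed.

```python
import re
from pathlib import Path

# A Run Script phase in project.pbxproj stores its command as a double-quoted
# string literal with backslash escapes (\" and \n), all on one line.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";')

# "eval" is what the SentinelOne one-liner keys on; the other two patterns are
# added heuristics for build scripts that decode code or install persistence.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\b"),
    "base64-decode": re.compile(r"base64\s+(-d|-D|--decode)\b"),
    "launchagent": re.compile(r"Library/LaunchAgents"),
}

def unescape_pbx(value: str) -> str:
    """Turn the pbxproj string literal back into the text /bin/sh would run."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)

def scan_pbxproj_text(text: str) -> list:
    """One finding per Run Script phase whose decoded script matches an indicator."""
    findings = []
    for m in SHELL_SCRIPT_RE.finditer(text):
        script = unescape_pbx(m.group(1))
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(script)]
        if hits:
            findings.append({"indicators": hits, "script": script.strip()})
    return findings

def scan_tree(root: str) -> dict:
    """Walk a folder of shared projects, like the find | xargs awk pipeline."""
    results = {}
    for path in Path(root).rglob("project.pbxproj"):
        hits = scan_pbxproj_text(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed pbxproj fragment (not from any real project): a benign lint phase
# and a phase that evals a base64-decoded blob on every build.
SAMPLE_PBXPROJ = r'''
    AA01 /* Run Script */ = { isa = PBXShellScriptBuildPhase; shellPath = /bin/sh;
        shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n"; };
    AA02 /* Run Script */ = { isa = PBXShellScriptBuildPhase; shellPath = /bin/sh;
        shellScript = "eval \"$(echo ZWNobyBoaQ== | base64 -d)\"\n"; };
'''

if __name__ == "__main__":
    for h in scan_pbxproj_text(SAMPLE_PBXPROJ):
        print(", ".join(h["indicators"]), "->", h["script"])
```

Call `scan_tree("/path/to/shared/projects")` to check every project.pbxproj under a directory; the base64 blob in the sample decodes to a harmless `echo hi`.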
Let me remind you that I also talked about Silver Sparrow malware that infected about 30,000 Mac computers.