XcodeSpy: Trojanized Xcode Project Targeting iOS Developers
Sentinel Labs researchers recently became aware of a trojanized Xcode project targeting iOS devs. The project is a malicious version of a legitimate, open-source project available on GitHub, enabling iOS programmers to use several advanced features for animating the iOS Tab bar.
According to Sentinel Labs report, XcodeSpy has been changed to execute an obfuscated Run Script once the developer’s build target is launched. The script’s purpose is to contact the attackers’ command-and-control server, and drop a custom variant of the EggShell backdoor on the machine. To achieve persistence on the infected host, the malware installs a user Launch Agent. The malware can also record information from the microphone, camera, and keyboard.
“The XcodeSpy infection vector could be used by other threat actors, and all Apple Developers using Xcode are advised to exercise caution when adopting shared Xcode projects,” the researchers warned in their report.
Two variants of the payload discovered
The researchers discovered two variants of the backdoor payload, both containing a number of encrypted command-and-control URLs and encrypted strings for various file paths. “One encrypted string in particular is shared between the doctored Xcode project and the custom backdoors, linking them together as part of the same ‘XcodeSpy’ campaign,” Sentinel Labs said.
Furthermore, the XcodeSpy malware can abuse a built-in feature of Apple’s IDE allowing developers to run a custom shell script. The technique can be identified easily; however, inexperienced developers may not be aware of the Run Script feature putting them at risk to execute the malicious script.
At least one US organization has been targeted by these attacks. Apple developers in Asia may also be at risk.
Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13 last year, while the XcodeSpy malware was first uploaded on September 4. Sentinal Labs, however, believe that the attackers may have uploaded the samples to test detection rates.
In 2019, a the XcodeGhost malware was detected in the wild. It also was a modified version of a real development environment, designed to appear just like the real program without giving out any signs that it was a dangerous strain.