Attackers abuse Xcode projects to hijack developer systems and spread macOS malware. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used to develop macOS apps.
SentinelLabs reported the flaw on Thursday. They say attackers exploit the Run Script feature in the IDE in targeted attacks against iOS developers. Cybercriminals share online Trojanized Xcode projects to distribute EggShell backdoors to unsuspecting developers.
XcodeSpy infected Xcode projects lure developers with claims about advanced features for animating iOS tab bars.
Once the initial build is downloaded and launched, it installs an EggShell backdoor.
The researchers examined one of the projects which was a ripped version of TabBarInteraction, a legitimate Xcode project.
Attackers tweaked the Run script of the IDE to connect their command-and-control (C2) server to the project. The script then communicates with C2 and downloads a custom variant of the EggShell backdoor. The malware then installs a user LaunchAgent for attackers to maintain persistence. Researchers have detected two variants of EggShell.
According toSentinelLabs, the backdoor can hijack and record the victim’s microphone, camera, and keyboard, and send files to the attacker’s C2.
SentinelLabs says at the moment, one US organization has been attacked by this malware. Developers in Asia may have also been hit between July and October last year.
Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13, however, the researchers suspect the attackers uploaded the sample themselves in order to see detection rates.
“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers said. ll SentinelLabs recommends all Apple developers exercise caution and keep an eye for malicious Run scripts whenever joining third-party Xcode projects.