XcodeSpy malware has targeted macOS Xcode developer systems and was recently used to spread custom variant EggShell backdoors.
Xcode contributes to Apple’s integrated development environment (IDE) which is designed to develop software and applications. It was first launched in 2003, the most recent and stable version 12.4 was released on January 26, 2021. The Xcode suite includes majority of Apple’s developer documentation and an Interface Builder.
A recent trend for cybercriminals is to target software developers to initialize a ‘supply chain attack’. Sentinel Labs has indicated the XcodeSpy operation was present in July and October of 2020. New and experienced developers should be warned and pre-screen Run Scripts when using open-source Xcode projects. For ways to scan local Xcode Repositories, click here.
Open-Source Software Exploitive
Cybercriminals are using open-source versions of Xcode, specifically Trojanized Xcode, to attack Apple’s (IDE) by way of the Run Script feature. Once compromised the Run script of the (IDE) connects an attacker’s command-and-control server, giving them access to the developer’s project. The command-and control will later be contacted by the script to download a custom version of the Eggshell backdoor, that includes a user LaunchAgent. Attackers are using previous versions of Xcode projects, which can be found on GitHub.
Under the vail of ‘advanced features’ for animating iOS tab bars, XcodeSpy has created a malicious script held within the initial build. TabBarInteraction was used as a ripped version and has yet to be fully compromised. Once downloaded and launched the malware will be deployed and the EggShell backdoor has been installed. The backdoor has functionality for recording the victim’s microphone, camera, keyboard, and has the ability to upload and download files. To prevent these ‘reverse shells’ from being placed developers need to analyze their build scripts before compilation.
Malware attacks have been heavily infiltrating MacOS and have increased over a thousand percent since 2020. The latest attacks include: ‘Silver Sparrow’ affecting the Apple M1 chip, ‘OSAMiner’ involving mining cryptocurrency and ‘GoSearch22’ which provided a malicious adware extension.
In addition to malware attacks, MacOS also contains numerous vulnerabilities and bugs that require constant monitoring and patches. One attack featuring Webkit browsers was redirecting iOS and MacOS users to malicious websites. Apple users are encouraged to search for stronger security layers in addition to updates as these attacks can be extremely aggressive. For a comprehensive Guide for Mac Anti-Malware Protection, click here.