Trojanized Xcode Project Slips MacOS Malware to Apple Developers

Cybercriminals are targeting Apple developers with a trojanized Xcode project, which once launched installs a backdoor that has spying and data exfiltration capabilities.

Xcode is comprised of a suite of free, open software development tools developed by Apple for creating software for macOS, iOS, iPadOS, watchOS and tvOS. Thus, any apps built on top of the project automatically include the malicious code.

The malicious Xcode project, which researchers call XcodeSpy, installs a variant of the known EggShell backdoor on the developer’s macOS computer.  This backdoor can record the victim’s microphone, camera and keyboard movements, and can upload and download files.

“The XcodeSpy infection vector could be used by other threat actors, and all Apple Developers using Xcode are advised to exercise caution when adopting shared Xcode projects,” said Phil Stokes, researcher with SentinelLabs on Thursday.

Trojanized Xcode Project

The trojanized Xcode project is a doctored version of a legitimate, open-source project that’s available on GitHub called TabBarInteraction; this project offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction. Of note, the trojanized version is a copy and the legitimate GitHub project (and its developer) is not implicated in any way with the malware operation, researchers stressed.

The doctored version of the project contains an obfuscated malscript in the Build Phases tab. Researchers said, attackers leveraged this tab because it is not expanded by default, making it easier to slip by undetected.

“XcodeSpy takes advantage of a built-in feature of Apple’s IDE which allows developers to run a custom shell script on launching an instance of their target application,” said researchers. “While the technique is easy to identify if looked for, new or inexperienced developers who are not aware of the Run Script feature are particularly at risk since there is no indication in the console or debugger to indicate execution of the malicious script.”

When the developer’s build target is launched, the obfuscated Run script is executed, which contacts the attackers’ command-and-control (C2) server before dropping a custom EggShell backdoor variant.

“The malware installs a user LaunchAgent for persistence and is able to record information from the victim’s microphone, camera, and keyboard,” said researchers.

EggShell Backdoor Variant

Researchers found two variants of the payload: One sample was uploaded to VirusTotal on Aug. 5th and the second on Oct. 13th. The latter sample was also found in the wild in late 2020 on a victim’s Mac in the United States, said researchers.

“For reasons of confidentiality, we are unable to provide further details about the ITW incident,” they said. “However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.”

Xcode Attack Vector

Attackers have previously utilized Xcode as an initial attack vector to target Apple platform developers. In 2015, attackers appended malicious code (dubbed XcodeGhost) into a number of popular apps and find a loophole in Apple’s code-scanning to slip them into the App Store.

And in August, a campaign was discovered targeting Mac users to spread the XCSSET suite of malware, which has the capability to hijack the Safari web browser and inject various JavaScript payloads. The infections were found propogating via Xcode developer projects.

In this latest attack, researchers said it may be possible that XcodeSpy was targeting particular developers – but they may also be gathering data for future campaigns or attempting to gather AppleID credentials for future use.

“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” said researchers.