“We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub,” SentinelOne researchers have warned.
The trojanized Xcode project in question is TabBarInteraction, a legitimate project that gives iOS developers a way to animate the iOS Tab Bar in response to user interaction. The researchers have been quick to note that the code in the GitHub project is currently clean, and that its developer is not implicated in any way in the malware operation.
The trojanized version of the project – dubbed XcodeSpy by the researchers – executes an obfuscated Run Script when the developer’s build target is launched. Because a Run Script build phase runs with the developer’s own privileges as part of a normal build, simply building the project is enough to trigger it. The script contacts a C&C server and downloads a custom variant of the EggShell backdoor, which installs a user LaunchAgent for persistence and allows the attacker to record information from the victim’s microphone, camera, and keyboard.
The trojanized project was found late last year at a U.S. organization that said it is repeatedly targeted by North Korean APT actors and that it discovered the infection while threat hunting. Earlier, two samples of the EggShell backdoor had been uploaded to VirusTotal from Japan.
“The EggShell backdoor variants were each first seen on VirusTotal some two months apart (5th August and 13th October). If the backdoors were uploaded by victims rather than the attackers (an assumption that is by no means secure), that would indicate that the first custom EggShell binary may have been a payload for an earlier XcodeSpy sample. However, we cannot assign great confidence to these speculations based on the available data,” the researchers added.
Detection and mitigation
It is unknown whether the attacker targeted just one specific developer or many, but the researchers say they believe other XcodeSpy projects may exist. They therefore provided IoCs, urged all Apple app developers to check for the presence of malicious Run Scripts (visible under the target’s Build Phases tab, and stored as PBXShellScriptBuildPhase entries in the project’s project.pbxproj file) whenever adopting third-party Xcode projects, and explained how to do it.
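One way to perform that check without opening each project in Xcode is to parse project.pbxproj directly and look at every Run Script phase. The script below is an added example written for this article; it is not SentinelOne’s tooling and not code from the TabBarInteraction project. The indicator list (eval, base64 decoding, network fetches, long encoded blobs, a script hidden below blank lines, showEnvVarsInLog turned off) is an assumed set of heuristics a reviewer would want to eyeball, not a signature for XcodeSpy, and the sample project it scans is constructed for illustration.

```python
"""Scan an Xcode project.pbxproj for Run Script build phases that look like
they carry an obfuscated payload. Added example for this article, not
SentinelOne's code nor the TabBarInteraction project's; indicators are
assumed heuristics, not an XcodeSpy signature."""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Assumed indicator list: things a reviewer would not expect in a linting or
# code-generation script pulled from a third-party project.
INDICATORS = [
    ("eval of dynamic content", re.compile(r"\beval\b")),
    ("base64 decode", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    ("network fetch", re.compile(r"\b(curl|wget|nc|nscurl)\b")),
    ("openssl decrypt", re.compile(r"\bopenssl\s+enc\b.*\s-d\b")),
    ("inline interpreter", re.compile(r"\b(python3?|perl|ruby|osascript)\s+-[ce]\b")),
    ("hex escapes", re.compile(r"(\\x[0-9a-fA-F]{2}){4,}")),
    ("long encoded blob", re.compile(r"[A-Za-z0-9+/=]{64,}")),
    ("LaunchAgent path", re.compile(r"Library/LaunchAgents")),
]
HIDDEN_NEWLINES = 10  # assumed threshold: payload pushed out of view in the editor

# Xcode object ids are 24 hex chars. A build-phase body ends at the first "};"
# on its own line (phases contain ( ) lists but no nested { } objects).
OBJECT_RE = re.compile(
    r"(?P<id>[0-9A-Fa-f]{24})(?: /\* (?P<name>[^*]*) \*/)? = \{(?P<body>.*?)\n\s*\};",
    re.DOTALL,
)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL)
PBX_ESCAPES = {"\\n": "\n", "\\t": "\t", '\\"': '"', "\\\\": "\\"}


@dataclass
class Phase:
    phase_id: str
    name: str
    script: str       # the shell script as Xcode would execute it
    hides_env: bool   # showEnvVarsInLog = 0 keeps the script's env out of the build log


def unescape_pbx(s: str) -> str:
    """Undo the backslash escaping pbxproj uses inside quoted strings."""
    return re.sub(r'\\[nt"\\]', lambda m: PBX_ESCAPES[m.group(0)], s)


def parse_run_script_phases(pbxproj: str) -> List[Phase]:
    phases = []
    for m in OBJECT_RE.finditer(pbxproj):
        body = m.group("body")
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        sm = SCRIPT_RE.search(body)
        script = unescape_pbx(sm.group(1)) if sm else ""
        phases.append(Phase(m.group("id"), m.group("name") or "", script,
                            "showEnvVarsInLog = 0;" in body))
    return phases


def assess(phase: Phase) -> List[str]:
    """Return the human-readable reasons this phase deserves a manual look."""
    reasons = [label for label, rx in INDICATORS if rx.search(phase.script)]
    if phase.hides_env:
        reasons.append("env vars hidden from build log")
    leading = len(phase.script) - len(phase.script.lstrip("\n"))
    if leading >= HIDDEN_NEWLINES:
        reasons.append(f"payload below {leading} blank lines")
    return reasons


def scan(pbxproj: str) -> List[Tuple[Phase, List[str]]]:
    """Return only the Run Script phases that trip at least one indicator."""
    hits = []
    for phase in parse_run_script_phases(pbxproj):
        reasons = assess(phase)
        if reasons:
            hits.append((phase, reasons))
    return hits


# Constructed sample (not a real project): a benign SwiftLint phase next to a
# phase whose script sits below blank lines and eval's a base64-decoded blob.
_BLOB = "QUFB" * 18
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
    objects = {
        A1B2C3D4E5F60718293A4B5C /* Run SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        0F1E2D3C4B5A69788796A5B4 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "\n\n\n\n\n\n\n\n\n\n\n\n\neval \"$(echo __BLOB__ | base64 -D)\"\n";
            showEnvVarsInLog = 0;
        };
    };
}
'''.replace("__BLOB__", _BLOB)

if __name__ == "__main__":
    # Usage: python scan_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase, reasons in scan(text):
        print(f"{phase.phase_id} {phase.name!r}: {', '.join(reasons)}")
        print("    " + repr(phase.script.strip()[:120]))
```

Treat every hit as a prompt to read the full script, not as a verdict: a legitimate phase that downloads a code generator will trip the network indicator, while an attacker can avoid every pattern here. The cheap, reliable signal is the one Xcode does not show you by default: a Run Script phase you did not add, in a project you just cloned.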
“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” they added.
“It is entirely possible that XcodeSpy may have been targeted at a particular developer or group of developers, but there are other potential scenarios with such high-value victims. Attackers could simply be trawling for interesting targets and gathering data for future campaigns, or they could be attempting to gather AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures. These suggestions do not exhaust the possibilities, nor are they mutually exclusive.”
Threat actors have targeted software developers before: in 2015, Palo Alto Networks researchers discovered a maliciously modified version of Xcode, dubbed XcodeGhost, that silently injected malicious code into a huge number of iOS apps compiled with it, and in early 2021, the Google Threat Analysis Group (TAG) shed light on a campaign aimed at backdooring the computers of a number of security researchers and developers via a Visual Studio project designed to load a malicious DLL at build time.