Researchers say they have found a trojanized code library in the wild that tries to install advanced malware on the Macs of iOS software developers.
It comes in the form of a malicious project that the attacker wrote for Xcode, a development tool that Apple makes freely available for developers building applications for iOS or other Apple OS. The project was a copy of TabBarInteraction, a legitimate open source project that makes it easy for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all the files, resources, and information needed to build an application.
Walking on eggs
Next to the constitutional code is a blank manuscript, known as the “Executive Journal.” The script, which runs whenever the developer is launched, contacts the managed server to download and install the custom version. Egg Shellan open source backdoor that spies on users through their microphone, camera, and keyboard.
Researchers with SentinelOne, the security company that discovered the trojanized project, named it XcodeSpy. They say they have discovered two variants of the customized EggShell dropped by the project. Both were uploaded to VirusTotal using a web interface from Japan, the first on August 5 and the second on October 13.
“A later version was also found in the wild in late 2020 on a victim’s Mac in the United States,” SentinelOne researcher Phil Stokes wrote in blog post Thursday. “For reasons of confidentiality, we are unable to provide further details about the ITW incident (in the wild). However, the victim reported that they were repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.”
So far, industry researchers know of only one case in the wild, from a US-based organization. Indications from SentinelOne’s analysis suggest that the campaign “is running at least between July and October 2020 and may also have targeted developments in Asia.”
Researchers under attack
Wednesday’s announcement comes two months after researchers for both Microsoft and Google said hackers backed by the North Korean government were trying to infect security researchers’ computers. To win the trust of investigators, hackers spend weeks learning Twitter personalities and developing working relationships online.
Finally, the fake Twitter profiles asked researchers to use Internet Explorer to open a website. Those who take the bait will find that a fully patched Windows 10 machine installs a malicious program and internal memory access. Microsoft deleted the vulnerability last week.
Apart from using a sinkhole attack, the hackers also sent targeted developers to the Visual Studio Project that said it contained source code for proof-of-concept exploits. Included in the project was custom malware that contacted the attackers’ control server.
Experienced developers have long known the importance of checking for malicious scripts before using a third-party Xcode project. While detecting scripts is not hard, XcodeSpy tries to make the job more difficult by encoding the script.
SentinelOne provides a script that makes it easy for developers to find Run Scripts in their projects. Wednesday’s post also provides indicators of vulnerability to help developers know if they’ve been targeted or infected.
A vector for malice
It’s not the first time Xcode has been used in a malware attack. Last August, researchers discovered Xcode projects available online that embedded exploits for what at the time were two zero-day Safari vulnerabilities. Once one of the XCSSET projects is open and built, a TrendMicro analysis see, the malicious code will run on the developers’ Macs.
And in 2015, researchers found 4,000 iOS apps that had been infected by XcodeGhost, the name given to a manipulated version of Xcode that spread widely in Asia. Applications compiled with XcodeGhost can be used by attackers to read and write to the application clipboard, open specific URLs, and export data.
In contrast to XcodeGhost, which infects apps, XcodeSpy targets developers. Given the quality of the XcodeSpy backdoor surveillance installed, it will not be able to spend much for the attackers to eventually deliver malware to the users of the developer’s software as well.
“There are other scenarios with similar high-value casualties,” SentinelOne’s Stokes wrote. “Attackers may simply be tracking for interested targets and collecting data for future campaigns, or they may be attempting to gather AppleID credentials for use in other campaigns that use malware with Apple Developer code signatures useful. These suggestions do not exhaust the possibilities, nor are they exclusive.”