Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

04:55 PM
Connect Directly

New Malware Hidden in Apple IDE Targets macOS Developers

XcodeSpy is latest example of growing attacks on software supply chain.

Researchers from SentinelOne have discovered new malware targeting developers of macOS apps in the latest sign of growing attacker interest in the software supply chain.

The malware, XcodeSpy, is disguised as a legitimate Xcode open source project called TabBarInteraction that provides macOS developers with code for animating the iOS Tab Bar based on user interaction.

Related Content:

'Next-Gen' Supply Chain Attacks Surge 430%

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

"Xcode is an Integrated Development Environment [IDE] provided by Apple for developers to create software applications for all of Apple's platforms," says Philip Stokes, threat researcher at SentinelOne.

It is free to download and use and is chiefly used by developers to create apps for iPhone, iPad apps, and the Mac, he says.

XcodeSpy installs a variant of the EggShell backdoor on an Apple developer's macOS system. The backdoor is designed to spy on the developer and has features for recording the victim's camera, microphone, and keyboard activity. It also has the ability to download and upload files and to remain persistent on an infected system.

The malware is executed when a developer using the Trojanized version of the TabBarInteraction Xcode project launches what is known as the build target in Xcode. The XcodeSpy malware contacts the attacker's command-and-control (C2) server and drops the EggShell backdoor on the development machine, SentinelOne said in a report this week.

"An Xcode project is a repository for all the files, resources, and information required to build one or more software products," Stokes says. "A project contains all the elements used to build a product and maintain the relationships between those elements."

Injecting malware into an Xcode project gives attackers a way to target developers and potentially backdoor the developer's apps and the customers of those apps, he says. With XcodeSpy itself, though, the attackers appear to be only directly targeting the developers themselves, according to SentinelOne.

The security vendor said a sample of XcodeSpy was found on a US-based victim's Mac in late 2020. The company's report did not disclose the identity of the victim but described the organization as a frequent target of North Korean advanced persistent threat actors.

SentinelOne said it's possible that XcodeSpy may have been targeted at a specific developer or group of developers. Or it is also possible that attackers are using the malware to collect information that can be launched in future attacks or to harvest AppleID credentials for the same purpose. The security vendor said so far it has not been able to find any other instances of doctored Xcode projects. But available telemetry suggests that other XcodeSpy projects exist, and developers need to be on the lookout.

Stokes says the malicious code is relatively easy to spot if developers know how to look for it. But the attackers have obfuscated the malware enough that it can evade detection by casual inspection, especially when new or inexperienced developers are using the doctored Xcode project.

"The simple technique for hiding and launching a malicious script used by XcodeSpy could be deployed in any shared Xcode project," SentinelOne said in its report. "Consequently, all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects."

The malware is the latest example of attackers targeting the software supply chain and trusted technology partners, in general, to try and get at their customers. The SolarWinds breach disclosed last December has emerged as one of the most visible examples of how attackers can compromise a large number of organizations simultaneously by planting a backdoor in software from a vendor that all of them use.

Earlier this year, Google's threat analysis group disclosed a wide-ranging North Korean threat campaign targeting security researchers working on vulnerability research at multiple organizations. Part of the campaign involved the threat actors tricking security researchers into working with a Visual Studio project that contained hidden malware.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/22/2021 | 9:46:09 AM
Only use signed source code from developers you can identify
Don't eat candy from strangers, and don't use source code from strangers. If the code isn't signed using a traceable cert in a repository such as GitHub, you have no idean where its been. Note that this isn't the same thing as binary code signing.

Source code itself can not be code signed in a meaningful way for macOS. Source files and code can be digitally signed, as any other file can be, but this makes no impact on how the resulting application or binary is treated by macOS. Signed source code only tells you the identity of the author, so you can reach them in the future and hold them accountable for malicious activities. This means they must use a meaningful, traceable, public certificate. It's not perfect, but apparently with this instance the corrupted source code is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. 

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version You can get the update to regularly via the Auto-U...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below We recommend to update to the current version You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions o...