Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

04:55 PM
Connect Directly

New Malware Hidden in Apple IDE Targets macOS Developers

XcodeSpy is latest example of growing attacks on software supply chain.

Researchers from SentinelOne have discovered new malware targeting developers of macOS apps in the latest sign of growing attacker interest in the software supply chain.

The malware, XcodeSpy, is disguised as a legitimate Xcode open source project called TabBarInteraction that provides macOS developers with code for animating the iOS Tab Bar based on user interaction.

Related Content:

'Next-Gen' Supply Chain Attacks Surge 430%

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

"Xcode is an Integrated Development Environment [IDE] provided by Apple for developers to create software applications for all of Apple's platforms," says Philip Stokes, threat researcher at SentinelOne.

It is free to download and use and is chiefly used by developers to create apps for iPhone, iPad apps, and the Mac, he says.

XcodeSpy installs a variant of the EggShell backdoor on an Apple developer's macOS system. The backdoor is designed to spy on the developer and has features for recording the victim's camera, microphone, and keyboard activity. It also has the ability to download and upload files and to remain persistent on an infected system.

The malware is executed when a developer using the Trojanized version of the TabBarInteraction Xcode project launches what is known as the build target in Xcode. The XcodeSpy malware contacts the attacker's command-and-control (C2) server and drops the EggShell backdoor on the development machine, SentinelOne said in a report this week.

"An Xcode project is a repository for all the files, resources, and information required to build one or more software products," Stokes says. "A project contains all the elements used to build a product and maintain the relationships between those elements."

Injecting malware into an Xcode project gives attackers a way to target developers and potentially backdoor the developer's apps and the customers of those apps, he says. With XcodeSpy itself, though, the attackers appear to be only directly targeting the developers themselves, according to SentinelOne.

The security vendor said a sample of XcodeSpy was found on a US-based victim's Mac in late 2020. The company's report did not disclose the identity of the victim but described the organization as a frequent target of North Korean advanced persistent threat actors.

SentinelOne said it's possible that XcodeSpy may have been targeted at a specific developer or group of developers. Or it is also possible that attackers are using the malware to collect information that can be launched in future attacks or to harvest AppleID credentials for the same purpose. The security vendor said so far it has not been able to find any other instances of doctored Xcode projects. But available telemetry suggests that other XcodeSpy projects exist, and developers need to be on the lookout.

Stokes says the malicious code is relatively easy to spot if developers know how to look for it. But the attackers have obfuscated the malware enough that it can evade detection by casual inspection, especially when new or inexperienced developers are using the doctored Xcode project.

"The simple technique for hiding and launching a malicious script used by XcodeSpy could be deployed in any shared Xcode project," SentinelOne said in its report. "Consequently, all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects."

The malware is the latest example of attackers targeting the software supply chain and trusted technology partners, in general, to try and get at their customers. The SolarWinds breach disclosed last December has emerged as one of the most visible examples of how attackers can compromise a large number of organizations simultaneously by planting a backdoor in software from a vendor that all of them use.

Earlier this year, Google's threat analysis group disclosed a wide-ranging North Korean threat campaign targeting security researchers working on vulnerability research at multiple organizations. Part of the campaign involved the threat actors tricking security researchers into working with a Visual Studio project that contained hidden malware.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/22/2021 | 9:46:09 AM
Only use signed source code from developers you can identify
Don't eat candy from strangers, and don't use source code from strangers. If the code isn't signed using a traceable cert in a repository such as GitHub, you have no idean where its been. Note that this isn't the same thing as binary code signing.

Source code itself can not be code signed in a meaningful way for macOS. Source files and code can be digitally signed, as any other file can be, but this makes no impact on how the resulting application or binary is treated by macOS. Signed source code only tells you the identity of the author, so you can reach them in the future and hold them accountable for malicious activities. This means they must use a meaningful, traceable, public certificate. It's not perfect, but apparently with this instance the corrupted source code is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. 

Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.