Researchers from SentinelOne have discovered new malware targeting developers of macOS apps in the latest sign of growing attacker interest in the software supply chain.
The malware, XcodeSpy, is disguised as a legitimate Xcode open source project called TabBarInteraction that provides macOS developers with code for animating the iOS Tab Bar based on user interaction.
"Xcode is an Integrated Development Environment [IDE] provided by Apple for developers to create software applications for all of Apple's platforms," says Philip Stokes, threat researcher at SentinelOne.
It is free to download and use and is chiefly used by developers to create apps for iPhone, iPad apps, and the Mac, he says.
XcodeSpy installs a variant of the EggShell backdoor on an Apple developer's macOS system. The backdoor is designed to spy on the developer and has features for recording the victim's camera, microphone, and keyboard activity. It also has the ability to download and upload files and to remain persistent on an infected system.
The malware is executed when a developer using the Trojanized version of the TabBarInteraction Xcode project launches what is known as the build target in Xcode. The XcodeSpy malware contacts the attacker's command-and-control (C2) server and drops the EggShell backdoor on the development machine, SentinelOne said in a report this week.
"An Xcode project is a repository for all the files, resources, and information required to build one or more software products," Stokes says. "A project contains all the elements used to build a product and maintain the relationships between those elements."
Injecting malware into an Xcode project gives attackers a way to target developers and potentially backdoor the developer's apps and the customers of those apps, he says. With XcodeSpy itself, though, the attackers appear to be only directly targeting the developers themselves, according to SentinelOne.
The security vendor said a sample of XcodeSpy was found on a US-based victim's Mac in late 2020. The company's report did not disclose the identity of the victim but described the organization as a frequent target of North Korean advanced persistent threat actors.
SentinelOne said it's possible that XcodeSpy may have been targeted at a specific developer or group of developers. Or it is also possible that attackers are using the malware to collect information that can be launched in future attacks or to harvest AppleID credentials for the same purpose. The security vendor said so far it has not been able to find any other instances of doctored Xcode projects. But available telemetry suggests that other XcodeSpy projects exist, and developers need to be on the lookout.
Stokes says the malicious code is relatively easy to spot if developers know how to look for it. But the attackers have obfuscated the malware enough that it can evade detection by casual inspection, especially when new or inexperienced developers are using the doctored Xcode project.
"The simple technique for hiding and launching a malicious script used by XcodeSpy could be deployed in any shared Xcode project," SentinelOne said in its report. "Consequently, all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects."
The malware is the latest example of attackers targeting the software supply chain and trusted technology partners, in general, to try and get at their customers. The SolarWinds breach disclosed last December has emerged as one of the most visible examples of how attackers can compromise a large number of organizations simultaneously by planting a backdoor in software from a vendor that all of them use.
Earlier this year, Google's threat analysis group disclosed a wide-ranging North Korean threat campaign targeting security researchers working on vulnerability research at multiple organizations. Part of the campaign involved the threat actors tricking security researchers into working with a Visual Studio project that contained hidden malware.