Researchers reported Thursday that threat actors have abused the Run Script feature in Apple’s Xcode integrated development environment (IDE) to infect Apple developers via shared Xcode projects.
In a blog post, SentinelLabs researchers said the malicious Xcode project – XcodeSpy – installs a custom variant of the EggShell backdoor on the developer’s macOS computer. The backdoor is able to record the victim’s microphone, camera and keyboard entries, plus can upload and download files. The researchers added that other threat actors could use the XcodeSpy infection and that all Apple developers using Xcode should be cautious when adopting shared projects.
According to the researchers, SentinelLabs learned about the trojanized Xcode project from an anonymous researcher. They said the malicious project functions as a doctored version of a legitimate, open-source project – available on GitHub – that offers iOS developers certain advanced features for animating the iOS Tab Bar.
However, the trojanized XcodeSpy version of this project was changed to execute an obfuscated Run Script when the developer’s build target gets launched. The script contacts the attackers’ C2 infrastructure and drops a custom variant of the EggShell backdoor on the development machine. The malware then installs a user LaunchAgent for persistence.
As part of the blog, the researchers offered some broader context, pointing out two ongoing and linked trends that bear watching: The targeting of developers and the use of supply chain attacks to infect large user bases.
“Success begets more success is a theme around the supply chain attacks and targeting to developers,” said Brandon Hoffman, chief information security officer at Netenrich. “This discovery highlights the ever-pressing need for companies to embed security in development operations. Unfortunately, it also highlights a significant need to continuously validate code that’s used and shared by many, especially open-source projects. The security community has been concerned about open-source code for decades and while it has taken some time, the concerns were legitimate. Everybody will have to remain or become exceedingly vigilant with all entry points to their code, products and services they supply.”
Greg Ake, a senior threat researcher at Huntress, added that this attack is a cause for concern because it can lead to a trickle-down infection and compromise of all customers that may use that app, putting them at risk to any number of abuses.
“Consumers need to better understand where their apps and services are coming from and what access they are giving up using these services,” Ake said. “Likewise, software developers need to make use of a defined software development lifecycle. Ensuring security concepts and reviews are included in the development process can assist in reducing this risk. Many apps and software shops are small teams that do not have the skill or budget to afford security. That does not even take into consideration the work required to build it out and maintain it. The incentivization for security needs to be there to ensure supply chain attacks like this do not continue to increase in frequency.”