Hackers are using shared Xcode projects to infect Apple developers

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


Developers for Apple’s platforms are being hacked through importing shared Xcode projects infected with malware.

Researchers from SentinelOne detailed the growing trend after discovering a macOS malware dubbed XcodeSpy.

“Threat actors are abusing the Run Script feature in Apple’s Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects,” the researchers explained.

“XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism.”

Apple’s Xcode IDE (Integrated Development Environment) is used to develop iOS, macOS, iPadOS, watchOS, and tvOS. Any developer importing shared projects could find their devices infected with a trojan.

The XcodeSpy project installs a variant of the EggShell backdoor using an obfuscated Run Script build phase that executes when the project is built.

EggShell can record the victim’s webcam, microphone, and keyboard strokes.
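A defensive check a developer can run before building a shared project, added here as an example (it is not SentinelOne's or Apple's code): it lists every Run Script build phase in a project.pbxproj and flags scripts that decode hidden content, evaluate it, or reach out to the network or persistence locations. The pbxproj fragment and its scripts are constructed for the demo, and the regex-based parsing assumes the standard layout Xcode writes rather than a full plist parser.

```python
import re

# Constructed sample: a minimal fragment of an Xcode project.pbxproj with two
# Run Script build phases. The scripts are invented, not taken from XcodeSpy.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AB12 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo aGVsbG8= | base64 -d)\"\n";
        };
        CD34 /* SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Patterns worth a manual look in a project you did not write: hidden-content
# decoding, dynamic evaluation, network fetches, and macOS persistence paths.
SUSPICIOUS = [r"\beval\b", r"base64", r"\bcurl\b", r"\bwget\b",
              r"\bosascript\b", r"\bnohup\b", r"\blaunchctl\b", r"LaunchAgents"]

# One pbxproj object: "<id> /* <label> */ = { ... };" (assumes Xcode's layout)
BLOCK_RE = re.compile(r"(\w+) /\* (.*?) \*/ = \{(.*?)\n\s*\};", re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)


def run_script_phases(pbxproj: str) -> list[dict]:
    """Return each PBXShellScriptBuildPhase as {'id', 'name', 'script'}."""
    phases = []
    for ident, label, body in BLOCK_RE.findall(pbxproj):
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        m = SCRIPT_RE.search(body)
        # pbxproj escapes quotes and newlines inside the script string
        script = m.group(1).replace('\\"', '"').replace("\\n", "\n") if m else ""
        phases.append({"id": ident, "name": label, "script": script})
    return phases


def flag_suspicious(pbxproj: str) -> list[tuple[str, list[str]]]:
    """For each Run Script phase, list the suspicious patterns it matches."""
    findings = []
    for p in run_script_phases(pbxproj):
        hits = [pat for pat in SUSPICIOUS if re.search(pat, p["script"])]
        if hits:
            findings.append((p["id"], hits))
    return findings


if __name__ == "__main__":
    for ident, hits in flag_suspicious(SAMPLE_PBXPROJ):
        print(f"phase {ident}: review before building, matches {hits}")
```

A match is a prompt to read the script by hand, not a verdict; legitimate tooling phases such as the SwiftLint one above produce no hits.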

SentinelOne has, so far, found two variants of the EggShell backdoor installed by XcodeSpy, which contain a number of encrypted C2 URLs and encrypted strings for various file paths. An encrypted string – shared between the doctored Xcode project and the custom backdoors – links them as belonging to the same XcodeSpy campaign.

Google discovered a similar attack vector back in January when a North Korea-linked campaign was found to be targeting security researchers and exploit developers by sharing a Visual Studio project designed to load a malicious DLL.

So, whether you’re a Mac or Windows-based developer, be careful what projects you’re importing.

(Photo by Lukas Hellebrand on Unsplash)
