A new type of macOS malware named XcodeSpy has been uncovered by security researchers. It has been used in the wild to attack iOS software developers through trojanized Xcode projects.
The malware consists of a malicious Run Script that was added to a legitimate Xcode project named TabBarInteraction.
SentinelOne, the security firm that analyzed the malware in a report published today, said the malicious script ran every time the Xcode project was built, installing a LaunchAgent for reboot persistence and then downloading a second payload, a macOS backdoor named EggShell. Phil Stokes, macOS malware researcher at SentinelOne, said:
“The backdoor has functionality for recording the victim’s microphone, camera and keyboard, as well as the ability to upload and download files.”
Although the XcodeSpy server infrastructure was down, Stokes said they were able to find several instances of the EggShell backdoor uploaded to the VirusTotal web-based malware scanner. Stokes said SentinelOne first learned of this malware following a tip from an anonymous researcher, who found an instance of the EggShell backdoor on the network of a US-based company.
“The victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities. Part of our motivation for publishing this now is to raise awareness in the cyber community in the hope of gathering more intelligence. Given the limited data we have at present, we can’t make any conclusions about the threat actor.”
Based on the evidence SentinelOne gathered during its investigation, the company thinks the threat actor behind this campaign was active between July and October 2020 and may have primarily targeted developers located in Asia. Other details remain unknown.
The SentinelOne team has also made available a simple terminal command that can help macOS software devs find traces of malicious XcodeSpy Run Scripts in their projects.
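SentinelOne's command is not reproduced here. The script below is an added example, not SentinelOne's published check, that performs the same kind of sweep: it walks a directory for project.pbxproj files, where Xcode stores each Run Script phase as a PBXShellScriptBuildPhase object with the entire script on a single `shellScript = "...";` line, and prints any phase that matches a set of assumed review heuristics (eval, base64, curl, LaunchAgents and similar). The heuristics are an assumption for illustration, not indicators from the report, and the two sample projects it writes are constructed, with a placeholder standing in for an encoded command.

```shell
#!/bin/sh
# Added example, not SentinelOne's published command: list the Run Script build
# phases in Xcode projects under a directory and flag the ones that match
# review heuristics. The heuristics and the sample projects are constructed.
set -eu

# Patterns worth a human look in a Run Script line (assumed heuristics, not
# indicators from the report): evaluating generated text, decoding encoded
# blobs, fetching from the network, or touching launchd persistence.
# A match means "read this script before building", not "this is malware".
SUSPICIOUS_PATTERN='eval|base64|curl |wget |nohup|launchctl|LaunchAgents|/dev/tcp'

# Print every Run Script line in one project.pbxproj, prefixed by file and line.
list_run_scripts() {
    awk '/shellScript = / { print FILENAME ":" FNR ": " $0 }' "$1"
}

# Print how many Run Script lines in one project.pbxproj match the heuristics.
count_suspicious_run_scripts() {
    awk -v pat="$SUSPICIOUS_PATTERN" \
        '/shellScript = / && $0 ~ pat { n++ } END { print n + 0 }' "$1"
}

# Walk a directory tree and report every project with a flagged Run Script.
scan_tree() {
    find "$1" -name project.pbxproj -print | while IFS= read -r pbx; do
        n=$(count_suspicious_run_scripts "$pbx")
        if [ "$n" -gt 0 ]; then
            printf '%s: %s flagged Run Script phase(s)\n' "$pbx" "$n"
            awk -v pat="$SUSPICIOUS_PATTERN" \
                '/shellScript = / && $0 ~ pat { print "  line " FNR ": " substr($0, 1, 160) }' "$pbx"
        fi
    done
}

# --- constructed sample data: two minimal project.pbxproj files ---------------
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/Benign.xcodeproj" "$SAMPLE_DIR/Trojanized.xcodeproj"
BENIGN_PBX="$SAMPLE_DIR/Benign.xcodeproj/project.pbxproj"
TROJAN_PBX="$SAMPLE_DIR/Trojanized.xcodeproj/project.pbxproj"

# A typical linting Run Script: nothing to flag.
cat > "$BENIGN_PBX" <<'EOF'
// !$*UTF8*$!
{
    objects = {
        AA01 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
    };
}
EOF

# A Run Script that decodes and evaluates hidden text at build time; the
# encoded payload is a placeholder, not a real command.
cat > "$TROJAN_PBX" <<'EOF'
// !$*UTF8*$!
{
    objects = {
        BB01 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo PLACEHOLDER_ENCODED_COMMAND | base64 -d)\"\n";
        };
    };
}
EOF

# Usage: scan the sample tree. Point scan_tree at the directory holding cloned
# or downloaded projects instead of $SAMPLE_DIR to check real checkouts.
scan_tree "$SAMPLE_DIR"
```

Because a Run Script phase executes with the developer's privileges on every build, the point of the sweep is to review the script text before the first build of any third-party project, not after; a flagged line is a prompt to read the script, since legitimate build steps can also call curl or base64.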
The XcodeSpy campaign continues a trend seen in recent years, in which threat actors use booby-trapped Xcode projects to attack iOS and macOS developers.