Security Researchers Discover XcodeSpy Malware That Targets Developers

[MacRumors]

Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).

Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a legitimate open source project.

Developers who download the XcodeSpy project think they're getting TabBarInteraction, but the malware includes a hidden "run Script" executable that downloads and installs the EggShell open source back door that's able to spy on users through the microphone, camera, and keyboard as well as upload and download files.

Two variants of the custom EggShell attack were found to be uploaded in Japan, first in August and then in October, so this is an attack that's been out in the wild for some time.

We have thus far been unable to discover other samples of trojanized Xcode projects and cannot gauge the extent of this activity. However, the timeline from known samples and other indicators mentioned below suggest that other XcodeSpy projects may exist. By sharing details of this campaign, we hope to raise awareness of this attack vector and highlight the fact that developers are high-value targets for attackers.

SentinelOne says that all Apple Developers that use Xcode should exercise caution when using shared Xcode projects.

Article Link: Security Researchers Discover XcodeSpy Malware That Targets Developers

 

[bsamcash]

Why is it being called a Trojan when it has to be actively installed?

Edit: I'm an idiot. I misunderstood and didn't realize the malware was hidden. I thought individuals were purposefully installing it.

 

[I7guy]

Comes under the heading, be very careful about what you download.

 

[jonnysods]

Get ready for lots of Justin Long Intel videos about this next week.

 

[hot-gril]

Why is it being called a Trojan when it has to be actively installed?

Cause that's what trojans are.

 

[hot-gril]

Comes under the heading, be very careful about what you download.

Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.

 

[Unsupported]

Why is it being called a Trojan when it has to be actively installed?

What is a Trojan horse and what damage can it do?

There are many different types of harmful Trojan horses on the Internet. An overview of the best-known Trojan horses, and how you can protect yourself.

usa.kaspersky.com

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:

•Deleting data
•Blocking data
•Modifying data
•Copying data
•Disrupting the performance of computers or computer networks

Modifying data?

So it could infect the project that the developer is working on?

Nasty!

 

[Apple_Robert]

I wonder if Malwarebytes can detect that Malware.

 

[bobbie424242]

Laughing on my Linux developer laptop.

 

[Apple_Robert]

Laughing on my Linux developer laptop.

What is so funny? It's not like Linux hasn't had Malware problems.

 

[macsareveryinteresting]

I wonder if Malwarebytes can detect that Malware.

It probably can

 

[TETENAL]

Why is it being called a Trojan when it has to be actively installed?

Because that's the definition of a Trojan.

 

[sdf]

Laughing on my Linux developer laptop.

Exact same problem.

 

[devman]

Laughing on my Linux developer laptop.

wtf. More like laughing at yourself in the mirror...

 

[amartinez1660]

Xcode does warn you when opening an xcodeproj downloaded from the Internet, but given how frequently you legitimately have to open and build random projects, I wish there were better sandboxing. The "run script" phase runs arbitrary code, ofc necessary when building many things but also an attack vector.

Edit: And even if you're not manually opening/building projects, you're probably using Cocoapods, which is. Of course other dev platforms have similar risks.

I don’t know too much about this since I don’t program directly in xcode. You mean like importing a cocoa pods library could come with something that had the malware run the install script anyways? The spreading must be going at crazy rates actually.

Could something like “brew install xxxxx” also spread it?

 

[Suckfest 9001]

I have many computers of all types in the house, Mac and Windows. Only virus I ever gotten was on my Mac.

Turns out it was security by obscurity after all.

 

[hot-gril]

I don’t know too much about this since I don’t program directly in xcode. You mean like importing a cocoa pods library could come with something that had the malware run the install script anyways? The spreading must be going at crazy rates actually.

Could something like “brew install xxxxx” also spread it?

Not 100% sure about Cocoapods supporting build scripts until I try it myself, but I'd be very surprised if it didn't. Someone please correct me if I'm wrong.

`brew install`, yep. I mean you're running arbitrary code with user-level permissions and no sandboxing. Nothing guarantees that it does what the label says. The default package lists are somewhat curated to avoid malware, but you can `brew tap` whatever you want. This is part of why Homebrew refuses to run as root, but I disagree with that choice, and so do other package managers.

 

[RandomDSdevel]

hot-grill: Homebrew does utilize sandboxing, actually.