New Malware Hidden in Apple IDE Targets macOS Developers

Published: 23/11/2024   Category: security


XcodeSpy is latest example of growing attacks on software supply chain.



Researchers from SentinelOne have discovered new malware targeting developers of macOS apps in the latest sign of growing attacker interest in the software supply chain.
The malware, XcodeSpy, is disguised as a legitimate Xcode open source project called TabBarInteraction that provides macOS developers with code for animating the iOS Tab Bar based on user interaction.
Xcode is an Integrated Development Environment (IDE) provided by Apple for developers to create software applications for all of Apple's platforms, says Philip Stokes, threat researcher at SentinelOne.
It is free to download and use and is chiefly used by developers to create apps for iPhone, iPad, and the Mac, he says.
XcodeSpy installs a variant of the EggShell backdoor on an Apple developer's macOS system. The backdoor is designed to spy on the developer and has features for recording the victim's camera, microphone, and keyboard activity. It can also download and upload files and persist on an infected system.
The malware executes when a developer using the Trojanized version of the TabBarInteraction Xcode project builds what Xcode calls the build target: a malicious Run Script in the project contacts the attackers' command-and-control (C2) server and drops the EggShell backdoor on the development machine, SentinelOne said in a report this week.
An Xcode project is a repository for all the files, resources, and information required to build one or more software products, Stokes says. A project contains all the elements used to build a product and maintain the relationships between those elements.
Injecting malware into an Xcode project gives attackers a way to target developers and potentially to backdoor the developers' apps and, through them, the customers of those apps, he says. With XcodeSpy itself, though, the attackers appear to be directly targeting only the developers, according to SentinelOne.
The security vendor said a sample of XcodeSpy was found on a US-based victim's Mac in late 2020. The company's report did not disclose the identity of the victim but described the organization as a frequent target of North Korean advanced persistent threat actors.
SentinelOne said it's possible that XcodeSpy was aimed at a specific developer or group of developers. It is also possible that the attackers are using the malware to collect information for use in future attacks, or to harvest Apple ID credentials for the same purpose. The security vendor said that so far it has not found any other doctored Xcode projects, but that available telemetry suggests other XcodeSpy projects exist, so developers need to be on the lookout.
Stokes says the malicious code is relatively easy to spot if developers know how to look for it. But the attackers have obfuscated the malware enough that it can evade detection by casual inspection, especially when new or inexperienced developers are using the doctored Xcode project.
The simple technique XcodeSpy uses to hide and launch a malicious script could be deployed in any shared Xcode project, SentinelOne said in its report. Consequently, all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects.
The malware is the latest example of attackers targeting the software supply chain, and trusted technology partners in general, to get at their customers. The SolarWinds breach disclosed last December has emerged as one of the most visible examples of how attackers can compromise a large number of organizations simultaneously by planting a backdoor in software from a vendor that all of them use.
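The check SentinelOne recommends above, and the Run Script execution path described earlier, can be made concrete with a short audit script. The following Python is an added example written for this page; it is not SentinelOne's code, not part of the TabBarInteraction project, and not taken from the XcodeSpy sample. Xcode stores each Run Script phase as a PBXShellScriptBuildPhase object in project.pbxproj, with the script as a quoted, backslash-escaped shellScript string; the script below extracts those, decodes them, and flags the kind of hiding the article describes. The sample project file, the 40-character padding threshold, and the keyword list are assumptions chosen for illustration.

```python
"""Audit Run Script build phases in an Xcode project.pbxproj file.

Added example (not SentinelOne's code, not the TabBarInteraction project's).
The padding threshold and keyword list below are illustrative assumptions.
"""
import re
import sys
from typing import Dict, List

# Constructed sample (hypothetical, not the XcodeSpy file): two Run Script
# phases, one of which pushes its real command behind a long run of spaces
# so it scrolls out of view in Xcode's Run Script editor.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AB12CD34EF56 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "# Type a script or drag a script file from your workspace to insert its path.\n<PAD>eval \"$(echo 'PLACEHOLDER_BLOB' | base64 -D)\"\n";
        };
        0011223344AA /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Lint";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
/* End PBXShellScriptBuildPhase section */
'''.replace('<PAD>', ' ' * 120)

# One pbxproj object: <id> /* label */ = { ... };
OBJECT_RE = re.compile(
    r'(?P<id>\w+)\s*(?:/\*\s*(?P<label>[^*]*?)\s*\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};',
    re.DOTALL,
)
QUOTED = r'"((?:[^"\\]|\\.)*)"'          # double-quoted string with backslash escapes
ISA_RE = re.compile(r'\bisa\s*=\s*PBXShellScriptBuildPhase\s*;')
NAME_RE = re.compile(r'\bname\s*=\s*' + QUOTED + r'\s*;')
SCRIPT_RE = re.compile(r'\bshellScript\s*=\s*' + QUOTED + r'\s*;')

_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '"': '"', '\\': '\\'}


def unescape(value: str) -> str:
    """Decode the backslash escapes Xcode uses inside quoted pbxproj strings."""
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)), value, flags=re.DOTALL)


# Heuristics (assumptions for this example, not a complete detection rule set).
PADDING_RE = re.compile(r'[ \t]{40,}\S')  # content hidden behind a wall of whitespace
SUSPICIOUS = {
    'eval': re.compile(r'\beval\b'),
    'base64 decode': re.compile(r'\bbase64\b.*(-d|--decode|-D)'),
    'network fetch': re.compile(r'\b(curl|wget|nc|ncat)\b|/dev/tcp/'),
    'osascript': re.compile(r'\bosascript\b'),
    'interpreter one-liner': re.compile(r'\b(python[23]?|perl|ruby)\b\s+-[ec]\b'),
    'hex decode': re.compile(r'\bxxd\b\s+-r'),
}


def script_findings(script: str) -> List[str]:
    """Return the names of every heuristic the decoded script triggers."""
    findings = []
    if PADDING_RE.search(script):
        findings.append('whitespace padding')
    for label, pattern in SUSPICIOUS.items():
        if pattern.search(script):
            findings.append(label)
    return findings


def audit_pbxproj(text: str) -> List[Dict[str, object]]:
    """Return one record per Run Script phase: id, name, decoded script, findings."""
    results = []
    for m in OBJECT_RE.finditer(text):
        body = m.group('body')
        if not ISA_RE.search(body):
            continue  # not a Run Script phase
        name_m = NAME_RE.search(body)
        name = unescape(name_m.group(1)) if name_m else (m.group('label') or m.group('id'))
        script_m = SCRIPT_RE.search(body)
        script = unescape(script_m.group(1)) if script_m else ''
        results.append({'id': m.group('id'), 'name': name,
                        'script': script, 'findings': script_findings(script)})
    return results


def format_report(records: List[Dict[str, object]]) -> str:
    """Render the audit; stripping each line defeats the whitespace hiding."""
    lines = []
    for r in records:
        status = 'SUSPICIOUS' if r['findings'] else 'ok'
        lines.append(f"[{status}] {r['name']} ({r['id']}): {', '.join(r['findings']) or 'no findings'}")
        for line in str(r['script']).splitlines():
            lines.append('    | ' + line.strip())
    return '\n'.join(lines)


if __name__ == '__main__':
    # Usage: python audit_pbxproj.py MyApp.xcodeproj/project.pbxproj
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    print(format_report(audit_pbxproj(text)))
```

Run it against a downloaded project's project.pbxproj before the first build, since Run Script phases execute as part of the build. Printing the decoded script with leading whitespace stripped is the important part: Xcode's editor shows the padded script as an apparently empty comment, while the audit prints the eval line that follows the padding.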
Earlier this year, Google's threat analysis group disclosed a wide-ranging North Korean threat campaign targeting security researchers working on vulnerability research at multiple organizations. Part of the campaign involved the threat actors tricking security researchers into working with a Visual Studio project that contained hidden malware.
