If you don’t spend much time in the Apple ecosystem, you may not realize that Xcode is a completely legitimate tool used in macOS for developing a wide range of software and applications.
Recently, based on research conducted by SentinelLabs, it has come to light that hackers are abusing Xcode via malware that has been dubbed XcodeSpy. It is being used to deploy the EggShell backdoor.
The SentinelLabs researchers discovered the malicious code attacked to a legitimate project on GitHub called “TabBarInteraction,” which does not seem to have been compromised when the XcodeSpy code was bolted on. The hackers quietly modified the run script such that it attaches to a command and control server that the hackers control which is used to install the aforementioned back door. From there, the sky is the limit as far as the hackers are concerned.
The researchers themselves had this to say about their recent discovery:
“While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software. Consequently, all Apple developers are cautioned to check for the presence of malicious Run scripts whenever adopting third-party Xcode projects.”
A short step indeed, and one that makes this particular malware strain doubly worrisome. Whether you’re an Apple developer, or a member of an IT team that works in the Apple product ecosystem, XcodeSpy and the EggShell backdoor are certainly two threats well worth keeping on your radar. At present, there’s only hard evidence of one US firm and a handful of Asian companies that have fallen victim to the XcodeSpy campaign, but that could change at any moment. Stay vigilant. It’s going to be a long year.