Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Hackers Used Trojanized Xcode to Target macOS Developers

Supply Chain Attack Hits Development Environment
Hackers Used Trojanized Xcode to Target macOS Developers

Hackers used Trojanized Xcode projects to install backdoors on developers' devices as part of a supply chain attack, security firm Sentinel Labs reports. Xcode is Apple's integrated development environment for macOS.

See Also: Don't Click This Link: Addressing the Human Factor in Cybersecurity

The Trojan, dubbed XcodeSpy, was spread as part of a supply chain attack that attempts to target software developers by hosting the malware in a legitimate Xcode project in GitHub.

When a victim downloaded this Xcode project and executed it, XcodeSpy installed custom variants of an EggShell backdoor on developers' macOS computers. The malware was then able to record the victims' microphone, camera and keyboard and also uploaded and downloaded files.

Apple did not immediately reply to a request for comment.

Sentinel Labs notes that the campaign using the malware was active between July and October 2020, with one attack in the wild reported against an unidentified organization in the U.S. Researchers note the campaign may have also targeted developers in Asia.

Weaponizing Xcode

The XcodeSpy hackers began by infecting a legitimate open-source project found on Github called TabBarInteraction, Sentinel Labs says. This project is used by iOS developers for animating the iOS Tab Bar based on user interaction.

Once the project was downloaded and executed, it exploited the Run Script feature in Xcode to gain access to Apple's integrated development environment.

"When the developer's build target is launched, the script contacts the attackers’ C2 and drops a custom variant of the EggShell backdoor on the development machine," the report notes. "The malware installs a user LaunchAgent for persistence and is able to record information from the victim’s microphone, camera, and keyboard."

In a similar campaign in 2015, hackers used malware called XcodeGhost to target Chinese iOS developers, according to security firm Palo Alto.

Surge in Supply Chain Attacks

The XcodeSpy campaign is the latest example of attacks leveraging a supply chain.

Supply chain risks arise from how software components are developed, integrated, packaged and moved to production, says Rajeev Gupta, co-founder and chief product officer at security firm Cowbell Cyber.

"Poor quality and security practices during the software life cycle can lead to a watershed moment when cybercriminals take advantage of a vulnerability," Gupta says. "Patching, vulnerability management, but also vetting suppliers - including software vendors in your supply chain - is fundamental for effective risk management."

The XcodeSpy campaign "highlights the need for security to be embedded in development operations and high awareness with developers themselves," says Brandon Hoffman, CISO at Netenrich. "Everyone is going to need to remain or become exceedingly vigilant with all entry points to their code, products and services they are supplying.”

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, says that to prevent attacks caused by third-party tools, organizations should move beyond a single layer of protection.

"Remediate vulnerabilities as quickly as possible and double-check that patches are being applied and mitigating actions are being taken," Bar-Dayan says. "Considering the massive growth and scale of digital systems, and the exponential increase of vulnerabilities every year, this isn’t an easy job - but it is possible to succeed. It will certainly be worth the effort."

The biggest recent supply chain hack was the SolarWinds attack, in which hackers installed a backdoor in the company's Orion network monitoring tool (see: White House Preparing 'Executive Action' After SolarWinds Attack).

In another incident this month, Malaysia Airlines, Singapore Airlines, Finnair and Air New Zealand were breached in what appears to be a coordinated supply chain attack (see: Supply Chain Attack Jolts Airlines).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.