Apple developers targeted by new malware, EggShell backdoor

macOS malware is being spread via compromised Xcode projects.
Written by Charlie Osborne, Contributing Writer

Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors. 

The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications.

According to research published by SentinelLabs on Thursday, the Run Script feature in the IDE is being exploited in targeted attacks against iOS developers by way of Trojanized Xcode projects freely shared online. 

Legitimate, open source Xcode projects can be found on GitHub. However, in this case, XcodeSpy projects are offering "advanced features" for animating iOS tab bars -- and once the initial build is downloaded and launched, a malicious script is deployed to install the EggShell backdoor. 

The malicious project explored by the researchers is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. 

The Run script of the IDE has been quietly tampered with to connect an attacker's command-and-control (C2) server to a developer's project. In particular, Apple's IDE functionality that allows custom shell scripts to deploy on launching an instance of an app is the subject of abuse. 

The C2 is then contacted by the script to pull and download a custom variant of the EggShell backdoor, which installs a user LaunchAgent for persistence.

Two variants of EggShell have been detected -- and one of which shares an encrypted string with XcodeSpy. 

The backdoor is able to hijack the victim developer's microphone, camera, and keyboard, as well as grab and send files to the attacker's C2.

SentinelLabs says that at least one US organization has been caught up in attacks of this nature and developers in Asia may have also succumbed to the campaign, which was in operation at least between July and October last year. 

Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13. XcodeSpy was first uploaded on September 4, however, the researchers suspect the attacker may have uploaded the sample themselves in order to test detection rates. 

"While XcodeSpy appears to be directly targeted at the developers themselves rather than developers' products or clients, it's a short step from backdooring a developer's working environment to delivering malware to users of that developer's software," the researchers say. "Consequently, all Apple developers are cautioned to check for the presence of malicious Run scripts whenever adopting third-party Xcode projects." 

Back in August, Trend Micro tracked XCSSET malware in Xcode projects, thought to have been spread to compromise Safari browser sessions for phishing, cross-site scripting (XSS) attacks, and the theft of developer data. 

The team said the discovery ultimately led to a "rabbit hole of malicious payloads."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards