New Mac Malware Targets Developers

Security researchers have discovered a new piece of malware capable of compromising systems running macOS. In particular, the malware targets developers who make use of the Xcode projects integrated developer environment (IDE). Typically, developers developing apps for macOS or iOS make use of Xcode to better make use of features unique to those two platforms both developed and maintained by Apple. The malware was discovered by researchers working at Sentinel Labs, with details of the malware being published by the security firm recently.

The malware, named XcodeSpy, abuses the RunScript functionality found within Xcode. The malware is currently being distributed via an open-source Xcode project available on Github. The attackers are looking to take advantage of a community of developers who share tools and applications to better assist other developers. The malicious developer tool discovered by researchers is a ripped and modified version of TabBarInjection, which is a legitimate project that assists developers in creating interactive tab and navigation bars. It is important to note that the legitimate TabBarInjection has not been compromised.

The malicious application containing XcodeSpy advertises itself as an advanced toolset that enables developers to animate iOS tabs. Once the initial build is downloaded and installed a malicious script is run via the RunScript feature. This will install a backdoor through the use of the EggShell backdoor. EggShell has been used by threat actors installing back doors on Mac machines in the past. The backdoor creating malware has been described as a broad spectrum backdoor creating utility by researchers. This makes it a handy tool for threat actors to use in a variety of use cases. Previously it has been used in malware like CoinTicker which could steal cryptocurrency wallet credentials.

new mac malware targets developers

In comparison, XcodeSpy makes use of EggShell to help facilitate the stealing of information. Xcode features the ability to tamper with the RunScript so that it connects with a command-and-control server under the attacker’s control. The malware will then send instructions to the server to fetch and download EggShell. Researchers spotted two customized versions of EggShell being downloaded in campaigns with one containing an encrypted string of XcodeSpy. Lastly, the malware will send an instruction to the server to download and install LaunchAgent, this tool assists the malware in remaining persistent on the system even if the machine is rebooted. Once these steps have been completed the malware will begin carrying out its main function, information stealing.

The malware does this by being able to hijack the victim’s microphone, camera, and keyboard, as well as grab and send files to the attacker's command-and-control server. SentinelLabs says that at least one US organization has been caught up in attacks of this nature and developers in Asia may have also succumbed to the campaign, which was in operation at least between July and October last year. Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13. XcodeSpy was first uploaded on September 4, however, the researchers suspect the attacker may have uploaded the sample themselves to test detection rates. In concluding researchers noted,

“… XcodeSpy takes the form of a trojanized Xcode project, making it lighter and easier to distribute than a full version of the Xcode IDE. While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software. It is entirely possible that XcodeSpy may have been targeted at a particular developer or group of developers, but there are other potential scenarios with such high-value victims. Attackers could simply be trawling for interesting targets and gathering data for future campaigns, or they could be attempting to gather AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures. These suggestions do not exhaust the possibilities, nor are they mutually exclusive.”

Researchers advise that, “all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects.”

Not the First Time

XcodeSpy is by no means the first time Xcode developers have been targeted by threat actors. In 2015 after Chinese iOS developers disclosed suspicious-looking code found on the Sina Weibo app store. After analyzing the relevant samples Palo Alto Network’s Unit 42 confirmed the suspicious code was indeed a novel form of malware. Called XcodeGhost, the malware was determined to be the first compiler malware in OS X with the malware been injected into compromised Xcode installers. The malicious installers were then uploaded to Baidu’s cloud file sharing service for use by Chinese iOS/OS X developers. XcodeGhost exploits Xcode’s default search paths for system frameworks and has successfully infected multiple iOS apps created by infected developers. At least two iOS apps were submitted to App Store, successfully passed Apple’s code review, and were published for public download resulting in several Chinese developers unwittingly downloading the malware.

As with XcodeSpy, XcodeGhost was designed to steal and exfiltrate data to the attacker's command-and-control server. At the time this lead researchers to conclude,

“XcodeGhost disclosed a very easy way to Trojanize apps built with Xcode. In fact, attackers do not need to trick developers into downloading untrusted Xcode packages, but can write an OS X malware that directly drops a malicious object file in the Xcode directory without any special permission…Additionally, although Apple’s code review for App Store submissions is very strict, some applications are never reviewed by Apple.If the iOS app is used by an enterprise internally, for example, it will be distributed in-house and won’t go through the App Store.In the same example, an OS X app can also be infected, and lots of OS X apps are directly distributed via the Internet other than App Stores.”

Closer to the present day TrendMicro discovered XCSSET with the firm publishing a malware analysis white paper in August 2020. At the time of discovery, it was not yet known the exact method of how the malware was delivered to victims. It was believed that the malware was wormed into Xcode projects and similar to the above-mentioned malware strains the malicious code is run when the Xcode project is run and the malicious payload is then dropped. The main XCSSET payload would be the last payload to be dropped once the victim’s machine had been fully compromised.

In this case, the malware will specifically target Safari, Apple’s proprietary browser, including development versions and makes use of two vulnerabilities to steal victim data. The first of the flaws were found in Data Vault where attackers could circumvent the protections macOS puts in place for Safari cookie files via SSHD. The second vulnerability of note is due to how the Safari WebKit operates. Normally, launching the kit requires a user to submit their password, but attackers found a bypass that can be used to perform malicious operations via the un-sandboxed Safari browser. The security issues allow Safari cookies to be read and dumped, and these packets of data are then used to inject JavaScript-based backdoors into displayed pages via a Universal Cross-site Scripting (UXSS) attack.

Trend Micro believes the UXSS element of the attack chain could be used not only to steal general user information, but also to modify browser sessions to display malicious websites, change cryptocurrency wallet addresses, harvest Apple Store credit card information, and steal credentials from sources including Apple ID, Google, Paypal, and Yandex. The malware is also able to steal a variety of other user data, including Evernote content, Notes information, and communication from Skype, Telegram, QQ, and WeChat applications. Also, XCSSET can take screenshots, exfiltrate data and send stolen files to a command-and-control server. Researchers further believed that the malware contained a ransomware module for file encryption and blackmail demand messages, but the module had not been used in attacks the security firm witnessed.

Following the discovery of XcodeSpy, researchers are worried they are seeing a trend emerge in malware development where developers are targeted as a means of initial compromise to carry out larger supply chain attacks as was seen with the recent SolarWinds incident. This is by no means an unreasonable fear given that with all three of the malware strains discussed above that target Xcode projects, one of the main purposes of the malware was data theft, a hallmark of the initial steps taken to complete a successful supply chain attack. Steal credentials to gain wider access to a targeted network. It is also possible that by compromising Xcode projects attackers could compromise companies other than the developer's own.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal