Cybercriminals are now serving macOS malware in trojanized Apple Xcode developer projects. The malicious project installs a variant of the EggShell backdoor.
Decoding Xcode
Researchers discovered hackers using a malicious code project called XcodeSpy to infect Apple Xcode.
It utilizes the Run Script feature of Apple’s IDE to deliver infect unsuspecting Apple Developers and make way for an EggShell backdoor variant.
The backdoor allows hackers to record the victim’s camera, microphone, keyboard movements, and upload/download files.
The trojanized Xcode project is a modified version of a genuine open-source project, TabBarInteraction, available on GitHub. The project provides features for animating the iOS Tab Bar to iOS developers.
Recent threats to XCode
A few months ago, a security bypass vulnerability (CVE-2021-1800) was found in the Apple Xcode version 12.3, which could allow an attacker to gain access to the vulnerable system.
In August 2020, an attacker was targeting Mac users via Xcode developer projects, infecting the victims with XCSSET suite of malware.
Conclusion
Although this attack appears to be targeting developers directly, one additional step may lead this attack to cascade the risks to the users or clients of the developers, leading to another supply-chain mishap. Therefore, developers are advised to exercise caution.