Hackers appear to be targeting Apple developers with a backdoor that has worked its way into a shared Xcode project, according to SentinelOne research published Thursday.
In a blog post, SentinelOne says an external researcher alerted the company about malicious code that was tainting a development project in Xcode, Apple’s integrated development environment (IDE) for macOS.
The malicious project, which the researchers say abuses the Run Script feature in Xcode, is a tainted version of an open-source project available on GitHub that helps developers animate the iOS Tab Bar.
The attackers made a version of the project that executes a malicious script and plants a backdoor on the victim’s development machine. If they leverage the backdoor properly, the attackers could record through the victim’s microphone or camera, or log keystrokes from their keyboard.
The hackers could also upload or download files, according to the research.
The revelation that there is malicious code taking advantage of a shared Xcode project in the wild could raise concerns about whether the attackers are interested in targeting developers in order to conduct a supply chain-based attack, according to SentinelOne researchers.
“Targeting software developers is the first step in a successful supply chain attack,” in which hackers would launch malicious code in a software update, the SentinelOne researchers write in a blog on the matter. “One way to do so is to abuse the very development tools necessary to carry out this work.”
There is “no indication in the console or debugger to indicate execution” of the malicious code, the researchers note.
Supply chain attacks have long been of concern for developers, but especially in recent months have come to the fore as the federal government and private sector work to respond to the SolarWinds hacking, in which suspected Russian actors launched a widespread espionage operation through a bad software update.
There are two variants of the custom backdoor, according to the SentinelOne researchers, who have named the backdoor “EggShell.” Both samples were uploaded to the malware sharing repository VirusTotal in August and October of last year. One of the samples was found on a victim’s Mac in late 2020, the researchers said.
The researchers did not identify the victim to maintain their anonymity.
It’s not the first time hackers have shown an interest in targeting developers. Just this year Google’s Threat Analysis Group revealed suspected North Korean government-linked hackers were targeting exploit developers and researchers. Xcode has also been a vector for infecting Apple developers before — in 2015 XcodeGhost offered developers in China a version of Xcode that was tainted with malicious code as well, according to previous Palo Alto Networks research.
SentinelOne does not attribute the latest Xcode issue to the suspected North Korean government-linked hackers.
The way the attackers worked the EggShell backdoor into the Xcode project in question this time could apply in other scenarios, SentinelOne researchers warned, noting they do not know the true motivation behind the exploitation.
“The simple technique for hiding and launching a malicious script used by XcodeSpy could be deployed in any shared Xcode project,” the blog states. “Consequently, all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects.”
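As an added example that is not part of the article or of SentinelOne's report: a small Python audit script that lists every Run Script build phase in an Xcode `project.pbxproj`, so the check the researchers recommend can be run before a third-party project is built. The sample project fragment and the keyword heuristics are my own constructions, not XcodeSpy's published indicators.

```python
import re
import sys

# Constructed sample fragment of an Xcode project.pbxproj (not taken from the article or
# from SentinelOne's report); the second phase stands in for a padded, suspicious script.
SAMPLE_PBXPROJ = r'''
		1A2B3C4D /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Lint";
			shellPath = /bin/sh;
			shellScript = "swiftlint --strict\n";
		};
		5E6F7A8B /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "\n\n\n\n\n\n\n\n\n\n\necho QUFBQQ== | base64 -d | sh &\n";
		};
'''

# Each build phase is one brace-delimited object; Run Script phases carry this isa value.
PHASE_RE = re.compile(r'\{[^{}]*isa = PBXShellScriptBuildPhase;[^{}]*\}')
SCRIPT_RE = re.compile(r'shellScript = "((?:\\.|[^"\\])*)";')
NAME_RE = re.compile(r'^\s*name = "?([^";]+)"?;', re.M)
# Generic fetch / decode-and-execute markers; my own heuristics, not SentinelOne's IoCs.
SUSPECT_RE = re.compile(r'base64|\beval\b|curl|wget|osascript|python -c|\|\s*(ba)?sh\b|nohup')

def unescape(s: str) -> str:
    # Undo pbxproj string escapes: \n, \t, \", \\
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def audit_run_scripts(pbxproj: str) -> list:
    """Return one record per Run Script phase: its name, script body, padding and a flag."""
    findings = []
    for block in PHASE_RE.finditer(pbxproj):
        text = block.group(0)
        m = SCRIPT_RE.search(text)
        script = unescape(m.group(1)) if m else ''
        n = NAME_RE.search(text)
        findings.append({
            'name': n.group(1) if n else 'Run Script',   # Xcode's default phase label
            'script': script,
            # Leading blank lines push the real command out of view in the build-phase editor.
            'leading_blank_lines': len(script) - len(script.lstrip('\n')),
            'suspicious': bool(SUSPECT_RE.search(script)),
        })
    return findings

if __name__ == '__main__':   # usage: python audit_xcode.py App.xcodeproj/project.pbxproj
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in audit_run_scripts(source):
        print('SUSPICIOUS' if f['suspicious'] else 'ok', f['name'], f['leading_blank_lines'], repr(f['script'].strip()[:60]))
```

Review every flagged phase by hand; a legitimate project may fetch dependencies in a Run Script, so the flag marks something to read, not something proven malicious.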
SentinelOne provided a list of known indicators of compromise to try to help threat hunters and developers sidestep any attacks leveraging this trojanized project. The indicators may only be related to past compromise, however, the researchers note.