What is Xcode and how does this malware use it?
Xcode is a free IDE application created by Apple that can be downloaded from the Mac App Store. It allows developers to create applications designed to run on macOS, iOS, iPadOS, watchOS and tvOS. It is a legitimate piece of software that any organization building software for the Apple ecosystem is likely using extensively.
This new piece of malware, discovered by researchers at the cybersecurity firm SentinelOne, reaches Xcode users the same way an earlier piece of malware, XCSSET, did: through a trojanized Xcode project that executes malicious code when the project is built.
XcodeSpy: looks legit on GitHub
XcodeSpy masquerades as a legitimate software project on GitHub. It is a doctored copy of TabBarInteraction, a legitimate open-source Xcode project on GitHub intended to make advanced animated user interface capabilities available to iOS developers.
One infection can mean broad access
The big concern is that malware on a developer's machine gives an attacker the potential to interfere with the development of legitimate software that is then distributed to that developer's customers. To get a feeling for how much damage this kind of attack can do, look to the most high-profile case of an attacker gaining access to a vendor's development and build environment to subvert the build process: Solorigate. Developers are a perfect target for a threat actor looking to gain access to a broad range of victims.
When the XcodeSpy project is built in Xcode, an obfuscated script in the project's build phases runs and deploys what appears to be a customized version of the EggShell backdoor. The backdoor establishes persistence through a LaunchAgent and opens a remote shell to the threat actor's server, cralev[.]me, which has since been taken offline. There is some evidence that the backdoor could also collect data from the device and access the microphone and camera.
Because the payload is delivered as a script rather than a binary, it has evaded detection by many common security tools. When the script is executed from Xcode, the malware's parent process is Xcode itself, which routinely launches scripts for legitimate development purposes (build phases, linters, code generators), so the activity is easy to miss.
One indicator of compromise found across multiple variants of XcodeSpy is the string /private/tmp/.tag. The same string appears, as the encrypted string P4CCeYZxhHU/hH2APz6EcXc=, in variants of EggShell, an open-source post-exploitation tool intended for penetration testing. The XcodeSpy payload exhibits behavior similar to EggShell and shares another string, /tmp/.avatmp, that is also found in encrypted form in EggShell.
These indicators, together with the known command-and-control (C2) servers, are helpful but may not be enough on their own to identify an infection: strings and domains are trivial for an author to change between variants, and the C2 server named here is already offline. Reliable detection requires monitoring the application's behavior to identify suspicious activity.
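The behavioral signals described above (a shell spawned by Xcode that decodes hidden code or references the known paths, a LaunchAgent written by a build process, and a connection to the published C2 host) can be expressed as a small triage rule set. The following is an added example written for this page; it is not Jamf Protect's or SentinelOne's detection logic. The event records, their field names and the sample telemetry are constructed for illustration, and the indicator values are the ones the article lists.

```python
"""Behavioral triage of process, file and network events for XcodeSpy-style activity.

Added example, not Jamf Protect's or SentinelOne's logic. Event field names and
the sample telemetry are constructed assumptions, not real captures.
"""
import re
from typing import Iterable

# Indicators from the article. The C2 domain is kept de-fanged as published.
IOC_STRINGS = ("/private/tmp/.tag", "/tmp/.avatmp")
IOC_DOMAINS = {"cralev[.]me"}

# Build tooling that legitimately spawns scripts, and the shells it spawns.
BUILD_PARENTS = {"Xcode", "xcodebuild"}
SHELLS = {"sh", "bash", "zsh"}

# Commands that unpack or evaluate hidden code inside a build-phase script.
OBFUSCATION = re.compile(r"base64\s+(-D|-d|--decode)|openssl\s+enc\s+-d|\beval\b")
# Per-user persistence location used by the backdoor.
LAUNCH_AGENT = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")


def defang(host: str) -> str:
    """Normalise a de-fanged indicator so it compares equal to live telemetry."""
    return host.replace("[.]", ".")


def triage(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons: list[str] = []
    kind = event["type"]
    if kind == "exec":
        parent, name, cmd = event["parent"], event["name"], event["cmdline"]
        # A shell under Xcode is normal; one that decodes code or touches the
        # known paths is not.
        if parent in BUILD_PARENTS and name in SHELLS:
            if OBFUSCATION.search(cmd):
                reasons.append(f"obfuscated shell spawned by {parent}")
            if any(s in cmd for s in IOC_STRINGS):
                reasons.append("known XcodeSpy/EggShell path in command line")
    elif kind == "file_write":
        # A LaunchAgent plist written by something descended from a build is the
        # persistence step; the same write from Finder or an installer is routine.
        if LAUNCH_AGENT.search(event["path"]) and event.get("ancestor") in BUILD_PARENTS:
            reasons.append("LaunchAgent written from a build process")
    elif kind == "net_connect":
        if defang(event["host"]) in {defang(d) for d in IOC_DOMAINS}:
            reasons.append("connection to known C2 host")
    return reasons


def scan(events: Iterable[dict]) -> list[tuple[dict, list[str]]]:
    """Run triage over a stream of events and keep only the hits."""
    return [(e, r) for e in events if (r := triage(e))]


# Constructed sample telemetry (not real captures): two benign events per
# category sit next to one matching the article's description.
SAMPLE_EVENTS = [
    {"type": "exec", "parent": "Xcode", "name": "sh",
     "cmdline": "sh -c 'swiftlint lint --quiet'"},
    {"type": "exec", "parent": "Xcode", "name": "bash",
     "cmdline": 'bash -c "eval $(echo aGVsbG8= | base64 -D); touch /private/tmp/.tag"'},
    {"type": "file_write", "ancestor": "Xcode",
     "path": "/Users/dev/Library/LaunchAgents/com.example.update.plist"},
    {"type": "file_write", "ancestor": "Finder",
     "path": "/Users/dev/Library/LaunchAgents/com.vendor.agent.plist"},
    {"type": "net_connect", "host": "cralev.me", "port": 443},
    {"type": "net_connect", "host": "api.github.com", "port": 443},
]

if __name__ == "__main__":
    for ev, why in scan(SAMPLE_EVENTS):
        print(ev["type"], "->", "; ".join(why))
```

The point of the exec rule is the parent/child pairing: neither "Xcode spawned a shell" nor "a shell ran base64" is suspicious alone, which is exactly why a static signature on the script file misses this, while the combination plus the LaunchAgent write gives a chain worth alerting on even after the indicator strings change.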
Jamf Protect detects XcodeSpy and variants
Fortunately, Jamf Protect can help -- not only recognizing these variants by their signatures, but also by the malware’s behavior.
This is a great reminder of the importance of vetting third-party and open-source components used throughout development projects. Just because a project's source code is publicly available does not mean the component is safe. The assumption that "many eyes find security issues" has become less reliable as the volume of open-source code has grown and as malware authors have gotten better at hiding the true intent of their code behind obfuscation. In Xcode's case, vetting includes reading any Run Script build phases a project carries before building it, because those scripts execute with the developer's privileges the moment the build starts. Often the components you suspect the least are the ones an adversary picks to reach you.
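The infection mechanism described earlier (a script that runs when the project is built) and the vetting advice above both come down to the same check: read what a project's build phases execute before you build it. Xcode stores each Run Script phase in the project's project.pbxproj file as a PBXShellScriptBuildPhase object whose shellScript value is a quoted string. The following added example, written for this page and not part of XcodeSpy or the TabBarInteraction project, extracts those scripts, decodes any long base64 literals they embed, and flags common obfuscation and persistence markers. The pbxproj fragment, its object identifiers and the obfuscated command in it are constructed for illustration; they are not the real XcodeSpy payload.

```python
"""Pre-build audit of the Run Script build phases in an Xcode project.pbxproj.

Added example, not XcodeSpy's script or the TabBarInteraction project. The
sample pbxproj fragment below is constructed; its object IDs and the
obfuscated command are illustrative only.
"""
import base64
import re
import sys
from pathlib import Path

# A Run Script phase in the OpenStep-style pbxproj looks like:
#   <24 hex chars> /* Name */ = { isa = PBXShellScriptBuildPhase; ... };
PHASE_RE = re.compile(
    r"(?P<id>[0-9A-F]{24}) /\* (?P<name>[^*]*?) \*/ = \{\s*isa = PBXShellScriptBuildPhase;"
    r"(?P<body>.*?)\n\s*\};",
    re.S,
)
# shellScript is a double-quoted string with C-style escapes (\n, \", \\).
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)
# Long base64-looking tokens are worth decoding before judging the script.
B64_TOKEN_RE = re.compile(r"\b[A-Za-z0-9+/]{16,}={0,2}")
# Markers a reviewer would want flagged: decoding/evaluating hidden code,
# fetching remote content, the hidden-file paths from the article, persistence.
SUSPICIOUS = re.compile(
    r"base64\s+(-D|-d|--decode)|openssl\s+enc\s+-d|\beval\b|\bcurl\b|/tmp/\.|LaunchAgents"
)


def unescape(s: str) -> str:
    """Undo pbxproj string escapes in a single pass so '\\\\n' is not mis-decoded."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.S)


def decode_b64_literals(script: str) -> list[str]:
    """Decode embedded base64 tokens that yield printable text; ignore the rest."""
    out = []
    for tok in B64_TOKEN_RE.findall(script):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def run_script_phases(pbxproj: str) -> list[dict]:
    """Return every Run Script phase with its script, decoded payloads and flags."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj):
        sm = SCRIPT_RE.search(m.group("body"))
        script = unescape(sm.group(1)) if sm else ""
        decoded = decode_b64_literals(script)
        # Judge the script together with anything it was hiding in base64.
        text = "\n".join([script, *decoded])
        flags = sorted({f.group(0) for f in SUSPICIOUS.finditer(text)})
        phases.append({"id": m.group("id"), "name": m.group("name"),
                       "script": script, "decoded": decoded, "flags": flags})
    return phases


# Constructed sample: one ordinary lint phase and one that hides its real
# command ("touch /private/tmp/.tag") behind base64 and eval.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		1A2B3C4D5E6F708192A3B4C5 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		F5E4D3C2B1A0918273645546 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo dG91Y2ggL3ByaXZhdGUvdG1wLy50YWc= | base64 -D)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

if __name__ == "__main__":
    # Usage: python audit_pbxproj.py MyApp.xcodeproj/project.pbxproj
    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase in run_script_phases(source):
        status = "SUSPICIOUS " + ", ".join(phase["flags"]) if phase["flags"] else "ok"
        print(f"{phase['id']} {phase['name']!r}: {status}")
        for payload in phase["decoded"]:
            print("    decoded:", payload)
```

Run it against a freshly cloned project before opening it in Xcode, since the phases execute on the first build and Xcode does not prompt for them; a non-empty flags list is a reason to read the script by hand, not proof of malice, as legitimate phases do sometimes call curl or write to /tmp.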
Get behavioral-based endpoint protection purpose-built for Mac.