iOS developers targeted by new XcodeSpy malware

XcodeSpy is a new supply-chain attack aimed at Mac developers. Here is how to detect and remediate it.

March 19 2021 by

Stuart Ashenbrenner

A person spies through a window shade -- XcodeSpy is a new supply-chain attack.

Continuing the recent series of supply-chain attacks, threat actors are targeting iOS developers with an Xcode project known as XcodeSpy.

What is X-Code and how does this malware use it?

Xcode is a free IDE application created by Apple that can be downloaded from the Mac App Store. It allows developers to create applications designed to run on macOS, iOS, iPadOS, watchOS and tvOS. It is a legitimate piece of software that any organization building software for the Apple ecosystem is likely using extensively.

This new piece of malware, discovered by researchers from cybersecurity firm SentinelOne, infiltrates Xcode users similarly to another piece of malware called XCSSET via Xcode.

XcodeSpy: looks legit on GitHub

XcodeSpy masquerades as a legitimate software project on GitHub. It is based on the legitimate TabBarInteraction Xcode project, an open-source project on GitHub, intended for making advanced animated user interface capabilities available to iOS developers.

One infection can mean broad access

The big concern is that malware introduced to developer devices creates the potential for an attacker to interfere with the development of legitimate software that is then distributed to the developer’s customers. To get a feeling for the potential for damage that this kind of attack can cast, we can look to the most high-profile case of an attacker gaining access to developer machines: Sloarigate to disrupt the development process: Solarigate. Developers are a perfect target for a threat actor that is looking to gain access to a broad range of targets.

Detecting XcodeSpy

When the XcodeSpy project is built in XCode, it runs an obfuscated script that deploys what appears to be a customized version of the EggShell malware. This malware establishes persistence through a Launchagent and opens a remote shell to the threat actor’s server, cralev[.]me, which has now been taken offline. There is some evidence that the malware could then collect data from the device as well as access the microphone and the camera.

As a script, it has been able to evade detection by many common security tools. When the script is executed from Xcode, the malware’s parent process is Xcode which routinely launches scripts for legitimate development purposes, making it easy to miss.

One indicator of compromise that has been discovered across multiple variants of XcodeSpy is the string /private/tmp/.tag. This was also found in variants of the EggShell malware as encrypted string P4CCeYZxhHU/hH2APz6EcXc=. EggShell, an open-source post-exploitation tool intended for penetration testing. It exhibits similar behaviors to EggShell malware and shares a common string /tmp/.avatmp found to be encrypted in the EggShell malware.

This indicator along with the known command-and-control (C2) servers, while helpful, may not be enough to identify a potential infection. Detection requires monitoring of the application's behavior to identify suspicious activity.

Jamf Protect detects XcodeSpy and variants

Fortunately, Jamf Protect can help -- not only recognizing these variants by their signatures, but also by the malware’s behavior.

This is a great reminder of the importance of vetting third-party and open-source components used throughout development projects. Just because project source code is available publicly does not mean that the component is inherently safe. The concept of “many eyes find security issues” has been getting less reliable as more open-source code has been built and malware authors have gotten better at hiding the true intentions of their code using obfuscation. Often the applications you suspect the least are prime targets for adversaries to attack you.

Get behavioral-based endpoint protection purpose-built for Mac.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.