Xcode is used by hackers as an attack vector to compromise Apple platform developers with a backdoor

Continue reading
Xcode is used by hackers as an attack vector to compromise Apple platform developers with a backdoor. The cybersecurity researchers uncovered this new trend of an attack last week on Thursday . This trend includes targeting developers and researchers with rogue attacks.
The trojanized Xcode project tracked “XcodeSpy” is actually a tainted version of a certain authorized, open-source project available on GitHub named TabBarInteraction which is made use of by developers to animate iOS tab bars based on user interaction.
"XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer's macOS computer along with a persistence mechanism," SentinelOne researchers stated.
Apple’s integrated development environment (IDE) for macOS, Xcode is used to develop software for maczos, iOS, watchOS, tvOS, and even iPadOS.
In this year itself, a North Korean attack targeted security researchers and exploit developers which involves the sending of a Visual Studio project crafted to load a rogue DLL on Windows systems. This was detected by Google’s Threat Analysis group. Xcode also does almost similar things, with only one difference and that is these attacks are specifically targeting the Apple developers.
"XcodeSpy takes advantage of a built-in feature of Apple's IDE which allows developers to run a custom shell script on launching an instance of their target application," the researchers said. "While the technique is easy to identify if looked for, new or inexperienced developers who are not aware of the Run Script feature are particularly at risk since there is no indication in the console or debugger to indicate execution of the malicious script."
XcodeSpy opts for a simple route as the aim seems to be to strike the developers themselves. However, the final goal behind the exploitation and the identity of the group behind it is still as unclear.
"Targeting software developers is the first step in a successful supply chain attack. One way to do so is to abuse the very development tools necessary to carry out this work," the researchers mentioned.
"It is entirely possible that XcodeSpy may have been targeted at a particular developer or group of developers, but there are other potential scenarios with such high-value victims. Attackers could simply be trawling for interesting targets and gathering data for future campaigns, or they could be attempting to gather AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures."

Backdoor.Daxin, the kernel-mode rootkit Symantec once called the most advanced tool ever tied to a China-linked espionage actor, has been found running again