<h1>XcodeSpy Malware</h1>
<p>mjtsai.com, March 19, 2021: <a href="https://mjtsai.com/blog/2021/03/19/xcodespy-malware/">https://mjtsai.com/blog/2021/03/19/xcodespy-malware/</a></p>
<p><a href="https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/">Phil Stokes</a> (via <a href="https://twitter.com/objective_see/status/1372786182644371459">Patrick Wardle</a>, <a href="https://www.macrumors.com/2021/03/18/xcodespy-malware-targeting-apple-developers/">MacRumors</a>):</p>
<blockquote cite="https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/">
<p>Threat actors are abusing the Run Script feature in Apple’s Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects.</p>
<p>XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism.</p>
<p>The backdoor has functionality for recording the victim’s microphone, camera and keyboard, as well as the ability to upload and download files.</p>
<p>[…]</p>
<p>The sample we analyzed used a copy of a legitimate open-source project that can be found on Github called <a href="https://github.com/potato04/TabBarInteraction">TabBarInteraction</a>.</p>
</blockquote>
<p><a href="https://www.zdziarski.com/blog/?p=5009">Jonathan Zdziarski</a> (in 2015, via <a href="https://twitter.com/0xmachos/status/1372669036476174344">mikey</a>):</p>
<blockquote cite="https://www.zdziarski.com/blog/?p=5009">
<p>Early this morning, The Intercept <a href="https://firstlook.org/theintercept/documents/">posted several documents</a> pertaining to CIA’s research into compromising iOS devices (along with other things) through Sandia National Laboratories, a major research and development contractor to the government. The documents outlined a number of project talks taking place at a closed government conference referred to as the Jamboree in 2012.</p>
<p>[…]</p>
<p>Strawhorse, a malicious implementation of Xcode, where App Store developers (likely not suspected of any crimes) would be targeted, and their dev machines backdoored to give CIA injection capabilities into compiled applications. The malicious Xcode variant was capable of stealing the developer’s private codesign keys, which would be smuggled out with compiled binaries. It would also disable securityd so that it would not warn the developer that this was happening. The stolen keys could later be used to inject and sign payloads into the developer’s own products without their permission or knowledge, which could then be widely disseminated through the App Store channels. This could include trojans or watermarks, as the document suggests. With the developer keys extracted, binary modifications could also be made at a later time, if such an injection framework existed.</p>
<p>In spite of what The Intercept wrote, there is no evidence that Strawhorse was slated for use en masse, or that it even reached an operational phase.</p>
</blockquote>
<p>Previously:</p>
<ul>
<li><a href="https://mjtsai.com/blog/2020/08/14/xcsset-mac-malware/">XCSSET Mac Malware</a></li>
</ul>
<p>Tags: Central Intelligence Agency (CIA), Mac, macOS 11.0, malware, programming, security, Xcode</p>
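<p>The Run Script abuse Stokes describes works because Xcode executes a project’s shell-script build phases as part of a normal build, so the practical check before building a project someone shared is to read those phases first. The following audit script is an added example, not code from the post or from SentinelOne’s analysis: it parses the PBXShellScriptBuildPhase objects out of a project.pbxproj (the OpenStep-style plist Xcode writes) and flags scripts matching a list of indicators that is assumed here as a starting point, not derived from any specific sample. The embedded project.pbxproj fragment, including its “Run Script” phase, is constructed for illustration and is not XcodeSpy’s actual script.</p>

```python
"""Audit the Run Script build phases of an Xcode project.pbxproj before building.
Xcode runs every PBXShellScriptBuildPhase on build, so read a shared project first.
Added example: parser, indicator list and sample project text are constructed here
and are not SentinelOne's analysis tooling or XcodeSpy's script."""
import re
import sys

# Heuristic indicators, assumed here as a starting list: (label, regex over the script).
SUSPICIOUS_PATTERNS = [
    ("base64 decode", r"base64\s+(-d|--decode|-D)\b"),
    ("eval of generated text", r"\beval\b"),
    ("download at build time", r"\b(curl|wget)\b"),
    ("LaunchAgent/launchctl persistence", r"LaunchAgents|\blaunchctl\b"),
    ("backgrounded command", r"&\s*$|\bnohup\b"),
]
# Object header in the OpenStep-style plist: 24-hex ID, optional /* name */, "= {".
OBJ_START = re.compile(r"([0-9A-F]{24})\s*(?:/\*\s*(.*?)\s*\*/)?\s*=\s*\{")

def _block_end(text, i):
    """Index just past the '}' closing the object opened before text[i]; quoted
    strings and comments are skipped so ${HOME} in a script cannot unbalance it."""
    depth = 1
    while i < len(text) and depth:
        c = text[i]
        if c == '"':
            i += 1
            while i < len(text) and text[i] != '"':
                i += 2 if text[i] == "\\" else 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = len(text) if j < 0 else j + 1
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        i += 1
    return i

def _value(block, key):
    """Value of `key = value;` in an object body: bare, or quoted and unescaped."""
    m = re.search(r'\b' + key + r'\b\s*=\s*("((?:[^"\\]|\\.)*)"|[^;\s]+)\s*;', block)
    if not m:
        return None
    if m.group(2) is None:
        return m.group(1)
    return re.sub(r"\\(.)", lambda e: {"n": "\n", "t": "\t"}.get(e.group(1), e.group(1)), m.group(2))

def find_script_phases(pbxproj_text):
    """Every PBXShellScriptBuildPhase as a dict, with the indicators its script matches."""
    phases = []
    for m in OBJ_START.finditer(pbxproj_text):
        block = pbxproj_text[m.end():_block_end(pbxproj_text, m.end())]
        if _value(block, "isa") != "PBXShellScriptBuildPhase":
            continue
        script = _value(block, "shellScript") or ""
        phases.append({
            "id": m.group(1),
            "name": _value(block, "name") or m.group(2) or "(unnamed)",
            "shell": _value(block, "shellPath") or "/bin/sh",
            "script": script,
            "hits": [label for label, pat in SUSPICIOUS_PATTERNS
                     if re.search(pat, script, re.MULTILINE)],
        })
    return phases

def report(phases):
    """Audit lines: verdict and shell, matched indicators, then the script itself."""
    lines = []
    for p in phases:
        lines.append(f"[{'SUSPICIOUS' if p['hits'] else 'ok'}] {p['id']} {p['name']!r} via {p['shell']}")
        lines += [f"    indicator: {h}" for h in p["hits"]]
        lines += [f"    | {src}" for src in p["script"].rstrip("\n").splitlines()]
    return lines

# Constructed project.pbxproj fragment: an ordinary lint phase and a stand-in for an
# obfuscated stager (not XcodeSpy's actual script).
SAMPLE_PBXPROJ = r"""{
    objects = {
        1A2B3C4D5E6F708192A3B4C5 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Lint";
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        5E6F708192A3B4C5D6E7F801 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "mkdir -p \"${HOME}/Library/LaunchAgents\"\neval \"$(echo \"${STAGE_B64}\" | base64 --decode)\" &\n";
        };
    };
}"""

def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_PBXPROJ
    phases = find_script_phases(text)
    print("\n".join(report(phases)) or "no Run Script phases found")
    return 1 if any(p["hits"] for p in phases) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>Run it as <code>python audit_pbxproj.py Some.xcodeproj/project.pbxproj</code> (the file name is arbitrary); without an argument it audits the embedded sample and exits non-zero because the second phase matches. The indicators are heuristics only: a lint or code-generation phase can legitimately download a tool or background a process, and an attacker can avoid every pattern here, so the output always prints each script in full for a human read and the exit status merely shortcuts the obvious cases.</p>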