Infections are propagating via Xcode developer projects, researchers noted; the cybercriminals behind the campaign are injecting the malware into them, according to Trend Micro. Xcode consists of a suite of free, open software development tools developed by Apple for creating software for macOS, iOS, iPadOS, watchOS and tvOS. Thus, any apps built on top of the projects automatically include the malicious code.
The initial discovery of the threat came when it was discovered that developer’s Xcode project at large, contained the source malware — which leads to a rabbit hole of malicious payloads, according to an analysis [PDF] from Trend Micro, released on Friday. “The threat escalates when affected developers share their projects via platforms such as GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects. This threat exists in other sources including VirusTotal and Github, which indicates this threat is at large.”
The initial payload tucked into the projects comes in the form of a Mach-O executable. The researchers were able to trace an infected project’s Xcode work data files and found a hidden folder containing Mach-O, located in one of the .xcodeproj files.
When executed, the Mach-O malware connects to a hardcoded command-and-control (C2) server address, and begins to take screenshots of the current desktop at the rate of once a minute; once a new screenshot is taken, the previous one is deleted, the analysis noted.
However, Mach-O’s main purpose is to download and run the second-stage payload, an AppleScript file called main.scpt, which carries out most of the malicious behavior.
The research noted that when the “Main” payload is executed, it first harvests basic system information of the infected user, then kills certain running processes if present, including various browsers (Opera, Edge, Firefox, Yandex and Brave) as well as “com.apple.core,” “com.oracle.java” and others.
The payload then gets down to real business, obtaining and compiling malicious code into a Mac app package. The package name is mapped to an installed, well-known application name, such as Safari. Researchers detailed that it then replaces the app’s corresponding icon file and “Info.plist” to make the fake app look like a real, normal app –and thus, users go to open the normal app, the malicious one opens instead.
According to the analysis, when opened, the fake app package’s malicious capabilities are then executed, in the form of deploying a raft of modules used for various goals: Taking over browsers; stealing information from installed apps including Evernote, Skype and Telegram; and spreading to other hosts. It also has ransomware modules that it can deploy and dozens of other capabilities. Below is a partial list: