Friday, June 14, 2024

macOS malware Targets XcodeSpy Targets Xcode Developers with EggShell Backdoor

Recently, the cybersecurity researchers have detected a new malware that is targeting the Xcode developers by adopting the platform’s scripting abilities so that it can install a backdoor on macOS.

Xcode is a free application development environment that is produced by Apple, and it enables the developers to construct different applications that operate on macOS, iOS, tvOS, and watchOS. 

Not only this but the cybersecurity researchers of SentinelLabs have also affirmed that, the threat actors are exploiting the “Run Script” feature in the IDE to poison Xcode projects that are shared between any two or more developers.

Abusing Run Script Functionality of Xcode

The cybersecurity analyst of SentinelOne has identified a malicious version of the authorized iOS “TabBarInteraction” Xcode project and this project is being disseminated in a supply-chain attack.

However, in this attack, all the hackers have copies of the legitimate TabBarInteraction design and later the hackers have combined a confused malicious ‘Run Script’ script.

This malicious version of the project has been dubbed as’XcodeSpy’. Moreover, the EggShell backdoor enables the hackers to upload files, download files, execute commands, and snoop on a victim’s microphone, camera, and keyboard activity.

Apart from this, the SentinelOne is the only cybersecurity firm that is aware of the only one-in-the-wild victim of this attack, and it is still not clear that how the malicious Xcode project was being disseminated.

Windows is also targeted by the Dev projects

These malicious development projects are often used to target Windows developers. And recently, in the month of January Google has revealed that the North Korean Lazarus hacking group has been conducting a social engineering attack upon all the cybersecurity researchers.

All the hackers have designed online ‘security researchers’ to execute this attack, the personas are being used to contact security researchers for collaboration on vulnerability and exploit advancement.

However, in this collaboration, the threat actors sent different malicious Visual Studio Projects that generally install the custom backdoors on the researcher’s computers when created.

Detection and Mitigation

Moreover, the cybersecurity experts asserted that all C2s, path names, and encrypted strings are extremely customizable and straightforward to change. That’s why all these may only be helpful as symbols of the past trade-offs for all these particular samples. 

But, a behavioral discovery clarification is always required to adequately detect the proximity of XcodeSpy payloads. Not only this but all the users should switch to the relevant parent folder in which they collect all the Xcode projects before running the command.

The XcodeSpy simply adopts the form of a trojanized Xcode project, and that’s why it makes the whole function lighter and easier to administer rather than a full version of the Xcode IDE. 

While the damage position has not been revealed yet by the analysts, thus from the view of confidentiality, the company has been frequently attacked by North Korean APT hacker groups.

Furthermore, the threat actors are using XcodeSpy that took place in July-October 2020, and SentinelOne has suggested the developers in Asia by concluding that there are many other different companies that have been attacked.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles