Friday, March 29, 2024

macOS Malware XcodeSpy Targets Xcode Developers with EggShell Backdoor

Cybersecurity researchers have recently detected new malware that targets Xcode developers by abusing the platform's scripting capabilities to install a backdoor on macOS.

Xcode is Apple's free application development environment; it lets developers build applications that run on macOS, iOS, tvOS, and watchOS.

SentinelLabs researchers have also confirmed that the threat actors abuse the IDE's "Run Script" feature to poison Xcode projects that are shared between two or more developers.

Abusing Run Script Functionality of Xcode

SentinelOne analysts identified a malicious version of the legitimate iOS "TabBarInteraction" Xcode project, which is being distributed in a supply-chain attack.

In this attack, the hackers copied the legitimate TabBarInteraction project and added an obfuscated, malicious 'Run Script' build phase to it.

This malicious version of the project has been dubbed 'XcodeSpy'. The EggShell backdoor it installs enables the attackers to upload files, download files, execute commands, and snoop on a victim's microphone, camera, and keyboard activity.

SentinelOne is aware of only one in-the-wild victim of this attack so far, and it is still unclear how the malicious Xcode project was being distributed.

Windows Is Also Targeted Through Dev Projects

Malicious development projects have also been used to target Windows developers. In January, Google revealed that the North Korean Lazarus hacking group had been running a social engineering campaign against cybersecurity researchers.

To carry out this attack, the hackers created fake online 'security researcher' personas, which were used to contact real security researchers and propose collaboration on vulnerability and exploit development.

As part of this collaboration, the threat actors sent malicious Visual Studio projects that installed custom backdoors on the researchers' computers when built.

Detection and Mitigation

The researchers noted that the C2s, path names, and encrypted strings are all highly customizable and easy to change, so they may only be useful as indicators of compromise for these particular samples.

A behavioral detection approach is therefore required to reliably detect the presence of XcodeSpy payloads. Users should also change to the parent folder in which they keep all of their Xcode projects before running the command.
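As an added example (not from the article and not SentinelOne's published detection), the following scan walks the parent folder of your Xcode projects and flags Run Script build phases whose project.pbxproj entries eval a dynamically built or base64-decoded command; the regex, the indicator list and the sample project fragment are constructed assumptions.

```python
import re
import sys
from pathlib import Path

# Constructed heuristic: pull every shellScript string (the backing store of a
# "Run Script" build phase) out of project.pbxproj.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)

# Traits of a build phase that hides what it runs (assumed indicators, not exhaustive).
SUSPICIOUS = [
    (r'\beval\b', 'eval of a dynamically built command'),
    (r'base64\s+(-D|-d|--decode)', 'base64-decoded payload'),
    (r'\bcurl\b|\bwget\b', 'network download at build time'),
]

def decode_pbxproj_string(s: str) -> str:
    """Undo the escaping pbxproj applies inside quoted strings."""
    return s.replace('\\n', '\n').replace('\\"', '"').replace('\\\\', '\\')

def scan_pbxproj_text(text: str):
    """Return [(script, [reasons])] for every Run Script phase in one pbxproj."""
    findings = []
    for m in SHELL_SCRIPT_RE.finditer(text):
        script = decode_pbxproj_string(m.group(1)).strip()
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, script)]
        findings.append((script, reasons))
    return findings

def scan_tree(root: str):
    """Walk the parent folder holding your Xcode projects; keep only flagged phases."""
    return [(str(p), script, reasons)
            for p in Path(root).rglob('project.pbxproj')
            for script, reasons in scan_pbxproj_text(p.read_text(errors='replace'))
            if reasons]

# Constructed sample pbxproj fragment: a benign phase, then one that evals a
# base64-decoded string (the encoded text is just "echo hello").
SAMPLE_PBXPROJ = r'''
    A1 /* Run Script */ = { isa = PBXShellScriptBuildPhase;
        shellScript = "echo \"Build number: $CURRENT_PROJECT_VERSION\"\n"; };
    B2 /* Run Script */ = { isa = PBXShellScriptBuildPhase;
        shellScript = "eval \"$(echo ZWNobyBoZWxsbwo= | base64 -D)\"\n"; };
'''

if __name__ == '__main__':
    # Run stand-alone from the parent folder of your projects, or pass a path.
    for path, script, reasons in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print(f'{path}: {", ".join(reasons)}\n    {script}')
```

A hit only means the phase deserves a manual look; plenty of legitimate projects download dependencies or decode strings at build time.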

XcodeSpy takes the form of a trojanized Xcode project, which makes it far lighter and easier to deliver than a trojanized copy of the full Xcode IDE.

While the analysts have not disclosed the victim's identity, for reasons of confidentiality, the company in question has been attacked repeatedly by North Korean APT hacker groups.

The threat actors' use of XcodeSpy took place between July and October 2020, and SentinelOne has cautioned developers in Asia, concluding that many other companies have likely been attacked as well.

Author: Guru baran (https://gbhackers.com)

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.