XcodeSpy: macOS Malware Targets Xcode Developers with EggShell Backdoor

Cybersecurity researchers have detected a new piece of malware that targets Xcode developers, abusing the platform's scripting capabilities to install a backdoor on macOS.

Xcode is Apple's free application development environment; it lets developers build applications that run on macOS, iOS, tvOS, and watchOS.

Researchers at SentinelLabs have also confirmed that the threat actors abuse the IDE's "Run Script" feature to poison Xcode projects that are shared between developers.

Abusing Run Script Functionality of Xcode

SentinelOne analysts identified a malicious version of the legitimate iOS "TabBarInteraction" Xcode project, which is being distributed in a supply-chain attack.

In this attack, the attackers copied the legitimate TabBarInteraction project and added an obfuscated malicious "Run Script" build phase to it.

This malicious version of the project has been dubbed "XcodeSpy". The EggShell backdoor it installs lets the attackers upload and download files, execute commands, and spy on the victim's microphone, camera, and keyboard activity.

SentinelOne is aware of only one in-the-wild victim of this attack so far, and it is still unclear how the malicious Xcode project was distributed.

Windows Developers Are Also Targeted with Dev Projects

Malicious development projects are also used to target Windows developers. In January, Google revealed that the North Korean Lazarus hacking group had been running a social-engineering campaign against cybersecurity researchers.

The attackers created fake online "security researcher" personas and used them to approach real security researchers about collaborating on vulnerability and exploit development.

As part of that collaboration, the threat actors sent malicious Visual Studio projects that installed custom backdoors on the researchers' computers when built.

Detection and Mitigation

The researchers note that the C2s, path names, and encrypted strings are all highly customizable and trivial to change, so they are useful only as indicators of compromise for these particular samples.

A behavioral detection solution is therefore required to reliably detect XcodeSpy payloads. Developers should also change into the parent folder where they keep their Xcode projects before running the command.
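The "Run Script" build phase that the article describes above, and the parent-folder scan it recommends here, both come down to one file: each Xcode project stores its build phases in `project.pbxproj`, and a Run Script phase is a `PBXShellScriptBuildPhase` object whose `shellScript` string holds the script body. The following is an added example, not SentinelOne's published command and not code from the article: a POSIX shell scanner that walks a parent folder, pulls the `shellScript` strings out of every `project.pbxproj`, and flags the ones containing loader-style tokens. The token list, the `scan_pbxproj` and `make_sample_projects` names, and the two sample project fragments are constructed for illustration; the "suspicious" sample decodes to the literal string PLACEHOLDER and carries no payload.

```shell
#!/bin/sh
# Added example (not SentinelOne's published detection command).
# Scan a folder of Xcode projects for Run Script build phases whose
# script body looks like an obfuscated loader. The token list is an
# assumption for illustration, not an indicator list from the article.

SUSPICIOUS_TOKENS='eval|base64 (-d|--decode|-D)|curl |wget |xxd -r|openssl enc -d'

# scan_pbxproj DIR
#   Prints the path of every project.pbxproj under DIR whose
#   "shellScript = ..." line matches SUSPICIOUS_TOKENS.
scan_pbxproj() {
    find "$1" -name 'project.pbxproj' \
        -exec grep -lE "shellScript = .*($SUSPICIOUS_TOKENS)" {} + 2>/dev/null
}

# make_sample_projects BASE
#   Writes two constructed, minimal project.pbxproj fragments under BASE:
#   one with a benign lint step and one with an obfuscated Run Script.
make_sample_projects() {
    base="$1"
    mkdir -p "$base/CleanApp.xcodeproj" "$base/Suspicious.xcodeproj"
    cat > "$base/CleanApp.xcodeproj/project.pbxproj" <<'EOF'
/* Begin PBXShellScriptBuildPhase section */
    AA01 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "swiftlint --config .swiftlint.yml";
    };
/* End PBXShellScriptBuildPhase section */
EOF
    # "UExBQ0VIT0xERVI=" decodes to the string PLACEHOLDER; no real payload.
    cat > "$base/Suspicious.xcodeproj/project.pbxproj" <<'EOF'
/* Begin PBXShellScriptBuildPhase section */
    BB02 /* ShellScript */ = {
        isa = PBXShellScriptBuildPhase;
        shellPath = /bin/sh;
        shellScript = "eval \"$(echo UExBQ0VIT0xERVI= | base64 -d)\" &";
    };
/* End PBXShellScriptBuildPhase section */
EOF
}

# Stand-alone demo: build the constructed samples in a temp dir, scan, clean up.
# Against real projects, run:  scan_pbxproj ~/Projects
demo_dir=$(mktemp -d)
make_sample_projects "$demo_dir"
echo "Projects with suspicious Run Script phases under $demo_dir:"
scan_pbxproj "$demo_dir"
rm -rf "$demo_dir"
```

A match is a prompt to open the project's Build Phases tab and read the script, not proof of compromise; a legitimate project may well call `curl` in a Run Script phase. The scan is a first pass over projects pulled from outside the organization, to be followed by the behavioral detection the article calls for.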

Because XcodeSpy takes the form of a trojanized Xcode project rather than a full copy of the Xcode IDE, it is lighter and easier for the attackers to deliver and maintain.

For confidentiality reasons, the analysts have not identified the victim, but the affected company has been attacked repeatedly by North Korean APT groups.

The XcodeSpy attacks took place between July and October 2020. SentinelOne points to developers in Asia as likely targets and concludes that other companies have probably also been attacked.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
