macOS malware Targets XcodeSpy Targets Xcode Developers with EggShell Backdoor

Recently, the cybersecurity researchers have detected a new malware that is targeting the Xcode developers by adopting the platform’s scripting abilities so that it can install a backdoor on macOS.

Xcode is a free application development environment that is produced by Apple, and it enables the developers to construct different applications that operate on macOS, iOS, tvOS, and watchOS. 

Not only this but the cybersecurity researchers of SentinelLabs have also affirmed that, the threat actors are exploiting the “Run Script” feature in the IDE to poison Xcode projects that are shared between any two or more developers.

Abusing Run Script Functionality of Xcode

The cybersecurity analyst of SentinelOne has identified a malicious version of the authorized iOS “TabBarInteraction” Xcode project and this project is being disseminated in a supply-chain attack.

However, in this attack, all the hackers have copies of the legitimate TabBarInteraction design and later the hackers have combined a confused malicious ‘Run Script’ script.

This malicious version of the project has been dubbed as’XcodeSpy’. Moreover, the EggShell backdoor enables the hackers to upload files, download files, execute commands, and snoop on a victim’s microphone, camera, and keyboard activity.

Apart from this, the SentinelOne is the only cybersecurity firm that is aware of the only one-in-the-wild victim of this attack, and it is still not clear that how the malicious Xcode project was being disseminated.

Windows is also targeted by the Dev projects

These malicious development projects are often used to target Windows developers. And recently, in the month of January Google has revealed that the North Korean Lazarus hacking group has been conducting a social engineering attack upon all the cybersecurity researchers.

All the hackers have designed online ‘security researchers’ to execute this attack, the personas are being used to contact security researchers for collaboration on vulnerability and exploit advancement.

However, in this collaboration, the threat actors sent different malicious Visual Studio Projects that generally install the custom backdoors on the researcher’s computers when created.

Detection and Mitigation

Moreover, the cybersecurity experts asserted that all C2s, path names, and encrypted strings are extremely customizable and straightforward to change. That’s why all these may only be helpful as symbols of the past trade-offs for all these particular samples. 

But, a behavioral discovery clarification is always required to adequately detect the proximity of XcodeSpy payloads. Not only this but all the users should switch to the relevant parent folder in which they collect all the Xcode projects before running the command.

The XcodeSpy simply adopts the form of a trojanized Xcode project, and that’s why it makes the whole function lighter and easier to administer rather than a full version of the Xcode IDE. 

While the damage position has not been revealed yet by the analysts, thus from the view of confidentiality, the company has been frequently attacked by North Korean APT hacker groups.

Furthermore, the threat actors are using XcodeSpy that took place in July-October 2020, and SentinelOne has suggested the developers in Asia by concluding that there are many other different companies that have been attacked.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago