XcodeSpy macOS Malware Targets Xcode Developers with EggShell Backdoor

Cybersecurity researchers have recently detected new malware that targets Xcode developers by abusing the platform's scripting capabilities to install a backdoor on macOS.

Xcode is a free application development environment produced by Apple that enables developers to build applications for macOS, iOS, tvOS, and watchOS.

Researchers at SentinelLabs have also confirmed that threat actors are abusing the IDE's "Run Script" feature to poison Xcode projects that are shared between two or more developers.

Abusing Run Script Functionality of Xcode

SentinelOne analysts identified a malicious version of the legitimate iOS "TabBarInteraction" Xcode project, which is being distributed in a supply-chain attack.

In this attack, the hackers copied the legitimate TabBarInteraction project and then added an obfuscated malicious 'Run Script' build phase to it.

This malicious version of the project has been dubbed 'XcodeSpy'. The EggShell backdoor it installs enables the hackers to upload files, download files, execute commands, and spy on a victim's microphone, camera, and keyboard activity.

So far, SentinelOne is aware of only one in-the-wild victim of this attack, and it is still not clear how the malicious Xcode project was being distributed.

Windows Developers Are Also Targeted by Malicious Dev Projects

Malicious development projects have also been used to target Windows developers. In January, Google revealed that the North Korean Lazarus hacking group had been conducting a social engineering campaign against security researchers.

To carry out this attack, the hackers created fake online 'security researcher' personas, which were used to contact real security researchers and propose collaboration on vulnerability and exploit development.

As part of this collaboration, the threat actors sent malicious Visual Studio projects that install custom backdoors on the researcher's computer when the project is built.

Detection and Mitigation

The researchers also note that the C2 servers, path names, and encrypted strings are highly customizable and easy to change, so they are likely only useful as indicators of past tradecraft for these particular samples.

A behavioral detection solution is therefore required to adequately detect the presence of XcodeSpy payloads. Users who want to check their own machines should first change into the parent folder in which they keep all their Xcode projects before running the command.
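As an added illustration of the kind of check described above (example code written for this article, not SentinelOne's tool or command), the following Python script walks a folder of Xcode projects, pulls every Run Script build phase out of each project.pbxproj, and flags phases containing markers typically seen in obfuscated payload loaders. The marker list, the heuristic itself and the sample project text are assumptions made here for demonstration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers (assumed here, not from the report) common in obfuscated Run Script phases.
SUSPICIOUS = ("eval", "base64", "osascript", "curl ", "python -c", "/tmp/")
# Matches the shellScript = "..." entry of a PBXShellScriptBuildPhase in project.pbxproj.
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Constructed sample: one benign Run Script phase and one obfuscated phase.
SAMPLE_PBXPROJ = '''/* Begin PBXShellScriptBuildPhase section */
    AA11 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "echo \\"Build complete\\"\\n";
    };
    BB22 /* Run Script */ = {
        isa = PBXShellScriptBuildPhase;
        shellScript = "eval \\"$(echo aGVsbG8= | base64 -d)\\"\\n";
    };
/* End PBXShellScriptBuildPhase section */'''

def extract_run_scripts(pbxproj_text):
    """Return the unescaped shellScript values found in project.pbxproj text."""
    unescape = lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1))
    return [re.sub(r"\\(.)", unescape, m.group(1)) for m in SCRIPT_RE.finditer(pbxproj_text)]

def score_script(script):
    """Return the suspicious markers present in one Run Script phase ([] if clean)."""
    lowered = script.lower()
    return [marker for marker in SUSPICIOUS if marker in lowered]

def scan_projects(root):
    """Walk root for project.pbxproj files; report every Run Script phase with markers."""
    findings = []
    for path in Path(root).rglob("project.pbxproj"):
        for script in extract_run_scripts(path.read_text(errors="replace")):
            markers = score_script(script)
            if markers:
                findings.append({"file": str(path), "markers": markers, "script": script.strip()})
    return findings

def scan_sample():
    """Write the constructed sample into a temp .xcodeproj and scan it (1 finding expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "TabBarInteraction.xcodeproj"
        proj.mkdir()
        (proj / "project.pbxproj").write_text(SAMPLE_PBXPROJ)
        return scan_projects(tmp)
```

Run `scan_projects` against the parent folder holding your Xcode projects; any flagged phase should be read in full before the project is built, since a Run Script phase executes as soon as the build runs.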

XcodeSpy takes the form of a trojanized Xcode project, which makes it lighter and easier to distribute than a trojanized copy of the full Xcode IDE.

Although the analysts have not disclosed the victim's identity, citing confidentiality, they note that the company has been repeatedly attacked by North Korean APT hacker groups.

The observed XcodeSpy activity took place between July and October 2020, and SentinelOne has suggested, pointing to developers in Asia, that many other companies have likely been attacked as well.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
