We recently learned of a trojanized Xcode project in the wild targeting iOS developers, thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate open source project available on GitHub, which offers iOS developers several advanced features for animating the iOS tab bar based on user interaction. The XcodeSpy version, however, has been subtly changed to run an obfuscated Run Script when the developer's build target is launched.
XcodeSpy takes advantage of an IDE feature that allows a script to run when an instance of the application is launched. That script downloads a variant of the EggShell backdoor onto the machine, giving the attacker access to the victim's microphone, camera and keyboard, as well as the ability to upload and download files. According to SentinelLabs, the payload used in this attack was first detected in early September 2020, when it was uploaded to VirusTotal, shortly after the first of its C2 servers appeared.
XcodeSpy masquerades as a genuine Xcode project in order to abuse the Run Script feature of the Xcode IDE once the project is built on the victim's computer. Two variants of the malware have already been discovered, and it is suspected to have been spreading between July and October of last year. The full scope and the number of infected computers are still unknown, but both could be considerable, and more variants may yet be discovered.
SentinelLabs also believes there are likely further, as yet unidentified, XcodeSpy variants designed to complicate detection and spread the malware as widely as possible to the largest number of Macs. What is most striking is the choice of Apple developers as the targets of the attack. Although only a relatively small number of them appear to have been affected, all company developers are advised to check their computers for malicious code since, as we have seen, this threat can record the victim's microphone, camera and keyboard and upload or download files.
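One practical way to act on that advice is to audit the Run Script build phases in a project's project.pbxproj before building it. The following added example (not from the original article, SentinelLabs, or the trojanized project) parses the PBXShellScriptBuildPhase section and flags scripts with traits typical of obfuscated stagers; the sample project file, its phase IDs and its build scripts are constructed for illustration.

```python
import re

# Constructed PBXShellScriptBuildPhase section of an Xcode project.pbxproj.
# Not from any real project: the second phase stands in for an obfuscated
# Run Script, and its base64 decodes to a harmless echo.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "swiftlint --config .swiftlint.yml\n";
        };
        C3D4 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo ZWNobyBoZWxsbyBmcm9tIHRoZSBidWlsZCBwaGFzZQ== | base64 -D)\"\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

SECTION_RE = re.compile(r'/\* Begin PBXShellScriptBuildPhase section \*/(.*?)'
                        r'/\* End PBXShellScriptBuildPhase section \*/', re.S)
# Xcode writes each phase as `ID /* name */ = { ... };`; the script is a quoted
# string in which double quotes and newlines are backslash-escaped.
PHASE_RE = re.compile(r'(\w+) /\* (.*?) \*/ = \{(.*?)\n\s*\};', re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

# Traits of a stager-like or obfuscated build script: heuristics, not a signature.
INDICATORS = {
    'decodes base64 at build time': re.compile(r'base64\s+(-d|-D|--decode)'),
    'uses eval': re.compile(r'\beval\b'),
    'pipes a download into an interpreter': re.compile(r'(curl|wget)\b.*\|\s*(sh|bash|zsh|python)'),
    'contains a long opaque token': re.compile(r'[A-Za-z0-9+/=]{32,}'),
}

def extract_run_scripts(pbxproj: str) -> dict:
    # Map each Run Script phase ID to its unescaped shell script.
    scripts = {}
    for section in SECTION_RE.findall(pbxproj):
        for phase_id, _name, body in PHASE_RE.findall(section):
            m = SCRIPT_RE.search(body)
            if 'isa = PBXShellScriptBuildPhase;' in body and m:
                scripts[phase_id] = m.group(1).replace(r'\"', '"').replace(r'\n', '\n')
    return scripts

def audit_run_scripts(pbxproj: str) -> dict:
    # Return {phase_id: [indicator, ...]} for scripts that deserve a human look.
    findings = {}
    for phase_id, script in extract_run_scripts(pbxproj).items():
        hits = [label for label, rx in INDICATORS.items() if rx.search(script)]
        if hits:
            findings[phase_id] = hits
    return findings
```

Run `audit_run_scripts` over the `project.pbxproj` of any project pulled from GitHub before opening it in Xcode; a hit does not prove malice, but it tells you which script to read by hand before building.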