Jeremys
The XcodeSpy malware consists of a Run Script added to the legitimate Xcode project TabBarInteraction.
Researchers at the security company SentinelOne have described a new macOS malware family that is used to attack iOS developers through trojanized Xcode projects.
XcodeSpy consists of a Run Script build phase added to a legitimate Xcode project called TabBarInteraction. The malicious script runs every time the Xcode project is built; it installs a LaunchAgent so that it survives a system reboot, and then fetches a secondary payload, the EggShell macOS backdoor.
According to the analysts who examined the backdoor, EggShell can record audio from the victim's microphone, capture video, and log keystrokes. It can also upload and download files.
Although the command-and-control infrastructure used by XcodeSpy had already been disabled, SentinelOne researcher Phil Stokes was able to find several EggShell backdoor samples uploaded to VirusTotal.
Stokes first learned of the backdoor from an anonymous researcher who had found it on the network of a US company. Representatives of that company say it is regularly targeted by North Korean APT groups, and EggShell was discovered during a routine sweep of the network for signs of North Korean intrusion. As Stokes notes, however, the researchers could not definitively tie EggShell to those North Korean groups.
Based on the information gathered during the investigation, the researchers believe the attackers were active from July to October 2020 and mainly targeted developers in Asia.
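Since the infection vector described above is a Run Script build phase inside the project file itself, a developer can list those phases and read them before building a project pulled from an untrusted source. The Python below is an added example, not SentinelOne's or the TabBarInteraction project's code; the project.pbxproj fragment is constructed, and the only heuristic is the LaunchAgent persistence the article describes.

```python
import re
from typing import Dict, List

# Constructed project.pbxproj fragment (Xcode's OpenStep-style plist). The
# first script is an inert stand-in that merely mentions the LaunchAgents
# path, so the check has something to flag; it is not the XcodeSpy script.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AA11 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellScript = "echo \"would touch ~/Library/LaunchAgents\"\n";
        };
        BB22 /* SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            name = "SwiftLint";
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# XcodeSpy's Run Script installs a LaunchAgent; a build script touching that
# mechanism deserves a human look, though it is not proof of compromise.
PERSISTENCE_HINTS = ("LaunchAgents", "launchctl")

# One pbxproj object: ID, optional /* comment */, and a brace-delimited body.
OBJECT_RE = re.compile(r'(\w+)\s*(?:/\*\s*(.*?)\s*\*/)?\s*=\s*\{(.*?)\};', re.DOTALL)
# The quoted shellScript value, honouring backslash escapes inside it.
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.DOTALL)


def _unescape(s: str) -> str:
    """Decode the backslash escapes pbxproj uses in quoted strings."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def find_run_scripts(pbxproj: str) -> List[Dict[str, object]]:
    """List every Run Script build phase with its decoded shell script."""
    found = []
    for obj_id, comment, body in OBJECT_RE.findall(pbxproj):
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue  # other object kinds (targets, file refs) are irrelevant
        m = SCRIPT_RE.search(body)
        script = _unescape(m.group(1)) if m else ""
        found.append({"id": obj_id, "name": comment or obj_id, "script": script,
                      "suspicious": any(h in script for h in PERSISTENCE_HINTS)})
    return found


if __name__ == "__main__":
    for phase in find_run_scripts(SAMPLE_PBXPROJ):
        flag = "REVIEW" if phase["suspicious"] else "ok"
        print(f"[{flag}] {phase['name']} ({phase['id']}):\n{phase['script']}")
```

To check a real project, read `YourApp.xcodeproj/project.pbxproj` into a string and pass it to `find_run_scripts`; any phase marked for review should be read in full before the first build.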