iOS Developers Targeted With New XcodeSpy macOS Malware (therecord.media)
Security researchers have uncovered a new type of macOS malware that has been used in the wild to attack iOS software developers through trojanized Xcode projects. From a report: Named XcodeSpy, the malware consists of a malicious Run Script that was added to a legitimate Xcode project named TabBarInteraction. Security firm SentinelOne, which analyzed the malware in a report published today and shared with The Record, said the malicious script ran every time the Xcode project was built, installing a LaunchAgent for reboot persistence and then downloading a second payload, a macOS backdoor named EggShell. "The backdoor has functionality for recording the victim's microphone, camera and keyboard, as well as the ability to upload and download files," said Phil Stokes, macOS malware researcher at SentinelOne.
While the XcodeSpy server infrastructure that controlled the LaunchAgent was down, Stokes said they were able to discover several instances of the EggShell backdoor uploaded on the VirusTotal web-based malware scanner. Stokes said SentinelOne first learned of this malware following a tip from an anonymous researcher, who found an instance of the EggShell backdoor on the network of a US-based company. "The victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities," Stokes said, but the researcher told The Record they were not able to definitively link the malware to a nation-state operation beyond a reasonable doubt.
Here's the command to check (Score:5, Informative)
From the article, if you want to check for this as well:
find . -name "project.pbxproj" -print0 | xargs -0 awk '/shellScript/ && /eval/{print "\033[37m" $0 "\033[31m" FILENAME}'
It's looking specifically for the problematic runscript, not just any project with a runscript...
It is a really good reminder that if you ever download a sample application to run from Xcode, you should check if it has any runscripts, and what they do.
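As an added example (not from the article or the comment above), the same check in Python: it parses the Run Script build phases out of each project.pbxproj and flags scripts that contain `eval` (what the awk one-liner keys on) or that reference LaunchAgents (the persistence mechanism the article describes). The sample pbxproj fragment is constructed, and the indicator list is an assumption, not SentinelOne's signature.

```python
import codecs
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed project.pbxproj fragment: one benign Run Script build phase
# and one that evals a dynamically produced string (a stand-in for an
# obfuscated Run Script; the real XcodeSpy script is not reproduced here).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "swiftlint --strict\n";
		};
		AA02 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo $PAYLOAD)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# pbxproj stores the script as a double-quoted string with backslash escapes.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)
# Assumed indicators: eval (from the one-liner) and LaunchAgents (persistence).
SUSPICIOUS = ("eval", "LaunchAgents")

def run_scripts(pbxproj_text: str) -> List[str]:
    """Return every Run Script body in a pbxproj, with escapes resolved."""
    return [codecs.decode(raw, "unicode_escape")
            for raw in SHELL_SCRIPT_RE.findall(pbxproj_text)]

def flag_suspicious(pbxproj_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, script) pairs for scripts matching any indicator."""
    hits = []
    for script in run_scripts(pbxproj_text):
        matched = next((t for t in SUSPICIOUS if t in script), None)
        if matched:
            hits.append((matched, script))
    return hits

def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a directory of Xcode projects and report flagged Run Scripts."""
    results = {}
    for path in Path(root).rglob("project.pbxproj"):
        hits = flag_suspicious(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    for token, script in flag_suspicious(SAMPLE_PBXPROJ):
        print(f"[{token}] {script.strip()}")
```

A hit means the script needs to be read by a human, not that the project is malicious; plenty of legitimate build scripts use eval.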
Re: (Score:1)
Also from the article:
"The SentinelOne team has also made available a simple terminal command that can help macOS software devs find traces of malicious XcodeSpy Run Scripts in their projects."
They know their audience, "software devs" like SuperKendall, are incapable of doing this on their own. Really sophisticated stuff.
The Record? (Score:2)
Is that a journal, or a singer, or something on the calendar? I've been confused ever since The Weeknd arrived on the scene.
Neo-APT cyber waffle (Score:1)