Xcode is a free application development environment that was created by Apple and that allows developers to create apps that run on macOS, iOS, tvOS, and watchOS. 

How did the hackers make use of Xcode?

The hackers are developing malicious versions of popular projects in the hope they will be included in other developer’s applications; this way, when the original applications are compiled, the malicious component is likely to infect their computer in a supply-chain attack.

The threat actors have cloned the legitimate TabBarInteraction project and added a malicious ‘Run Script’ to the project therefore when a project is built, Xcode will automatically execute the Run Script in order to open a remote shell on the threat actor’s server, 

“The script creates a hidden file called .tag in the /tmp directory, which contains a single command: mdbcmd. This in turn is piped via a reverse shell to the attackers C2,” SentinelOne researcher Phil Stokes explains in a new report.

Researchers at SentinelOne who learned of this malicious project stated that, at this moment, the command and control server is no longer available, so we are unable to pinpoint what actions were actually performed.

“By the time we discovered the malicious Xcode project, the C2 at cralev[.]me was already offline so it was impossible to directly determine the result of the mdbcmd command. Fortunately there are two samples of the EggShell backdoor on VirusTotal that contain the telltale XcodeSpy string /private/tmp/.tag.” 


Open source Xcode projects can be found on GitHub, but, in this case, XcodeSpy projects are offering “advanced features” for animating iOS tab bars, therefore after the initial build is downloaded and launched, a malicious script is deployed to also add the EggShell backdoor. 

We don’t have any data on the distribution and that’s something we’d very much like to hear more about from the wider community. Part of our motivation for making the above public at this moment is to raise awareness and see if more of the missing details come to light from the exposure. 


What other systems were targeted by similar attacks?

Google declared that in January this year the North Korean Lazarus hacking group was leading attacks against security researchers.

The threat actors created online ‘security researcher’ personas that were used for contacting security researchers for specific collaboration on vulnerability and exploit development. 

After starting the collaboration, the attackers sent malicious Visual Studio Projects that installed custom backdoors on the researcher’s computers when built.

A safer way to approach this type of situation would be for the developers to analyze third-party packages for building scripts that are executed when the project is compiled, and if anything looks suspicious, developers should not use the package.

What Is a Supply Chain Attack?

The Lazarus Group Used Custom Malware to Target Defense Industry

Heimdal Security Is Nominated for Anti Malware Solution of the Year

Leave a Reply

Your email address will not be published. Required fields are marked *