Was the ‘XcodeSpy’ a Supply Chain Attack Attempt Against macOS?

  • Someone has launched a campaign distributing custom variants of the EggShell backdoor to macOS software developers.
  • The script that runs and tries to lace the target software is obfuscated, and its activity is hidden from the developer.
  • There are no indications that trojanized software has been released, but such builds could exist.

There’s a new macOS malware called XcodeSpy, targeting Xcode developers through a custom variant of the EggShell backdoor. The backdoor can record through the microphone and the camera of the infected device, log keystrokes, and upload or download files. Considering that the campaign specifically targeted developers, this was very possibly an attempt to launch a catastrophic supply chain attack against macOS, in the hope of spreading malware to millions of users.

The discovery and the detailed report come from SentinelLabs researchers, who sampled a malicious script that contacts the actors’ C2 and fetches the EggShell backdoor onto the developer’s machine. The researchers found that two separate variants were used, with slight differences in the encrypted strings for the various file paths.

The analysis indicates that the campaign ran between July and October 2020, targeting American and Asian developers. It is possible, though, that the time frame extends further in either direction.

Source: SentinelLabs

SentinelLabs couldn’t find any trojanized Xcode projects that had been released in the wild. Still, they may exist, so this report is meant to raise awareness and prompt developers to check their machines for EggShell infections. To do this, you can search the Run Script build phases of your Xcode projects for scripts that call eval by using the following command:

find . -name "project.pbxproj" -print0 | xargs -0 awk '/shellScript/ && /eval/{print "\033[37m" $0 "\033[31m" FILENAME}' 

If the scan finds any matching scripts, it prints each one together with the file it came from so you can inspect it thoroughly, so make sure to go through this step with the required care.
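The same check, written as a small Python script that can be run over a directory of Xcode projects, is added here as an example; it is not part of this article or of SentinelLabs’ report. It parses the shellScript entries of each project.pbxproj file, undoes the pbxproj string escaping, and reports every Run Script phase that calls eval. The sample pbxproj text embedded below is constructed for the demonstration and contains only placeholder values.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of the PBXShellScriptBuildPhase section of a project.pbxproj
# file. Identifiers and script contents are placeholders, not taken from any real
# project or from the XcodeSpy samples. The first phase calls eval, the second is
# an ordinary linter step.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA0000000000000000000001 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "eval \"$PLACEHOLDER_OBFUSCATED_SCRIPT\"\n";
			showEnvVarsInLog = 0;
		};
		AA0000000000000000000002 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "swiftlint lint --quiet\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# A shellScript value is a double-quoted pbxproj string; backslash escapes
# (\" and \n) may appear inside it, so match escaped pairs as single units.
SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')


def unescape_pbxproj(raw):
    """Turn the escaped pbxproj string into the script text that would run."""
    return raw.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")


def suspicious_run_scripts(pbxproj_text):
    """Return the decoded contents of every Run Script phase that uses eval."""
    hits = []
    for match in SHELL_SCRIPT_RE.finditer(pbxproj_text):
        script = unescape_pbxproj(match.group(1))
        # Same heuristic as the find/awk one-liner: a Run Script phase that
        # calls eval deserves a manual look.
        if re.search(r"\beval\b", script):
            hits.append(script)
    return hits


def scan_tree(root):
    """Walk a directory tree of Xcode projects; return {path: [scripts]} for hits."""
    findings = {}
    for pbx in Path(root).rglob("project.pbxproj"):
        scripts = suspicious_run_scripts(pbx.read_text(errors="replace"))
        if scripts:
            findings[str(pbx)] = scripts
    return findings


def demo():
    """Write the constructed sample into a temporary project and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "Demo.xcodeproj"
        project.mkdir()
        (project / "project.pbxproj").write_text(SAMPLE_PBXPROJ)
        findings = scan_tree(tmp)
        # Report the path relative to the scanned root so output is stable.
        return {str(Path(p).relative_to(tmp)): s for p, s in findings.items()}


if __name__ == "__main__":
    for path, scripts in demo().items():
        print(f"{path}:")
        for script in scripts:
            print("  " + script.strip().replace("\n", "\n  "))
```

Run it with the directory containing your projects as the root for scan_tree (for example scan_tree(Path.home() / "Developer")); every reported script should be read in full, since the one-liner above and this script only flag the use of eval and do not decide whether a script is malicious.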

Source: SentinelLabs

The actors are abusing a built-in feature of Apple’s IDE, the Run Script build phase, to run custom shell scripts and lace the target application. This happens without any visual indication in the console or the debugger, so an inexperienced developer may very easily miss it altogether.

To further disguise the malware, the actors copy legitimate open-source projects from GitHub and add the malicious script to them. By default, the Run Script panel is collapsed, which helps minimize the chances of the script being noticed.

Source: SentinelLabs

The payloads should be detectable by all AV solutions, as VirusTotal indicates, but macOS developers often don’t bother installing any security solution. According to SentinelLabs, the actors may themselves have uploaded the payloads to VirusTotal before they were seen in the wild, to check how well they evaded the various detection engines.
