Attackers are Trying Awfully Hard to Backdoor iOS Developers’ Macs
upstart writes in with an IRC submission:
Attackers are trying awfully hard to backdoor iOS developers' Macs:
Researchers said they've found a trojanized code library in the wild that attempts to install advanced surveillance malware on the Macs of iOS software developers.
It came in the form of a malicious project the attacker wrote for Xcode, a developer tool that Apple makes freely available to developers writing apps for iOS or another Apple OS. The project was a copy of TabBarInteraction, a legitimate open source project that makes it easier for developers to animate iOS tab bars based on user interaction. An Xcode project is a repository for all the files, resources, and information needed to build an app.
Alongside the legitimate code was an obfuscated script, known as a "Run Script." The script, which got executed whenever the developer build was launched, contacted an attacker-controlled server to download and install a custom version of EggShell, an open source back door that spies on users through their mic, camera, and keyboard.
Researchers with SentinelOne, the security firm that discovered the trojanized project, have named it XcodeSpy. They say they've uncovered two variants of the customized EggShell dropped by the malicious project. Both were uploaded to VirusTotal using the web interface from Japan, the first one on August 5 and the second one on October 13.
"The later sample was also found in the wild in late 2020 on a victim's Mac in the United States," SentinelOne researcher Phil Stokes wrote in a blog post Thursday. "For reasons of confidentiality, we are unable to provide further details about the ITW [in the wild] incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities."
So far, company researchers are aware of only one in-the-wild case, from a US-based organization. Indications from the SentinelOne analysis suggest the campaign was "in operation at least between July and October 2020 and may also have targeted developers in Asia."
Read more of this story at SoylentNews.
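The delivery mechanism described above (a Run Script build phase whose body Xcode executes every time the project is built) can be inspected statically before a cloned project is ever opened or built. The following Python script is an added example written for this page, not code from SentinelOne, Ars Technica or the TabBarInteraction project: it pulls every `PBXShellScriptBuildPhase` entry out of a `project.pbxproj` file and flags script bodies that show common obfuscation or downloader patterns (decode-then-eval, a network fetch piped into a shell, long high-entropy blobs). The sample project text, the encoded placeholder it carries, and the heuristic thresholds are all constructed for the example.

```python
"""Static review of Xcode Run Script phases in a project.pbxproj file.

Defender-side heuristic check. Xcode runs the body of every
PBXShellScriptBuildPhase on build, so a cloned project can carry an
obfuscated script that executes on the developer's Mac. This example
extracts those scripts and scores them. Sample input is constructed.
"""
import base64
import math
import re
from collections import Counter

# Patterns typical of obfuscated or downloader-style build scripts.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_data": re.compile(r"\beval\b.*\bbase64\b|\bbase64\b.*\beval\b", re.S),
    "network_fetch_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|;\n]*\|\s*(sh|bash|zsh|python)\b"),
    "hex_escape_run": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ENTROPY_THRESHOLD = 4.5  # bits per character; constructed threshold for this example


def unescape_pbx_string(s: str) -> str:
    """Undo pbxproj string escaping (\\n, \\t, \\", \\\\)."""
    table = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), s)


def extract_run_scripts(pbxproj: str) -> list[dict]:
    """Return name, shell and script body for every PBXShellScriptBuildPhase."""
    phases = []
    for chunk in pbxproj.split("isa = PBXShellScriptBuildPhase;")[1:]:
        body = chunk.split("};", 1)[0]  # up to the closing brace of this phase
        name = re.search(r'name = "((?:[^"\\]|\\.)*)";', body)
        shell = re.search(r'shellPath = ("?)([^";]+)\1;', body)
        script = re.search(r'shellScript = "((?:[^"\\]|\\.)*)";', body)
        phases.append({
            "name": unescape_pbx_string(name.group(1)) if name else "(unnamed)",
            "shell": shell.group(2) if shell else "/bin/sh",
            "script": unescape_pbx_string(script.group(1)) if script else "",
        })
    return phases


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted blobs score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def assess_script(script: str) -> list[str]:
    """Return the heuristic findings for one Run Script body (empty list = clean)."""
    findings = [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(script)]
    if any(shannon_entropy(blob) > ENTROPY_THRESHOLD for blob in BASE64_RUN.findall(script)):
        findings.append("high_entropy_blob")
    return findings


def scan_pbxproj(pbxproj: str) -> list[dict]:
    """Scan every Run Script phase in a project.pbxproj text and attach findings."""
    results = []
    for phase in extract_run_scripts(pbxproj):
        phase["findings"] = assess_script(phase["script"])
        results.append(phase)
    return results


# Constructed project fragment: one ordinary lint step and one phase that decodes
# and evals a blob. The blob is a harmless placeholder built here, not a payload.
SAMPLE_BLOB = base64.b64encode(b"echo placeholder text constructed for this example").decode()
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        1A2B3C4D5E6F7081 /* Lint Sources */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Lint Sources";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "\"${SRCROOT}/scripts/lint.sh\" --strict\n";
        };
        F0E1D2C3B4A59687 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "ShellScript";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo __BLOB__ | base64 -d)\"\n";
        };
/* End PBXShellScriptBuildPhase section */
'''.replace("__BLOB__", SAMPLE_BLOB)

if __name__ == "__main__":
    for phase in scan_pbxproj(SAMPLE_PBXPROJ):
        verdict = "SUSPICIOUS" if phase["findings"] else "ok"
        print(f'[{verdict}] {phase["name"]} ({phase["shell"]}): {phase["findings"] or "no findings"}')
```

To run it against a real checkout, pass the contents of `App.xcodeproj/project.pbxproj` to `scan_pbxproj()`. Any phase that comes back with findings deserves a manual read before the project is built; a regex scan like this catches the obvious decode-and-eval pattern but not every obfuscation, so it complements rather than replaces reviewing the Run Script phases in Xcode's Build Phases tab.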