Security News > 2021 > March > New XcodeSpy malware targets iOS devs in supply-chain attack
A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.
Threat actors are increasingly creating malicious versions of popular projects hoping that they are included in other developer's applications.
Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack.
As part of the attack, threat actors have cloned the legitimate TabBarInteraction project and added an obfuscated malicious 'Run Script' script to the project, as shown below.
"By the time we discovered the malicious Xcode project, the C2 at cralev[.]me was already offline, so it was not possible to ascertain directly the result of the mdbcmd command. Fortunately there are two samples of the EggShell backdoor on VirusTotal that contain the telltale XcodeSpy string /private/tmp/.tag.," says the report.
To prevent these types of attacks, when developers utilize third-party packages in their own projects, they should always analyze them for build scripts that are executed when the project is compiled.
News URL
Related news
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More (source)
- North Korea targets crypto developers via NPM supply chain attack (source)
- The XCSSET info-stealing malware is back, targeting macOS users and devs (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations (source)
- China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access (source)
- GitHub supply chain attack spills secrets from 23,000 projects (source)
- Supply chain attack on popular GitHub Action exposes CI/CD secrets (source)
- Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos (source)
- GitHub Action hack likely led to another in cascading supply chain attack (source)