Hackers Target iOS App Developers With The 'EggShell' Backdoor, Research Found


The easiest way to develop an iOS app is to use an Apple computer, and many developers regard Macs as both secure and well suited to the job.

Unfortunately, attackers know this too, and they are exploiting it: a trojanized code library is being used to infiltrate developers' systems and install advanced surveillance malware on their Macs.

According to a report published by SentinelOne, the malicious code is delivered as a trojanized Xcode project.

Xcode is Apple's integrated development environment for macOS, used by developers to build software for macOS, iOS, iPadOS, watchOS, and tvOS.

The tool is available for free.

The hackers have created a copy of TabBarInteraction, a legitimate open source project that makes it easier for developers to animate iOS tab bars based on user interaction.

The project contains all the files, resources, and information needed to build the functionality. However, the hackers have inserted an obfuscated script into the otherwise legitimate code.

The script in question is an Xcode 'Run Script' build phase.

It executes a command whenever the developer builds the app. That command connects to a remote server controlled by the attacker and downloads and installs a custom version of EggShell, an open source backdoor, on the victim's system.

In this case, EggShell spies on the iOS developer through the Mac's webcam and microphone and logs every keystroke.

SentinelOne's researchers have named the trojanized project 'XcodeSpy'.

The malicious Xcode project drops two variants of EggShell.

Both variants have been uploaded to VirusTotal, a service that aggregates and scans malware samples, the first on August 5, 2020 and the second on October 13.

The obfuscated malicious script can be found in the Build Phases tab.

So far, the researchers found one instance of this malware in the wild.

“The later sample was also found in the wild in late 2020 on a victim’s Mac in the United States,” SentinelOne researcher Phil Stokes wrote in a blog post.

“For reasons of confidentiality, we are unable to provide further details about the ITW [in the wild] incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.”

The researchers suggested that the hackers were "in operation" for "at least between July and October 2020."

They also suggested that their prime targets are "developers in Asia."

It should be noted that spotting a script set to run during an Xcode build isn't difficult. XcodeSpy, however, makes inspection harder by encoding the script.
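As an added, defender-side example (not part of SentinelOne's report or of this article): a small Python scanner that parses a project.pbxproj, lists every PBXShellScriptBuildPhase object (what Xcode shows as a Run Script phase in the Build Phases tab) and flags scripts that eval decoded text, decode base64, reach out to the network, hide their output or background themselves. The pbxproj text and the encoded command inside it are constructed for the example; the indicator list is a generic heuristic, not a description of the actual XcodeSpy script.

```python
import base64
import binascii
import re
import string

# Constructed sample: a minimal project.pbxproj with two Run Script phases.
# The second hides its command behind base64, the kind of encoding the article
# describes; the decoded "payload" here is a harmless echo. Object IDs and
# phase names are made up for the example.
_PAYLOAD = 'echo "constructed harmless stand-in for a staged payload"'
_BLOB = base64.b64encode(_PAYLOAD.encode()).decode()

SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 50;
    objects = {
        1A2B3C4D5E6F7A8B9C0D1E01 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "echo \"Running lint\"\nexit 0\n";
        };
        1A2B3C4D5E6F7A8B9C0D1E02 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo @BLOB@ | base64 --decode)\" 2>/dev/null &\n";
        };
        1A2B3C4D5E6F7A8B9C0D1E03 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            files = (
            );
        };
    };
    rootObject = 1A2B3C4D5E6F7A8B9C0D1E09 /* Project object */;
}
'''.replace("@BLOB@", _BLOB)

# pbxproj objects are "ID /* comment */ = { ... };" with 24-hex-digit IDs;
# arrays inside an object use parentheses, so the first "};" closes it.
_OBJECT_RE = re.compile(r'([0-9A-F]{24})\s*(?:/\*\s*(.*?)\s*\*/)?\s*=\s*\{(.*?)\};', re.S)
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
_SHELLPATH_RE = re.compile(r'shellPath\s*=\s*"?([^";]+)"?\s*;')
_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')

# Generic review heuristics; each is a reason for a human to read the script.
_INDICATORS = [
    ("decodes-base64", re.compile(r'\bbase64\b.*(-D|-d|--decode)')),
    ("uses-eval", re.compile(r'\beval\b')),
    ("downloads-from-network", re.compile(r'\b(curl|wget|nc|nscurl)\b')),
    ("hides-output", re.compile(r'[12]?>\s*/dev/null')),
    ("runs-in-background", re.compile(r'&\s*$', re.M)),
]


def _unescape(s):
    """Undo pbxproj string escaping (\\n, \\t, \\", \\\\)."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s, flags=re.S)


def _try_decode(blob):
    """Decode a base64-looking token; return text only if it is mostly printable."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (ValueError, binascii.Error):
        return None
    text = raw.decode("utf-8", errors="replace")
    if not text:
        return None
    printable = sum(ch in string.printable for ch in text)
    return text if printable / len(text) > 0.9 else None


def find_script_phases(pbxproj_text):
    """Return every PBXShellScriptBuildPhase as a dict with its decoded script."""
    phases = []
    for obj_id, comment, body in _OBJECT_RE.findall(pbxproj_text):
        if not re.search(r'isa\s*=\s*PBXShellScriptBuildPhase\s*;', body):
            continue
        script = _SCRIPT_RE.search(body)
        shell = _SHELLPATH_RE.search(body)
        phases.append({
            "id": obj_id,
            "name": comment or "(unnamed)",
            "shell": shell.group(1).strip() if shell else "",
            "script": _unescape(script.group(1)) if script else "",
        })
    return phases


def assess_script(script):
    """Return (indicator names, decoded embedded blobs) for one script body."""
    indicators = [name for name, rx in _INDICATORS if rx.search(script)]
    decoded = [d for d in (_try_decode(b) for b in _BLOB_RE.findall(script)) if d]
    if decoded:
        indicators.append("embeds-encoded-text")
    return indicators, decoded


def scan_pbxproj(pbxproj_text):
    """Attach indicators and decoded blobs to every Run Script phase found."""
    findings = []
    for phase in find_script_phases(pbxproj_text):
        indicators, decoded = assess_script(phase["script"])
        findings.append({**phase, "indicators": indicators, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_pbxproj(SAMPLE_PBXPROJ):
        status = "REVIEW" if f["indicators"] else "ok"
        print(f'[{status}] {f["name"]} ({f["shell"]}): {", ".join(f["indicators"]) or "no indicators"}')
        for text in f["decoded"]:
            print("    decoded:", text)
```

Run it against a real project with `scan_pbxproj(open("MyApp.xcodeproj/project.pbxproj").read())`; anything flagged "REVIEW" deserves a read before the project is ever built, since the Run Script phase executes with the developer's privileges on the first build.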

This isn't the first case of its kind, but the researchers are concerned.

“There are other scenarios with such high-value victims,” SentinelOne’s Stokes wrote. “Attackers could simply be trawling for interesting targets and gathering data for future campaigns, or they could be attempting to gather AppleID credentials for use in other campaigns that use malware with valid Apple Developer code signatures. These suggestions do not exhaust the possibilities, nor are they mutually exclusive.”

Published: 20/03/2021