
New XcodeSpy Malware Targets iOS Devs In Supply-Chain Attack


A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer’s computer.

Xcode is a free application development environment created by Apple that allows developers to create applications that run on macOS, iOS, tvOS, and watchOS.

Like other development environments, it is common for developers to create projects that perform specific functions and share them online so that other developers can add them to their own applications.

Threat actors are increasingly creating malicious versions of popular projects in the hope that they are included in other developers' applications. When those applications are compiled, the malicious component runs and infects the developer's computer in a supply-chain attack.

Xcode project used in a supply-chain attack

Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack.

As part of the attack, threat actors have cloned the legitimate TabBarInteraction project and added an obfuscated malicious ‘Run Script’ script to the project, as shown below. This malicious version of the project has been named ‘XcodeSpy’ by SentinelOne.

[Image: Malicious TabBarInteraction with obfuscated Run Script]


When the project is built, Xcode will automatically execute the Run Script to open a remote shell back to the threat actor’s server, cralev.me.

“The script creates a hidden file called .tag in the /tmp directory, which contains a single command: mdbcmd. This in turn is piped via a reverse shell to the attackers' C2,” SentinelOne researcher Phil Stokes explains in a new report.

[Image: Deobfuscated Run Script command]

By the time SentinelOne learned of this malicious project, the command and control server was no longer available, so it is unclear what actions were performed through the reverse shell.

However, SentinelOne discovered two malware samples uploaded to VirusTotal that contain the same “/private/tmp/.tag” string, indicating that they were part of this attack.

“By the time we discovered the malicious Xcode project, the C2 at cralev[.]me was already offline, so it was not possible to ascertain directly the result of the mdbcmd command. Fortunately, however, there are two samples of the EggShell backdoor on VirusTotal that contain the telltale XcodeSpy string /private/tmp/.tag,” says the report.

The EggShell backdoor allows threat actors to upload files, download files, execute commands, and snoop on a victim’s microphone, camera, and keyboard activity.

At this time, SentinelOne is only aware of one in-the-wild victim of this attack, and it is not clear how the malicious Xcode project was being distributed.

“We don’t have any data on distribution and that’s something we’d very much like to hear more about from the wider community. Part of our motivation for publishing this now is to raise awareness and see if more of the missing details come to light from the exposure,” Stokes told BleepingComputer.

Malicious dev projects have also targeted Windows

Malicious development projects have also been used recently to target Windows developers.

In January, Google disclosed that the North Korean Lazarus hacking group was conducting social engineering attacks against security researchers.

To perform their attacks, the threat actors created online ‘security researcher’ personas used to contact security researchers for collaboration on vulnerability and exploit development.

As part of this collaboration, the attackers sent malicious Visual Studio projects that would install custom backdoors on the researchers' computers when built.


To prevent these types of attacks, developers who use third-party projects or packages in their own work should always inspect them for build scripts (such as Xcode ‘Run Script’ phases or Visual Studio build events) that execute automatically when the project is compiled.

If anything at all looks suspicious, developers should not use the package.
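The inspection step described above can be partly automated. The following Python script is an added example, not code from this article, from SentinelOne or from BleepingComputer: it parses an Xcode project's project.pbxproj, extracts every PBXShellScriptBuildPhase (the ‘Run Script’ phases Xcode executes at build time), decodes any base64 blobs embedded in them, and flags scripts that contain the indicators quoted in the article (cralev.me, /private/tmp/.tag, mdbcmd) or generic obfuscation heuristics. The heuristics, the regular expressions and the sample project text are my own constructions, not something the report describes.

```python
import base64
import binascii
import re
from typing import Dict, List

# Indicators quoted in the article from the SentinelOne report.
XCODESPY_INDICATORS = ("cralev.me", "/tmp/.tag", "mdbcmd")

# Generic heuristics (assumed here, not taken from the report) for build scripts
# that hide their content or reach the network while the project compiles.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\b"), "eval of a constructed string"),
    (re.compile(r"\bbase64\b.*(\s-d\b|\s-D\b|--decode)"), "base64 decoding"),
    (re.compile(r"\b(curl|wget)\b"), "network download during build"),
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
    (re.compile(r"\b(nc|ncat|netcat)\b"), "netcat invocation"),
    (re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"), "long hex-escaped string"),
]

# project.pbxproj is an old-style plist; all Run Script phases sit in one section.
SECTION_RE = re.compile(
    r"/\* Begin PBXShellScriptBuildPhase section \*/(.*?)"
    r"/\* End PBXShellScriptBuildPhase section \*/", re.S)
ENTRY_RE = re.compile(
    r"(?P<id>[0-9A-F]{24}) /\* (?P<name>.*?) \*/ = \{(?P<body>.*?)\n\s*\};", re.S)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def unescape_pbx(value: str) -> str:
    """Undo the backslash escapes Xcode uses inside quoted pbxproj strings."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def extract_run_scripts(pbxproj: str) -> List[Dict[str, str]]:
    """Return every Run Script phase as (id, name, decoded shell script)."""
    section = SECTION_RE.search(pbxproj)
    if not section:
        return []
    phases = []
    for entry in ENTRY_RE.finditer(section.group(1)):
        script = SCRIPT_RE.search(entry.group("body"))
        phases.append({"id": entry.group("id"), "name": entry.group("name"),
                       "script": unescape_pbx(script.group(1)) if script else ""})
    return phases


def decoded_blobs(script: str) -> List[str]:
    """Base64-looking tokens in the script that decode to printable text."""
    blobs = []
    for token in B64_RE.findall(script):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            blobs.append(raw.decode("ascii"))
    return blobs


def audit_run_scripts(pbxproj: str) -> List[Dict[str, object]]:
    """Flag Run Script phases matching known indicators or obfuscation heuristics."""
    findings = []
    for phase in extract_run_scripts(pbxproj):
        reasons = []
        # Scan the script as written and, separately, anything it hides in base64.
        views = [("", phase["script"])] + [
            (" (inside base64 blob)", blob) for blob in decoded_blobs(phase["script"])]
        for where, text in views:
            reasons += [f"known XcodeSpy indicator {ioc}{where}"
                        for ioc in XCODESPY_INDICATORS if ioc in text]
            reasons += [desc + where for pat, desc in SUSPICIOUS_PATTERNS if pat.search(text)]
        if reasons:
            findings.append({**phase, "reasons": reasons})
    return findings


# Constructed sample: one benign phase and one obfuscated phase whose decoded
# payload only touches the hidden .tag path the article names (a stand-in, not the malware).
_HIDDEN = base64.b64encode(b"touch /private/tmp/.tag").decode()
SAMPLE_PBXPROJ = (
    "/* Begin PBXShellScriptBuildPhase section */\n"
    "\t\tA1B2C3D4E5F60718293A4B5C /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n\t\t\tfiles = (\n\t\t\t);\n"
    '\t\t\tshellPath = /bin/sh;\n\t\t\tshellScript = "echo \\"Copying assets for $CONFIGURATION\\"\\n";\n'
    "\t\t};\n"
    "\t\tA1B2C3D4E5F60718293A4B5D /* Run Script */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n\t\t\tfiles = (\n\t\t\t);\n"
    f'\t\t\tshellPath = /bin/sh;\n\t\t\tshellScript = "eval \\"$(echo {_HIDDEN} | base64 -D)\\"\\n";\n'
    "\t\t};\n"
    "/* End PBXShellScriptBuildPhase section */\n"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for finding in audit_run_scripts(text):
        print(f"{finding['id']} ({finding['name']}): {', '.join(finding['reasons'])}")
```

Run it with the path to a downloaded project's project.pbxproj (or with no argument to audit the constructed sample). A hit is a reason to read the phase by hand before building; a clean result is not a guarantee, since the heuristics only catch the obfuscation styles listed here.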
