XcodeSpy malware delivered through compromised Xcode projectsWide range of malicious functionalitiesThreat SummaryAvoiding Mac malware in 2021Remove XcodeSpy malware from Mac
The threat actors behind XcodeSpy malware are using the supply chain attack to infect as many victims as possible. In short, if a developer distributes a program containing the malicious code to end users, these users would get infected, too. The malware itself leverages Apple’s IDE built-in feature that allows running customized shell script on launching an instance of the target app. One instance of an open-source project available on GitHub and infected with the malware is called TabBarInteraction. The obfuscated malicious script reportedly is hidden in Build Phases Tab. Since the Run Script panel needs to be manually expanded by the inspector, the code can be easily overlooked. The malicious script is made to create hidden file called .tag that contains only one command – mdbcmd, that helps to perform a reverse shell attack. This attack type is called so because in such scenario, the target machine is the one who initiates the connection with the attacker.
Wide range of malicious functionalities
Upon execution, EggShell backdoor ensures persistence on the infected computer by dropping a LaunchAgent. The public EggShell repo includes wide range of functionalities, such as retrieving browser’s passwords, Facebook session cookies, download victim’s personal files to criminals’ servers, navigating the operating system folders, taking screenshots, prompt user to type password, upload files, suspend current session, set output volume, put device to sleep mode, adjust screen brightness, run Apple scripts, record microphone, send iMessage, get pasteboard contents and more. It is a common practice for cybercriminals to use sneakily collected data to blackmail victims via email or social media. Typically, they threaten to publish collected information and recorded audio/video, asking the victim to pay up if one wants such recordings deleted. Moreover, collected data may be sold on the dark web forums and distributed to other criminals.
Threat Summary
Avoiding Mac malware in 2021
Not so long time ago people believed that Macs are resistant to malware, however, situation has changed rather quickly. In 2021, we have observed a large number of Mac-targeting viruses, most of them being persistent adware or browser hijackers, although more severe malware variants were created (such as Silver Sparrow). Most of these threats are distributed via bundled software packs. Software bundles are free programs that deliver additional programs alongside them. Their deceptive installers often do not present the extras or do so in unnoticeable manner. Another common Mac spyware and malware distribution vector is deceptive software update ads. These fake ads suggest installing an update for a widely used software such as Java or Adobe Flash. Agreement to install these can result in computer contamination with variety of persistent threats. For this reason, it is best to download programs as well as their updates from legitimate and confirmed sources only. As discussed earlier, XcodeSpy spreads via publicly available Xcode projects and mainly targets Apple developers to perform supply chain attack. For this reason, developers should be careful when accessing shared projects online.
Remove XcodeSpy malware from Mac
You should make XcodeSpy removal your top priority task if you suspect that your system has been compromised. To eliminate Mac threats, we typically recommend INTEGO, a powerful antivirus for OS X systems. You can read its review here. Once you remove XcodeSpy malware from Mac, make sure you get rid of compromised Xcode projects, or at least clean them up if you absolutely need to use them.
Reader Interactions
INTEGO antivirus is one of the leading security products for Mac that includes VirusBarrier X9 and NetBarrier X9 features allowing detection of viruses, ransomware, adware, browser hijackers, Trojans, backdoors and other threats and blocks suspicious network connections. If any detections are found, the software will eliminate them. Learn more about the software’s features in its full review. GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Use the following guidelines to get rid of XcodeSpy malware on Mac. You will need to eliminate suspicious components from several system folders, move unwanted applications to Trash, delete shady profiles and login items created by the potentially unwanted program. Once you complete these steps, follow the instructions how to clean each affected web browser individually. Eliminate components of unwanted program from Mac system folders Move unwanted applications to Trash Remove unwanted startup applications on Mac Delete malicious configuration profiles
Remove XcodeSpy malware from Safari Uninstall suspicious Safari extensions Change Safari Homepage and default search engine Remove push notifications on Safari Some suspicious websites can try to corrupt your Safari by asking to enable push notifications. If you have accidentally agreed, your browser will be flooded with various intrusive advertisements and pop-ups. You can get rid of them by following this quick guide: Reset Safari Remove XcodeSpy malware from Google Chrome Remove suspicious Chrome extensions Change Start Page settings Change default search settings Remove push notifications from Chrome If you want to get rid of the annoying ads and so-called push-notifications viruses, you must identify their components and clean your browser. You can easily remove ads from Chrome by following these steps: Reset Google Chrome browser Remove XcodeSpy malware from Mozilla Firefox Remove unwanted add-ons from Firefox Change Firefox Homepage Alter preferences in Firefox Remove annoying push notifications from Firefox Suspicious sites that ask to enable push notifications gain access to Mozilla’s settings and can deliver intrusive advertisements when browsing the Internet. Therefore, you should remove access to your browser by following these simple steps: Reset Mozilla Firefox Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend. Comment * Name * Email * Website
Δ Read Full Review Read Full Review