Experts found components of a complex toolkit employed in macOS attacks

Pierluigi Paganini June 19, 2023

Researchers uncovered a set of malicious files with backdoor capabilities that they believe is part of a toolkit targeting Apple macOS systems.

Bitdefender researchers discovered a set of malicious files with backdoor capabilities that are suspected to be part of a sophisticated toolkit designed to target Apple macOS systems.

The investigation is still ongoing, the experts pointed out that the samples are still largely undetected.

macOS toolkit

The researchers analyzed a total of four samples that were uploaded to VirusTotal, with the earliest sample that was uploaded by an anonymous actor to the platform on April 18, 2023. The remaining ones have been uploaded by the victim.

Two of the three samples uploaded by a victim are generic Python backdoors that target Windows, Linux, and macOS systems.

The first file identified by the experts is “shared.dat”, once executed it generates a unique device identifier UID and uses a routine to check the OS running on the target machine.

The files connect to the C2 server to receive additional commands to execute.

The malware can be instructed to extract systems information, run specific commands

This includes gathering system information, running encoded as base64 commands, downloading and executing routines, and killing itself.

The DownExec routine works differently, based on the victim’s operating system.

“For MacOS devices, the function writes a file to /Users/Shared/AppleAccount.tgz. The content that is written to the archive is also encoded as base64 when received from server. It unpacks the archive to the /Users/Shared folder, then opens the /Users/Shared/TempUser/AppleAccountAssistant.app application.” reads the report published by Bitdefender. “On Linux systems, the malware calls a dist_name function that checks the /etc/os-release to validate whether the victim distro is Debian, Fedora or anything else. The function writes some C code received from the C2 to a temporary file named tmp.c, that is later compiled to a file named /tmp/.ICE-unix/git using the cc command on Fedora and gcc on Debian. After compilation, the file is executed in background with two parameters, also received from C2.”

Bitdefender also discovered a powerful backdoor, a file labeled “sh.py,” among the samples they analyzed. The malicious code supports multiple capabilities, such as gathering system data, files listing, deleting files, executing commands, and exfiltrate base64 encoded data in batches.

The researchers also analyzed another component called FAT binary, which is written in Swift, and targets macOS Monterey (version 12) and newer.

The FAT binary contains Mach-O files for 2 architectures (x86 Intel and ARM M1), the experts believe it is used to check permissions before using a potential spyware component (likely to capture the screen) but does not include the spyware component itself. For this reason, experts believe that the discovered files are part of a more sophisticated attack. At this time, several files belonging to the attack chain are yet to be analyzed.

The C2 is hardcoded in the share.dat file and the first reference to the C2 domain dates back to February 10 2023,

Bitdefender tracked the Python components as JokerSpy.

The report includes indicators of compromise (IoCs) for the analyzed artifacts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)



you might also like

leave a comment