JOKERSPY used to target a cryptocurrency exchange in Japan

Pierluigi Paganini June 27, 2023

An unnamed Japanese cryptocurrency exchange was the victim of a cyber attack aimed at deploying an Apple macOS backdoor named JokerSpy.

Elastic Security Labs researchers provided details about a recently discovered intrusion at an unnamed cryptocurrency exchange, aimed at deploying an Apple macOS backdoor named JokerSpy.

The researchers track the intrusion as REF9134; the threat actors used the sh.py backdoor to deploy the macOS Swiftbelt enumeration tool. Bitdefender recently dubbed sh.py and xcc JOKERSPY: the former was used to evade detection and install the latter, and to deploy enumeration tools.

Bitdefender researchers recently discovered a set of malicious files with backdoor capabilities that are suspected to be part of a sophisticated toolkit designed to target Apple macOS systems.

The investigation is still ongoing; the experts pointed out that the samples are still largely undetected.

The researchers analyzed a total of four samples uploaded to VirusTotal; the earliest was uploaded to the platform by an anonymous actor on April 18, 2023, and the remaining ones were uploaded by the victim.

Two of the three samples uploaded by a victim are generic Python backdoors that target Windows, Linux, and macOS systems.

Bitdefender also discovered a powerful backdoor, a file labeled “sh.py,” among the samples it analyzed. The malicious code supports multiple capabilities, such as gathering system data, listing files, deleting files, executing commands, and exfiltrating Base64-encoded data in batches.

Bitdefender also analyzed another component, a FAT binary written in Swift that targets macOS Monterey (version 12) and newer.

The FAT binary contains Mach-O files for two architectures (x86 Intel and ARM M1). The experts believe it is used to check permissions before a potential spyware component (likely one that captures the screen) is used, but it does not include the spyware component itself. For this reason, the experts believe the discovered files are part of a more sophisticated attack. At this time, several files belonging to the attack chain are yet to be analyzed.

“In late May of 2023, an adversary with existing access in a prominent Japanese cryptocurrency exchange tripped one of our diagnostic endpoint alerts that detected the execution of a binary (xcc). xcc is not trusted by Apple, and the adversary self-signed using the native macOS tool codesign.” reported Elastic Security Labs. “Following the execution of xcc, we observed the threat actor attempting to bypass TCC permissions by creating their own TCC database and trying to replace the existing one. On June 1st a new Python-based tool was seen executing from the same directory as xcc and was utilized to execute an open-source macOS post-exploitation enumeration tool known as Swiftbelt.”

Elastic Security Labs experts reported that xcc is a self-signed binary written in Swift that allows attackers to determine current system permissions. The sample analyzed by the experts is signed as XProtectCheck, in an attempt to trick victims into believing that it is the macOS built-in antivirus component, XProtect.

The researchers observed xcc checking the FullDiskAccess and ScreenRecording permissions; it was also used to determine whether the screen is currently locked and whether the current process is a trusted accessibility client.

The experts believe the initial access for this attack was a backdoored plugin or third-party dependency. Bitdefender speculates that the malware was distributed through a malware-laced macOS QR code reader with a malicious dependency.

The analysis of the sh.py Python backdoor published by Elastic revealed it was used to deploy and execute other post-exploitation tools like Swiftbelt.

Below is the list of commands supported by the backdoor:

Command   Description
sk        Stop the backdoor’s execution
l         List the files of the path provided as parameter
c         Execute and return the output of a shell command
cd        Change directory and return the new path
xs        Execute a Python code given as a parameter in the current context
xsi       Decode a Base64-encoded Python code given as a parameter, compile it, then execute it
r         Remove a file or directory from the system
e         Execute a file from the system with or without parameter
u         Upload a file to the infected system
d         Download a file from the infected system
g         Get the current malware’s configuration stored in the configuration file
w         Override the malware’s configuration file with new values
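The behaviours reported above (an ad-hoc-signed binary posing as XProtect, an attempt to replace the TCC database, and a Python tool launched from the same directory as xcc) translate directly into endpoint detection rules. The following is an added illustration, not code from Elastic, Bitdefender or the article; the event schema, the "adhoc" signer label and all file paths in the sample telemetry are constructed for the example.

```python
"""Toy detection pass over constructed macOS endpoint events (added example)."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Standard macOS TCC database location; both the system-wide and the per-user
# copy end with this suffix, and only the TCC daemon (tccd) should write it.
TCC_DB_SUFFIX = "Library/Application Support/com.apple.TCC/TCC.db"


@dataclass
class Event:
    kind: str                                  # "exec" or "file_write"
    process: str                               # executable path of the acting process
    args: list = field(default_factory=list)   # exec arguments (script path for python)
    target: str = ""                           # path written (file_write only)
    signer: str = ""                           # "Apple", "adhoc" (self-signed) or other
    signing_id: str = ""                       # identifier embedded in the signature


def detect(events):
    """Return (rule, detail) tuples for events matching the three rules."""
    alerts, staging_dirs = [], set()
    for ev in events:
        proc = PurePosixPath(ev.process)
        if ev.kind == "exec":
            # Rule 1: signing identity borrows the XProtect name but is not Apple-signed.
            if "xprotect" in ev.signing_id.lower() and ev.signer != "Apple":
                alerts.append(("xprotect_impersonation", ev.process))
                staging_dirs.add(str(proc.parent))   # remember where it ran from
            # Rule 3: a Python interpreter running a script out of a flagged directory.
            elif proc.name.startswith("python") and ev.args:
                if str(PurePosixPath(ev.args[0]).parent) in staging_dirs:
                    alerts.append(("python_from_staging_dir", ev.args[0]))
        elif ev.kind == "file_write":
            # Rule 2: TCC.db written by anything other than the TCC daemon.
            if ev.target.endswith(TCC_DB_SUFFIX) and proc.name != "tccd":
                alerts.append(("tcc_db_tamper", ev.process))
    return alerts


# Constructed sample telemetry; every path and identifier here is illustrative.
STAGING = "/Users/alice/Library/Caches/staging"
SAMPLE_EVENTS = [
    Event("exec", "/System/Library/CoreServices/ExampleApple", signer="Apple", signing_id="com.apple.XProtect"),
    Event("exec", f"{STAGING}/xcc", signer="adhoc", signing_id="XProtectCheck"),
    Event("file_write", f"{STAGING}/xcc", target=f"/{TCC_DB_SUFFIX}"),
    Event("file_write", "/usr/libexec/tccd", target=f"/Users/alice/{TCC_DB_SUFFIX}"),
    Event("exec", "/usr/bin/python3", args=[f"{STAGING}/sh.py"]),
    Event("exec", "/usr/bin/python3", args=["/opt/ci/build.py"]),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Only the ad-hoc-signed impostor, its write to TCC.db and the script run from its directory are flagged; the Apple-signed binary, tccd's own write and the unrelated build script pass.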

Elastic Security used a Diamond Model to describe high-level relationships between the adversaries, capabilities, infrastructure, and victims of intrusions.

JokerSpy

The researchers shared MITRE ATT&CK Tactics and Yara rules for this threat.
