Elastic Security Labs researchers provided details about a recently discovered intrusion at an unnamed cryptocurrency exchange, aimed at deploying an Apple macOS backdoor named JokerSpy.
The researchers tracked the intrusion as REF9134; the threat actors used the sh.py backdoor to deploy the macOS Swiftbelt enumeration tool. Bitdefender recently dubbed sh.py and xcc JOKERSPY: the former was used to evade detection, install the latter, and deploy enumeration tools.
Bitdefender researchers recently discovered a set of malicious files with backdoor capabilities that are suspected to be part of a sophisticated toolkit designed to target Apple macOS systems.
The investigation is still ongoing; the experts pointed out that the samples are still largely undetected.
The researchers analyzed a total of four samples that were uploaded to VirusTotal; the earliest was uploaded to the platform by an anonymous actor on April 18, 2023. The remaining ones were uploaded by the victim.
Two of the three samples uploaded by a victim are generic Python backdoors that target Windows, Linux, and macOS systems.
Bitdefender also discovered a powerful backdoor, a file labeled “sh.py,” among the samples they analyzed. The malicious code supports multiple capabilities, such as gathering system data, listing files, deleting files, executing commands, and exfiltrating base64-encoded data in batches.
Bitdefender also analyzed another component, a FAT binary written in Swift, which targets macOS Monterey (version 12) and newer.
The FAT binary contains Mach-O files for two architectures (x86 Intel and ARM M1). The experts believe it is used to check permissions before using a potential spyware component (likely to capture the screen), but it does not include the spyware component itself. For this reason, experts believe that the discovered files are part of a more sophisticated attack. At this time, several files belonging to the attack chain are yet to be analyzed.
“In late May of 2023, an adversary with existing access in a prominent Japanese cryptocurrency exchange tripped one of our diagnostic endpoint alerts that detected the execution of a binary (xcc). xcc is not trusted by Apple, and the adversary self-signed using the native macOS tool codesign.” reported Elastic Security Labs. “Following the execution of xcc, we observed the threat actor attempting to bypass TCC permissions by creating their own TCC database and trying to replace the existing one. On June 1st a new Python-based tool was seen executing from the same directory as xcc and was utilized to execute an open-source macOS post-exploitation enumeration tool known as Swiftbelt.”
Elastic Security Labs experts reported that xcc is a self-signed binary written in Swift. The tool allows attackers to determine current system permissions. The sample analyzed by the experts is signed as XProtectCheck, in an attempt to trick victims into believing that it was the macOS built-in AV XProtect.
The researchers observed xcc checking FullDiskAccess and ScreenRecording permissions; it was also used to determine whether the screen is currently locked and whether the current process is a trusted accessibility client.
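The two behaviours Elastic describes above, a non-Apple binary executing under an XProtect-like signing identity and an attempt to replace the TCC database, are both visible in endpoint telemetry. The following is an added detection sketch, not code from Elastic, Bitdefender, or the malware; it runs over a few constructed JSON-lines process and file events whose field names (`type`, `process`, `args`, `path`, `dest`, `signing_id`, `platform_binary`) are a hypothetical schema, while the TCC.db locations under `/Library` and `~/Library` and the `tccd` daemon name are real macOS details.

```python
"""Detection sketch (added example) for xcc-style TCC tampering and
XProtect impersonation. Event schema is hypothetical; sample data is constructed."""
import json
import os.path

# Real macOS TCC database locations: system scope under /Library and
# per-user scope under ~/Library both end with this suffix.
TCC_DB_SUFFIX = "Library/Application Support/com.apple.TCC/TCC.db"

# Only the TCC daemon is expected to write the database.
TCC_WRITERS = {"tccd"}


def is_tcc_db_path(path):
    """True for TCC.db and its SQLite side files (TCC.db-journal, TCC.db-wal)."""
    return TCC_DB_SUFFIX in path


def check_event(evt, suspect_dirs):
    """Return findings for one event; records directories of flagged binaries
    in suspect_dirs so later script executions from there can be correlated."""
    findings = []
    etype = evt.get("type")
    proc = evt.get("process", "")
    proc_name = os.path.basename(proc)

    if etype == "file_write" and is_tcc_db_path(evt.get("path", "")):
        if proc_name not in TCC_WRITERS:
            findings.append(f"TCC.db written by non-tccd process {proc}")
    elif etype == "file_rename" and is_tcc_db_path(evt.get("dest", "")):
        # Dropping a prepared database over the real one is a rename, not a write.
        findings.append(f"TCC.db replaced via rename by {proc}")
    elif etype == "process_exec":
        args = evt.get("args", [])
        # Hunting signal, not an alert on its own: developers sign code too.
        if proc_name == "codesign" and "-s" in args:
            findings.append("codesign -s invoked: " + " ".join(args))
        # Apple's own XProtect components are platform binaries; anything else
        # carrying an XProtect-like signing identifier is impersonation.
        sid = evt.get("signing_id", "")
        if "xprotect" in sid.lower() and not evt.get("platform_binary", False):
            findings.append(f"non-Apple binary {proc} carries XProtect-like signing id {sid!r}")
            suspect_dirs.add(os.path.dirname(proc))
        # A Python script launched from the directory of a flagged binary
        # mirrors the sh.py-next-to-xcc pattern described in the report.
        if proc_name.startswith("python"):
            for a in args[1:]:
                if os.path.dirname(a) in suspect_dirs:
                    findings.append(f"python ran {a} from directory of a flagged binary")
                    break
    return findings


def scan(lines):
    """Parse JSON-lines events and return [(line_no, finding), ...]."""
    results = []
    suspect_dirs = set()
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for f in check_event(json.loads(line), suspect_dirs):
            results.append((n, f))
    return results


# Constructed sample telemetry; paths and identities are illustrative only.
SAMPLE_EVENTS = [
    json.dumps({"type": "process_exec", "process": "/usr/bin/codesign",
                "args": ["codesign", "-s", "Self Signed Cert", "./xcc"],
                "signing_id": "com.apple.codesign", "platform_binary": True}),
    json.dumps({"type": "process_exec", "process": "/Users/dev/Downloads/xcc",
                "args": ["./xcc"], "signing_id": "XProtectCheck",
                "platform_binary": False}),
    json.dumps({"type": "file_write",
                "process": "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd",
                "path": "/Library/Application Support/com.apple.TCC/TCC.db"}),
    json.dumps({"type": "file_rename", "process": "/Users/dev/Downloads/xcc",
                "src": "/Users/dev/Downloads/TCC.db",
                "dest": "/Users/dev/Library/Application Support/com.apple.TCC/TCC.db"}),
    json.dumps({"type": "process_exec", "process": "/usr/bin/python3",
                "args": ["python3", "/Users/dev/Downloads/sh.py"],
                "signing_id": "com.apple.python3", "platform_binary": True}),
]

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_EVENTS):
        print(f"event {line_no}: {finding}")
```

The legitimate `tccd` write in event 3 produces nothing, while the rename in event 4 is flagged even though no write to TCC.db ever occurs, which is why both file operations need coverage. The `codesign` rule is kept deliberately broad and is meant for correlation with the other findings rather than as a standalone alert.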
The experts believe that the initial access for this attack was a backdoored plugin or third-party dependency. Bitdefender speculates the malware was distributed using a malware-laced macOS QR code reader with a malicious dependency.
The analysis of the sh.py Python backdoor published by Elastic revealed it was used to deploy and execute other post-exploitation tools like Swiftbelt.
Below is the list of commands supported by the backdoor:
| Command | Description |
|---|---|
| sk | Stop the backdoor’s execution |
| l | List the files of the path provided as parameter |
| c | Execute and return the output of a shell command |
| cd | Change directory and return the new path |
| xs | Execute Python code given as a parameter in the current context |
| xsi | Decode Base64-encoded Python code given as a parameter, compile it, then execute it |
| r | Remove a file or directory from the system |
| e | Execute a file from the system with or without parameter |
| u | Upload a file to the infected system |
| d | Download a file from the infected system |
| g | Get the current malware configuration stored in the configuration file |
| w | Override the malware’s configuration file with new values |
Elastic Security used a Diamond Model to describe high-level relationships between the adversaries, capabilities, infrastructure, and victims of intrusions.
The researchers shared MITRE ATT&CK Tactics and Yara rules for this threat.