Japanese Crypto Exchange Hit by JokerSpy Attack

Unknown attackers targeted a Japanese cryptocurrency exchange and installed the JokerSpy malware on its macOS computers, according to Elastic Security Labs, which tracks the intrusion under the identifier REF9134. The sophisticated toolkit, written in Python and Swift, collects data and executes arbitrary commands on infected hosts. One of its key components is a self-signed binary called "xcc," which checks whether the host has granted it Full Disk Access and Screen Recording permissions (both governed by macOS's TCC privacy controls). The file is signed with the identity "XProtectCheck," an apparent attempt to pass the malware off as part of XProtect, macOS's built-in anti-malware technology.

Elastic's researchers also observed a new Python tool in the same directory as xcc, which was used to launch an open-source post-exploitation tool for macOS called SwiftBelt. The attack targeted a large Japanese cryptocurrency service provider that specializes in exchanging assets for Bitcoin, Ethereum and other widely used cryptocurrencies. The provider's name has not been disclosed.

The xcc binary was launched via bash from three different applications: IntelliJ IDEA, iTerm (a terminal emulator for macOS) and Visual Studio Code. Another component, the Python script sh.py, is installed as part of the attack and serves as the channel for delivering other post-exploitation tools such as SwiftBelt.
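The two behaviours described above, the XProtect look-alike signing identity and the developer-app to bash to xcc execution chain, are the kind of traits a hunt query would look for. The following is an added example written for this page; it is not code from the article, from Elastic Security Labs or from any vendor. It replays constructed process events (the event fields, PIDs, paths and signing identifiers are assumptions, not real telemetry) and flags events that match either trait.

```python
"""Added example, not code from the article or from Elastic Security Labs:
a small hunting script that replays constructed macOS process events and
flags the two REF9134 traits the article describes.

Rule 1: a binary whose code-signing identity imitates XProtect (the article
        reports xcc signed as "XProtectCheck") but whose signature does not
        chain to Apple.
Rule 2: a non-Apple binary outside the usual system paths executed through a
        shell whose parent is one of the developer applications named in the
        article (IntelliJ IDEA, iTerm, Visual Studio Code).

The event fields below are an assumption for illustration; real telemetry
(Endpoint Security framework, an EDR, the unified log) uses other names.
"""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parent applications the article names as launching bash -> xcc.
DEV_APPS = {"IntelliJ IDEA", "iTerm", "iTerm2", "Visual Studio Code"}
SHELLS = {"bash", "sh", "zsh"}
# Locations where Apple and vendor binaries normally live (assumed allowlist).
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/",
                    "/Applications/", "/Library/Apple/")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str            # process (executable) name
    path: str            # on-disk path of the executable
    signing_id: str      # code-signing identifier reported by the sensor
    apple_signed: bool   # True if the signature chains to Apple's root CA


def in_trusted_path(path: str) -> bool:
    """True when the executable lives under one of the assumed system paths."""
    return path.startswith(TRUSTED_PREFIXES)


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) pairs for every event that matches a rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for ev in events:
        # Rule 1: XProtect look-alike identity without an Apple signature.
        if "xprotect" in ev.signing_id.lower() and not ev.apple_signed:
            alerts.append((ev.pid, "xprotect_impersonation"))
        # Rule 2: dev app -> shell -> untrusted binary outside system paths.
        parent = by_pid.get(ev.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        if (
            parent is not None
            and grandparent is not None
            and parent.name in SHELLS
            and grandparent.name in DEV_APPS
            and not ev.apple_signed
            and not in_trusted_path(ev.path)
        ):
            alerts.append((ev.pid, "dev_app_shell_launch"))
    return alerts


# Constructed sample telemetry (not real logs): PIDs, paths and signing
# identifiers are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "launchd", "/sbin/launchd", "com.apple.launchd", True),
    ProcEvent(100, 1, "Visual Studio Code",
              "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
              "com.microsoft.VSCode", False),
    ProcEvent(101, 100, "bash", "/bin/bash", "com.apple.bash", True),
    ProcEvent(102, 101, "xcc", "/Users/dev/Library/xcc", "XProtectCheck", False),
    ProcEvent(200, 1, "iTerm", "/Applications/iTerm.app/Contents/MacOS/iTerm2",
              "com.googlecode.iterm2", False),
    ProcEvent(201, 200, "zsh", "/bin/zsh", "com.apple.zsh", True),
    ProcEvent(202, 201, "git", "/usr/bin/git", "com.apple.git", True),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Only the xcc event trips both rules; the git run from an iTerm shell is left alone because it is Apple-signed and lives under /usr/bin. Rule 2 is deliberately a hunting query rather than a blocking rule: developers run unsigned local builds from their terminals all day, so in practice it needs to be tuned with the signing and path conditions shown here, or combined with Rule 1 or with a first-seen check on the binary hash.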

macOS users should remain vigilant and avoid downloading files or programs from untrusted sources. Keeping the operating system and applications up to date and running reputable security software is also recommended to protect data and cryptocurrency holdings. Given how xcc works, unexpected prompts to grant Full Disk Access or Screen Recording, or unfamiliar entries under the Privacy & Security settings, deserve a second look.
