JokerSpy Targets Apple macOS in New Spy Threat

Bitdefender experts have discovered a set of malicious programs that form part of a complex toolkit aimed at Apple macOS. According to the company’s researchers, “At the moment, these samples are almost never encountered, and very little information is available about them.”

Experts discovered and analyzed four different malware samples, all uploaded to VirusTotal by an unknown victim; the first was uploaded on April 18 of this year. Some of the samples are conventional Python-based backdoors designed to attack Windows, Linux and macOS systems, and the payloads have been given the collective name JokerSpy.

The first component of the malware is named “shared.dat”. After launching, it identifies the operating system and establishes a connection to a remote server to obtain the correct version of the payload, together with further instructions for execution. On macOS devices, the Base64-encoded content received from the server is written to a file named “/Users/Shared/AppleAccount.tgz”, which is then unpacked and launched as the application “/Users/Shared/TempUser/AppleAccountAssistant.app”.

The second component is a powerful backdoor named “sh.py”. It has an extensive set of capabilities: collecting system metadata, listing, exfiltrating and deleting files, and executing arbitrary commands. The third component is the binary “xcc.fat”, written in Swift and targeting macOS Monterey (version 12) and newer. It is a universal (fat) binary containing two Mach-O slices for two processor architectures, x86 Intel and ARM (Apple M1). Its primary purpose is to check that the necessary permissions are present before the spy component itself is activated.
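For analysts triaging a sample like the one described above, the first question is which architecture slices a fat binary carries. The following is an added example, not code from the article or from Bitdefender: a small parser for the fat header layout defined in Apple’s `<mach-o/fat.h>` (big-endian `fat_header` followed by 20-byte `fat_arch` entries), run over a constructed two-slice sample with every read bounds-checked so a truncated or crafted header raises an error rather than returning garbage.

```python
import struct

FAT_MAGIC = 0xCAFEBABE              # fat header magic, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF            # 64-bit Mach-O magic, stored little-endian
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7 | CPU_ARCH_ABI64: "x86_64",   # Intel slice
    12 | CPU_ARCH_ABI64: "arm64",   # Apple silicon (M1) slice
}

def parse_fat_slices(data: bytes) -> list:
    """Return [(arch, offset, size), ...] for each slice of a fat Mach-O.

    Every offset is checked against len(data) before it is dereferenced,
    so a truncated or malformed header raises ValueError.
    """
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O: magic 0x%08x" % magic)
    slices = []
    for i in range(nfat_arch):
        entry = 8 + i * 20          # struct fat_arch is 5 x uint32 = 20 bytes
        if entry + 20 > len(data):
            raise ValueError("fat_arch table overruns the file")
        cputype, _subtype, offset, size, _align = struct.unpack(
            ">IIIII", data[entry:entry + 20])
        if size < 4 or offset + size > len(data):
            raise ValueError("slice %d points outside the file" % i)
        slice_magic = struct.unpack("<I", data[offset:offset + 4])[0]
        if slice_magic != MH_MAGIC_64:
            raise ValueError("slice %d is not a 64-bit Mach-O" % i)
        slices.append((CPU_NAMES.get(cputype, "cputype 0x%x" % cputype),
                       offset, size))
    return slices

def build_sample_fat() -> bytes:
    """Constructed sample (not a real malware file): a fat header with an
    x86_64 and an arm64 slice; each slice is just a Mach-O magic plus padding."""
    slice_len = 32
    offsets = (64, 64 + slice_len)
    header = struct.pack(">II", FAT_MAGIC, 2)
    for cputype, off in zip((7 | CPU_ARCH_ABI64, 12 | CPU_ARCH_ABI64), offsets):
        header += struct.pack(">IIIII", cputype, 3, off, slice_len, 12)
    body = header.ljust(64, b"\0")
    for _ in offsets:
        body += struct.pack("<I", MH_MAGIC_64).ljust(slice_len, b"\0")
    return body

if __name__ == "__main__":
    for arch, off, size in parse_fat_slices(build_sample_fat()):
        print("%-8s offset=%d size=%d" % (arch, off, size))
```

On a real file, replace `build_sample_fat()` with the bytes read from disk; the same checks apply.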

“These files are probably part of a more sophisticated attack. On the system we studied, it seems that several important files needed to determine the full picture of the attack are missing,” the researchers said. The link between “xcc” and spyware is suggested by the path found in the file’s contents, “/users/joker/downloads/spy/xprotectcheck/”, and by the fact that it checks for permissions such as disk access, screen recording and accessibility.

The identity of the attackers behind this malicious operation is still unknown. It is also unclear how initial access is obtained, and whether it involves social engineering or targeted phishing emails. Since the malicious tools are poorly detected by antivirus solutions, macOS users are advised to remain vigilant and avoid downloading suspicious applications from unofficial sources.
