uTalk

Official forum for Utopia Community


#1 2023-06-27 22:40:44

thrive
Member
Registered: 2023-01-04
Posts: 2,018

A Japanese crypto exchange has been targeted by the JokerSpy macOS backdoor

This month's new attack, which was intended to install the JokerSpy backdoor for Apple macOS, was directed at an unidentified cryptocurrency exchange in Japan.

Swiftbelt, a Swift-based enumeration tool inspired by an open-source utility called SeatBelt, was installed as a result of the intrusion, according to Elastic Security Labs, which is monitoring the intrusion set under the name REF9134.

JokerSpy was first described as a sophisticated toolkit intended to compromise macOS machines by Bitdefender last week.

There isn't much information available about the threat actor responsible for the operation, other than the fact that the attacks make use of a number of Python and Swift programs that can gather information and run arbitrary commands on compromised hosts.

The toolkit includes a self-signed multi-architecture binary called xcc that is designed to check for FullDiskAccess and ScreenRecording permissions as one of its main components.

The file's XProtectCheck signature indicates that it is an attempt to impersonate XProtect, a built-in antivirus feature in macOS that uses signature-based detection rules to remove malware from infected hosts.

Elastic's analysis of the incident shows that after creating xcc, the threat actor "attempted to circumvent TCC permissions by creating their own TCC database and trying to replace the existing one."


Security researchers Colson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, and Ricardo Ungureanu reported that a new Python-based tool was observed running from the same directory as xcc on June 1 and was used to execute the Swiftbelt open-source macOS post-exploitation enumeration tool.

The attack was directed at a sizable cryptocurrency service provider with operations in Japan that specialized in asset exchange for trading Bitcoin, Ethereum, and other widely used cryptocurrencies. The company's name wasn't made public.

For its part, the xcc binary is launched by Bash through three different programs called IntelliJ IDEA, iTerm (a macOS terminal emulator), and Visual Studio Code, suggesting that backdoored versions of software development programs are probably used to gain initial access.


Shpy, a Python implant that serves as a conduit to deliver other post-exploitation tools like Swiftbelt, is another noteworthy module that was installed as part of the attack.

Swiftbelt uses Swift code to avoid producing command line artifacts, in contrast to other enumeration methods, the researchers noted. Notably, Swift is also used to create xcc variants.

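A defender-side illustration, added here and not part of thrive's post, Elastic's report or the JokerSpy toolkit: a small detector that replays process and file telemetry and flags the two behaviours the post describes, the xcc binary being started by bash underneath one of the named developer tools (IntelliJ IDEA, iTerm, Visual Studio Code), and a non-system process writing or renaming over the TCC permissions database. The JSON-lines telemetry format, the sample events, the `/Users/dev/Library/xcc` path and the `tccd` allowlist are all constructed for this example; the `com.apple.TCC/TCC.db` path suffix comes from general macOS knowledge, not from the post.

```python
"""Replay constructed macOS telemetry and flag xcc launches and TCC.db tampering.

Example code added alongside the forum post; not from Elastic or the post author.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Parent applications the post names as the launchers of xcc (via bash).
DEV_TOOL_PARENTS = {"IntelliJ IDEA", "iTerm", "Visual Studio Code"}
# Path suffix shared by the system and per-user TCC databases on macOS
# (general macOS knowledge; the post does not give the path).
TCC_DB_SUFFIX = "com.apple.TCC/TCC.db"
# Processes permitted to touch the database; an assumption for this example.
TCC_DB_ALLOWED_WRITERS = {"tccd"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    line_no: int
    detail: str


def check_exec(ev: dict, line_no: int) -> Optional[Alert]:
    """Flag a process named xcc spawned by bash; higher severity when the
    grandparent is one of the developer tools named in the post."""
    if ev.get("type") != "exec" or ev.get("process") != "xcc":
        return None
    if ev.get("parent") != "bash":
        return None
    grandparent = ev.get("grandparent", "")
    severity = "high" if grandparent in DEV_TOOL_PARENTS else "medium"
    return Alert("xcc_launched_via_bash", severity, line_no,
                 f"{ev.get('path')} started by bash under {grandparent!r}")


def check_tcc_db(ev: dict, line_no: int) -> Optional[Alert]:
    """Flag writes, creates or renames whose target is a TCC database and whose
    acting process is not on the allowlist (the post's 'replace the existing
    TCC database' behaviour shows up as a rename or write onto that path)."""
    if ev.get("type") not in {"file_write", "file_create", "file_rename"}:
        return None
    target = ev.get("dest") or ev.get("path") or ""
    if not target.endswith(TCC_DB_SUFFIX):
        return None
    if ev.get("process") in TCC_DB_ALLOWED_WRITERS:
        return None
    return Alert("tcc_db_modified", "high", line_no,
                 f"{ev.get('process')} {ev['type']} -> {target}")


def scan(log_lines: List[str]) -> List[Alert]:
    """Parse JSON-lines telemetry and return every alert in log order."""
    alerts: List[Alert] = []
    for n, line in enumerate(log_lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        for check in (check_exec, check_tcc_db):
            alert = check(ev, n)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs): a benign developer session,
# then the xcc launch and TCC database replacement the post describes.
SAMPLE_LOG = [
    '{"type":"exec","process":"bash","parent":"Visual Studio Code","grandparent":"launchd","path":"/bin/bash"}',
    '{"type":"exec","process":"python3","parent":"bash","grandparent":"iTerm","path":"/usr/bin/python3"}',
    '{"type":"exec","process":"xcc","parent":"bash","grandparent":"Visual Studio Code","path":"/Users/dev/Library/xcc"}',
    '{"type":"file_write","process":"tccd","path":"/Library/Application Support/com.apple.TCC/TCC.db"}',
    '{"type":"file_rename","process":"xcc","src":"/tmp/TCC.db","dest":"/Library/Application Support/com.apple.TCC/TCC.db"}',
    '{"type":"exec","process":"xcc","parent":"bash","grandparent":"Finder","path":"/Users/dev/Library/xcc"}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] line {a.line_no}: {a.rule}: {a.detail}")
```

Run against the sample, the scan raises three alerts: the xcc launch under Visual Studio Code (high), the rename of a staged file onto TCC.db by xcc (high), and an xcc launch under a parent the post does not name (medium). The benign bash and python3 executions and the write by tccd stay silent, which is the trade-off to tune in a real deployment: a developer-tool parent on its own is normal, so the rule keys on the child name and the shell in between, and the TCC rule keys on the path plus an allowlist rather than on any one process name.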
