Japanese cryptocurrency exchange hit by JokerSpy attack
Recently disclosed malware masquerades as the built-in antivirus in macOS.
Unidentified attackers compromised a Japanese cryptocurrency exchange and installed the JokerSpy malware on its macOS computers. The intrusion was reported by Elastic Security Labs, which tracks the activity under the codename REF9134.
JokerSpy is a sophisticated toolkit for compromising macOS machines. It was first described by Bitdefender last week. JokerSpy consists of several components written in Python and Swift that collect data from infected hosts and execute arbitrary commands on them.
One of JokerSpy's core components is a self-signed binary called "xcc" that checks whether the current user has been granted Full Disk Access and Screen Recording permissions (the macOS TCC privacy permissions an implant needs in order to read user files and capture the screen). The binary is signed with the identifier XProtectCheck, an attempt to pass itself off as part of XProtect, the antivirus technology built into macOS. Genuine XProtect components are signed by Apple, so a self-signed binary carrying that identifier is itself an indicator of compromise.
“On June 1, a new Python tool was spotted that ran from the same directory as xcc and was used to run an open-source post-operational tool for macOS called Swiftbelt,” Elastic security researchers said.
The attack targeted a major Japanese cryptocurrency service provider that specializes in asset exchange, trading Bitcoin, Ethereum and other mainstream cryptocurrencies. The company's name was not disclosed.
The "xcc" binary was launched via Bash from three different applications: IntelliJ IDEA, iTerm (a terminal emulator for macOS) and Visual Studio Code. That parent chain is useful for hunting: a shell spawned by a developer tool is normal, but a shell spawned by one of these tools that in turn launches a self-signed binary named xcc is not.
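The two indicators above (a self-signed binary whose signing identifier is XProtectCheck, and the developer tool to Bash to xcc launch chain) can be turned into a simple hunt over process telemetry. The following is an added example written for this article; it is not code from Elastic Security Labs, Bitdefender or the JokerSpy authors. The event schema (pid, name, path, signing_id, self_signed, ancestors), the executable names assumed for IntelliJ IDEA, iTerm and Visual Studio Code, and the sample events are all constructed for illustration.

```python
"""Hunt for JokerSpy-style xcc executions in macOS process telemetry.

Added example, not code from the article, Elastic Security Labs or
Bitdefender.  Indicators come from the text: a self-signed binary named
"xcc" whose code-signing identifier is "XProtectCheck" (impersonating
XProtect), launched via bash from IntelliJ IDEA, iTerm or Visual Studio
Code.  The event schema and the process names of the three apps are
assumptions made for illustration, not any product's real format.
"""

# Assumed executable names of the three apps the article names as the
# origin of the bash session that ran xcc.
DEV_TOOL_PARENTS = {"idea", "iTerm2", "Code"}
SHELLS = {"bash", "sh", "zsh"}
IMPERSONATED_SIGNING_ID = "XProtectCheck"


def indicators(evt):
    """Return the list of indicator names matched by one process event."""
    hits = []
    # 1. A self-signed binary claiming to be XProtectCheck.  Apple's own
    #    XProtect components are Apple-signed, so self-signed plus that
    #    identifier is an impersonation attempt on its own.
    if evt.get("signing_id") == IMPERSONATED_SIGNING_ID and evt.get("self_signed"):
        hits.append("self_signed_xprotectcheck")
    # 2. An executable named xcc that is self-signed (the JokerSpy
    #    permission-checker binary; Apple ships no self-signed tools).
    if evt.get("name") == "xcc" and evt.get("self_signed"):
        hits.append("self_signed_xcc")
    # 3. Ancestry matching the reported launch path: dev tool -> shell -> xcc.
    anc = evt.get("ancestors", [])
    if len(anc) >= 2 and anc[0] in SHELLS and anc[1] in DEV_TOOL_PARENTS:
        hits.append("shell_from_dev_tool")
    return hits


def verdict(evt):
    """Map indicators to a triage level; None means nothing to review."""
    hits = set(indicators(evt))
    if "self_signed_xprotectcheck" in hits:
        return "high"
    if "self_signed_xcc" in hits:
        return "high" if "shell_from_dev_tool" in hits else "medium"
    # A shell spawned from an IDE or terminal emulator is normal by itself.
    return None


def hunt(events):
    """Return (pid, level, indicators) for every event worth triaging."""
    out = []
    for evt in events:
        level = verdict(evt)
        if level:
            out.append((evt["pid"], level, indicators(evt)))
    return out


# Constructed sample telemetry; these are not real captures.
SAMPLE_EVENTS = [
    {"pid": 501, "name": "ls", "path": "/bin/ls",
     "signing_id": "com.apple.ls", "self_signed": False,
     "ancestors": ["zsh", "iTerm2"]},            # normal developer activity
    {"pid": 602, "name": "xcc", "path": "/Users/dev/.cache/xcc",
     "signing_id": "XProtectCheck", "self_signed": True,
     "ancestors": ["bash", "Code"]},             # matches the reported chain
    {"pid": 603, "name": "python3", "path": "/usr/local/bin/python3",
     "signing_id": "com.example.python3", "self_signed": False,
     "ancestors": ["bash", "idea"]},             # IDE-launched interpreter, benign alone
    {"pid": 704, "name": "xcc", "path": "/tmp/xcc",
     "signing_id": "XProtectCheck", "self_signed": True,
     "ancestors": ["launchd"]},                  # same disguise, different launch path
    {"pid": 705, "name": "xcc", "path": "/tmp/xcc",
     "signing_id": "xcc", "self_signed": True,
     "ancestors": ["zsh", "Terminal"]},           # xcc name without the XProtect disguise
]

if __name__ == "__main__":
    for pid, level, hits in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {level} ({', '.join(hits)})")
```

The ancestry indicator on its own never produces a verdict, because developers launch shells from IDEs and terminal emulators all day; it only raises the severity of an event that already looks like the xcc binary. In a real deployment the self_signed flag would come from the endpoint agent's code-signature evaluation rather than from a field in the event.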
Another module installed during the attack is sh.py, a Python implant used as a conduit for delivering further post-exploitation tools such as Swiftbelt.
macOS users should avoid downloading files or programs from untrusted sources, keep the system and applications up to date, and run reliable endpoint protection. None of these measures is sufficient on its own: the xcc binary in this case was deliberately signed to look like a macOS security component, so organizations should also monitor process telemetry for self-signed binaries impersonating Apple components and for unexpected child processes of developer tools such as IDEs and terminal emulators.