JokerSpy is a new spyware threat for Apple macOS systems


The researchers uncovered the details of the malicious operation and found several instances of malware at once.

Bitdefender specialists discovered a set of malware that is part of a sophisticated toolkit targeting Apple macOS systems.

“At the moment, these samples are almost undetectable and very little information is available about them,” the company’s researchers said.

The experts found and analyzed four different malware samples that were uploaded to VirusTotal by an unknown victim. The earliest sample was uploaded on April 18 this year.

Some of the samples found are generic Python-based backdoors designed to attack Windows, Linux and macOS systems. The malware payloads are collectively known as JokerSpy. Let’s take a closer look at the macOS variant of the malware.

The first component of the malware is named “shared.dat”. Once launched, it checks the operating system and communicates with a remote server to obtain the correct version of the payload, as well as additional execution instructions.

On macOS devices, the Base64-encoded content received from the server is written to a file named “/Users/Shared/AppleAccount.tgz”, which is then unpacked and run as the application “/Users/Shared/TempUser/AppleAccountAssistant.app”.

The second component is a powerful backdoor, a file labeled “sh.py”. It has a rich set of capabilities for gathering system metadata, listing, exfiltrating and deleting files, and executing arbitrary commands.

The third component is the “xcc.fat” binary, written in Swift and targeted at macOS Monterey (version 12) and newer. The file is a universal (fat) binary containing two Mach-O files for two processor architectures: Intel x86 and ARM (Apple M1). The main purpose of the component seems to be simply to check that the required permissions are present before the spy component itself is enabled.

“These files are likely part of a more sophisticated attack. On the system we investigated, several important files needed to determine the full picture of the attack appear to be missing.”

The association of “xcc” with spyware stems from a path found in the contents of the file, “/Users/joker/Downloads/Spy/XProtectCheck/”, and from the fact that it checks for permissions such as full disk access, screen recording, and accessibility.
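As an added example (not code from the article or from Bitdefender), the following Python helper shows how a defender can triage a file like xcc.fat: it parses the fat Mach-O header to list the architecture slices and reports which of the paths named in this article the file embeds. The sample binary it builds is constructed for the demonstration and is not the real malware; the fat-header layout (big-endian magic, slice count, then 20-byte fat_arch records) is the standard Mach-O format.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # fat/universal Mach-O magic, big-endian
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
# Paths quoted in the article; a constructed watch list, not a full IoC set.
PATH_INDICATORS = [b"/Users/joker/Downloads/Spy/XProtectCheck/",
                   b"/Users/Shared/AppleAccount.tgz",
                   b"/Users/Shared/TempUser/AppleAccountAssistant.app"]

def parse_fat_arches(data):
    """Return the CPU architecture names of the slices in a fat Mach-O.
    Returns [] when the data is not a fat binary."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    if nfat > 32:            # Java .class files share this magic; real fat headers have few slices
        return []
    arches = []
    for i in range(nfat):
        rec = data[8 + 20 * i: 28 + 20 * i]
        cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", rec)
        if offset + size > len(data):
            raise ValueError("slice %d extends past end of file" % i)
        arches.append(CPU_NAMES.get(cputype, hex(cputype)))
    return arches

def triage(data):
    """Summarise architectures and embedded watch-list paths for one file's bytes."""
    return {"arches": parse_fat_arches(data),
            "indicators": [p.decode() for p in PATH_INDICATORS if p in data]}

def build_sample():
    """Constructed two-slice fat binary (x86_64 + arm64) embedding the xcc path."""
    slice_a = b"\xcf\xfa\xed\xfe" + b"\x00" * 60                   # MH_MAGIC_64 + padding
    slice_b = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + PATH_INDICATORS[0] + b"\x00"
    off_a = 8 + 2 * 20                                             # header + two fat_arch records
    off_b = off_a + len(slice_a)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", 0x01000007, 3, off_a, len(slice_a), 12)
    header += struct.pack(">IIIII", 0x0100000C, 0, off_b, len(slice_b), 14)
    return header + slice_a + slice_b

if __name__ == "__main__":
    print(triage(build_sample()))
```

To run it on a real suspect file, pass `open(path, "rb").read()` to `triage`; a non-empty `indicators` list or an unexpected universal binary in a user-writable location is a reason to escalate, not a verdict on its own.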

The identity of the attackers behind this malicious operation is still unknown. It is also currently unclear how initial access was obtained and whether it involved social engineering or a targeted phishing email.

Since these malicious tools are poorly detected by antivirus solutions, macOS users are advised to be vigilant and not to download suspicious applications from unofficial sources.
