Rewterz Threat Alert – JokerSpy Backdoors and Spyware Target Apple macOS Systems – Active IOCs

June 20, 2023

Severity

High

Analysis Summary

Cybersecurity researchers have recently uncovered a sophisticated toolkit specifically designed to target Apple macOS systems, revealing a concerning threat to Mac users’ security. The toolkit, which has been largely undetected so far, consists of malicious artifacts that have been analyzed by experts.

The analysis is based on four samples that were uploaded to VirusTotal by an unidentified victim. The earliest sample dates back to April 18, 2023, indicating that this threat has been active for several months without significant detection.

Among the malicious programs identified, two Python-based backdoors have been dubbed JokerSpy. These backdoors are capable of targeting not only macOS but also Windows and Linux systems, making the threat more versatile and dangerous. The backdoors share a common component called shared.dat, which performs an operating system check upon execution. Based on the check result (0 for Windows, 1 for macOS, and 2 for Linux), shared.dat establishes contact with a remote server to retrieve additional instructions for execution.

On macOS devices, the backdoor writes Base64-encoded content to a file named “/Users/Shared/AppleAccount.tgz,” which is then unpacked and launched as the “/Users/Shared/TempUser/AppleAccountAssistant.app” application. This allows the threat actors to gather system information, execute commands, download and run files on the victim’s machine, and terminate itself to avoid detection.

Linux systems, on the other hand, undergo a different routine. The backdoor validates the operating system distribution by checking the “/etc/os-release” file. It then proceeds to write C code to a temporary file called “tmp.c,” which is compiled to a file named “/tmp/.ICE-unix/git” using the cc command on Fedora and gcc on Debian.
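The macOS and Linux staging paths described above give a defender concrete things to look for. The following is an added example, not code from the advisory or from the JokerSpy samples: it checks a host (or a mounted image) for the file-system artifacts named in the text and flags process command lines that match the Linux compile step or the macOS app launch. The process log is constructed sample data, and matching Python invocations of shared.dat by file name is a heuristic assumed here, since the advisory does not state where that file lives.

```python
import os

# File-system artifacts named in the advisory (macOS and Linux stages).
JOKERSPY_PATHS = [
    "/Users/Shared/AppleAccount.tgz",
    "/Users/Shared/TempUser/AppleAccountAssistant.app",
    "/tmp/.ICE-unix/git",
]

def check_host_artifacts(root="/"):
    """Return the advisory paths that exist under root (live system or image)."""
    found = []
    for path in JOKERSPY_PATHS:
        if os.path.lexists(os.path.join(root, path.lstrip("/"))):
            found.append(path)
    return found

def flag_process_event(cmdline):
    """Classify one process command line; return a reason string or None."""
    argv = cmdline.split()
    if not argv:
        return None
    exe = os.path.basename(argv[0])
    # Linux stage: cc/gcc turning tmp.c into /tmp/.ICE-unix/git. That
    # directory normally holds X11 session sockets, never a built binary.
    if exe in ("cc", "gcc") and (
        "/tmp/.ICE-unix/git" in argv or any(a.endswith("tmp.c") for a in argv)
    ):
        return "compiler writing JokerSpy Linux stage"
    # macOS stage: the unpacked app bundle, or (heuristic) Python running shared.dat.
    if any("AppleAccountAssistant.app" in a for a in argv):
        return "AppleAccountAssistant.app launched"
    if exe.startswith("python") and any(a.endswith("shared.dat") for a in argv):
        return "python loading shared.dat"
    return None

def scan_process_log(lines):
    """Return (line_no, reason) for each flagged line of a process log."""
    flagged = ((n, flag_process_event(l)) for n, l in enumerate(lines, 1))
    return [(n, r) for n, r in flagged if r]

# Constructed sample process-execution log, one command line per entry.
SAMPLE_LOG = [
    "/usr/bin/gcc -Wall -o /home/dev/build/app main.c",
    "/usr/bin/gcc -o /tmp/.ICE-unix/git /tmp/tmp.c",
    "/usr/bin/python3 /Users/Shared/shared.dat",
    "/usr/bin/open /Users/Shared/TempUser/AppleAccountAssistant.app",
]
```

Run `check_host_artifacts()` on the live system, or pass a mount point to check a disk image; feed EDR or auditd command lines into `scan_process_log`.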

Additionally, Bitdefender discovered a more potent backdoor named “sh.py” among the analyzed samples. This backdoor possesses an extensive set of capabilities, including system metadata gathering, file enumeration, file deletion, command and file execution, and encoded data exfiltration in batches. Its versatility and wide range of functionalities make it a particularly dangerous component of the toolkit.

The researchers also identified a third component called xcc, which is a FAT binary written in Swift. This component specifically targets macOS Monterey (version 12) and newer. xcc is responsible for checking permissions before using potential spyware components, although the spyware component itself was not found in the analyzed samples. This suggests that the toolkit may be part of a more complex attack, with additional files missing from the investigated system.

As of now, the identity of the threat actors behind this toolkit remains unknown, as does the method of initial access. It is unclear whether the attackers rely on social engineering techniques or spear-phishing to gain initial entry into target systems.

This discovery serves as a significant reminder that macOS systems are not immune to sophisticated cyberattacks. Mac users should remain vigilant and ensure they have robust security measures in place to protect their devices and data. The continuous evolution of threats targeting Apple platforms highlights the importance of regular software updates, strong security software, and cautious online behavior to mitigate the risk of falling victim to such attacks.

Impact

  • Unauthorized access
  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Emails from unknown senders should always be treated with caution.
  • Never trust or open links and attachments received from unknown sources/senders.
  • Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
  • Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
  • Change your passwords: If you suspect that your passwords may have been compromised, it is important to change them immediately. Use strong, unique passwords for each account and enable two-factor authentication wherever possible.
  • Disable any suspicious processes: Use the Windows Task Manager to check for any suspicious processes running on your system and disable them. Look for any processes that are using a lot of CPU or memory resources or that you don’t recognize.
  • Stay vigilant: Keep an eye out for any suspicious activity on your system and avoid downloading or opening any suspicious files or links.
