Security researchers at Bitdefender have uncovered a toolkit of malicious artifacts built to target Apple macOS systems, one that has so far attracted little detection. The analysis is based on four samples that an unidentified victim uploaded to VirusTotal; the earliest was submitted on April 18, 2023, indicating that the toolkit had been in use for some time before it drew attention.
Two of the samples are generic Python-based backdoors, collectively dubbed JokerSpy, that contain code paths for Windows and Linux as well as macOS. The first of these is a script called shared.dat. On execution it classifies the host operating system (0 for Windows, 1 for macOS, 2 for Linux) and then contacts a remote server to retrieve further instructions to execute.
On macOS, shared.dat writes Base64-decoded content to a file named “/Users/Shared/AppleAccount.tgz,” unpacks it, and launches the result as the “/Users/Shared/TempUser/AppleAccountAssistant.app” application. This gives the operators the ability to gather system information, execute commands, download and run files on the victim’s machine, and terminate the backdoor.
On Linux the routine differs. The backdoor identifies the distribution by reading “/etc/os-release,” writes C source to a temporary file called “tmp.c,” and compiles it to “/tmp/.ICE-unix/git” using the cc command on Fedora and gcc on Debian. The choice of directory is deliberate: /tmp/.ICE-unix normally holds only X11 session sockets, so a binary dropped there blends in with ordinary desktop clutter.
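The paths above are the most concrete indicators the analysis offers, so a practical first step is to sweep a host for them. The following script is an added example written for this page, not Bitdefender’s tooling or anything from the samples: it checks the macOS and Linux artifact paths the analysis names and, as a heuristic that goes beyond the specific sample, flags any regular file (not a socket) inside /tmp/.ICE-unix. The `build_sample_root()` helper constructs a throwaway directory tree with fake artifacts purely so the script can be exercised offline; the fake ELF header and gzip bytes in it are constructed, not taken from the malware.

```python
"""Hunt for the JokerSpy file-system artifacts described in the analysis.

Added example for this page; not Bitdefender's tooling. Run as root to cover /Users/Shared
and /tmp on a live host, or point hunt() at a mounted evidence image.
"""
import os
import stat
import tempfile
from pathlib import Path

# Artifact paths from the analysis, relative to the filesystem root.
KNOWN_ARTIFACTS = {
    "Users/Shared/AppleAccount.tgz": "shared.dat macOS payload archive",
    "Users/Shared/TempUser/AppleAccountAssistant.app": "unpacked macOS payload bundle",
    "tmp/.ICE-unix/git": "compiled Linux payload",
}
ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b"


def hunt(root="/"):
    """Return a sorted list of (path, reason) for every suspicious artifact under root."""
    root = Path(root)
    hits = []
    for rel, what in KNOWN_ARTIFACTS.items():
        p = root / rel
        if p.is_symlink() or p.exists():
            hits.append((str(p), "known JokerSpy path: " + what))

    # Heuristic beyond the sample: /tmp/.ICE-unix legitimately contains only X11 ICE
    # unix-domain sockets, so any regular file there, whatever its name, deserves a look.
    ice = root / "tmp" / ".ICE-unix"
    if ice.is_dir():
        for child in ice.iterdir():
            if not stat.S_ISREG(child.lstat().st_mode):
                continue
            try:
                with child.open("rb") as fh:
                    magic = fh.read(4)
            except OSError:
                magic = b""
            kind = "ELF binary" if magic == ELF_MAGIC else "regular file"
            hits.append((str(child), f"{kind} in socket-only directory"))
    return sorted(set(hits))


def build_sample_root():
    """Create a constructed directory tree with fake artifacts (demo fixture, not real malware)."""
    base = Path(tempfile.mkdtemp(prefix="jokerspy-demo-"))
    (base / "Users" / "Shared").mkdir(parents=True)
    # Constructed: a gzip magic followed by padding stands in for the real archive.
    (base / "Users" / "Shared" / "AppleAccount.tgz").write_bytes(GZIP_MAGIC + b"\x08" + b"\0" * 16)
    ice = base / "tmp" / ".ICE-unix"
    ice.mkdir(parents=True)
    # Constructed: a minimal fake ELF header where the compiled Linux payload would sit.
    (ice / "git").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)
    os.chmod(ice / "git", 0o755)
    return base


if __name__ == "__main__":
    for path, reason in hunt(build_sample_root()):
        print(f"[demo] {path}: {reason}")
    for path, reason in hunt("/"):
        print(f"[host] {path}: {reason}")
```

Run it as root (or against a mounted image via `hunt("/mnt/evidence")`); the demo tree produces three findings, one for the archive and two for the fake binary, because the binary matches both the known path and the socket-directory heuristic. Absence of hits does not clear a host: the analysis itself notes that components were missing from the investigated system.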
The second Python backdoor, “sh.py,” is more capable. It can gather system metadata, enumerate and delete files, execute commands and files, and exfiltrate encoded data in batches, which makes it the most dangerous component among the analyzed samples.
The researchers also identified a third component, xcc, a universal (FAT) binary written in Swift that targets macOS Monterey (version 12) and newer. xcc checks which privacy permissions have already been granted, apparently on behalf of a spyware component that would rely on them, although no such component was among the analyzed samples. This suggests the toolkit is part of a larger attack, with additional files missing from the investigated system.
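A permission check like the one xcc performs is only useful to an attacker if the grants exist, which makes the TCC database a good place for defenders to look for unexpected ones. The script below is an added example for this page, not xcc and not Bitdefender’s code. It assumes the macOS 11 and later TCC schema, where the `access` table carries `service`, `client` and `auth_value` columns and `auth_value` 2 means allowed; the three services it treats as sensitive (Accessibility, Screen Recording, Full Disk Access) are my choice of what a spyware component would need, not a list from the analysis. The `build_sample_db()` fixture and every bundle identifier in it are constructed for the demo.

```python
"""Audit TCC grants for apps holding permissions a spyware component would need.

Added example for this page, not xcc or Bitdefender's tooling. Assumes the macOS 11+
TCC schema (access.auth_value == 2 means allowed).
"""
import sqlite3
import tempfile
from pathlib import Path

# Assumed: TCC service identifiers for the grants a screen/keyboard/file harvester needs.
SENSITIVE_SERVICES = {
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
}
AUTH_ALLOWED = 2  # assumed: auth_value meaning "allowed" in the macOS 11+ schema
USER_TCC_DB = Path.home() / "Library" / "Application Support" / "com.apple.TCC" / "TCC.db"
SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")


def audit_tcc(db_path, allowlist=()):
    """Return sorted (client, permission) pairs for sensitive grants outside the allowlist."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT service, client FROM access WHERE auth_value = ?", (AUTH_ALLOWED,)
        ).fetchall()
    finally:
        con.close()
    findings = []
    for service, client in rows:
        if service in SENSITIVE_SERVICES and client not in allowlist:
            findings.append((client, SENSITIVE_SERVICES[service]))
    return sorted(findings)


def build_sample_db():
    """Constructed TCC.db with only the columns this audit reads; every row is made up."""
    path = Path(tempfile.mkdtemp(prefix="tcc-demo-")) / "TCC.db"
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER);
        INSERT INTO access VALUES ('kTCCServiceScreenCapture', 'us.zoom.xos', 0, 2);
        INSERT INTO access VALUES ('kTCCServiceAccessibility', 'com.example.unknown-helper', 0, 2);
        INSERT INTO access VALUES ('kTCCServiceSystemPolicyAllFiles', 'com.example.unknown-helper', 0, 2);
        INSERT INTO access VALUES ('kTCCServiceCamera', 'com.example.unknown-helper', 0, 2);
        INSERT INTO access VALUES ('kTCCServiceScreenCapture', 'com.example.denied', 0, 0);
        """
    )
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    # Constructed data: a known conferencing client is allowlisted, an unknown helper is not.
    for client, perm in audit_tcc(build_sample_db(), allowlist={"us.zoom.xos"}):
        print(f"[demo] {client}: {perm}")
    for db in (USER_TCC_DB, SYSTEM_TCC_DB):
        try:
            for client, perm in audit_tcc(db):
                print(f"[host] {client}: {perm}")
        except sqlite3.OperationalError as exc:
            print(f"[host] cannot read {db}: {exc}")
```

Reading the real databases needs Full Disk Access for the process doing the reading (a Terminal with FDA, or an MDM or EDR agent that already has it); without it the connection fails rather than returning partial results. Treat an Accessibility or Screen Recording grant to a client you cannot account for as a lead, not a verdict: the analysis found the permission checker but not the component that would have used the grants.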
The identity of the operators remains unknown, as does the initial access vector; the samples do not show whether victims were reached through social engineering, spear-phishing, or some other route.
This discovery is a reminder that macOS is not immune to targeted attacks. Mac users and administrators should keep systems patched, run security software that covers macOS, review which applications hold privacy permissions, and treat unexpected archives or applications in shared locations such as /Users/Shared with suspicion.