JokerSpy macOS Malware

macOS is reported to be one of the most secure operating systems. As of the beginning of 2023, there are over 100 million macOS devices worldwide. Due to its popularity, threat actors have recently begun to target macOS devices.

Based on the recent reports from SentinelOne, Bitdefender and Elastic, a new type of macOS malware is in the wild, exploiting multiple macOS devices in organisations. The number of victims of this malware is yet to be confirmed.

This malware is capable of supporting active adversary deployment, provides a backdoor, and is a form of open-source reconnaissance. It is a multi-platform tool and is capable of macOS exploitation.

JokerSpy – Multi-Stage macOS Malware

The initial phase of compromise by this malware is still being investigated. As per the current reports, the initial compromise was found to be linked to a trojanized QR generator in a file that hides inside an open-source QR project.

Once the host OS is detected, the malware decodes an embedded base64 blob, which is written to the temporary directory and executed there. This decoded file handles communication with the C2 (Command and Control) server at hxxps://git-hub[.]me/view/php.

Image: Base64 blob in the Java file. Source: SentinelOne
Image: C2 (Command & Control) server. Source: SentinelOne
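
A defender-side review check for the pattern described above, as an added example (not code from the article or the cited vendors): it scans source text for long base64 string literals and flags those that decode to script-like content or contain the C2 domain named in the article. The length threshold, the trait list, and the `QrHelper` sample source are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Defanged indicator as printed in the article; refanged in memory only for matching.
C2_DOMAIN = "git-hub[.]me".replace("[.]", ".")

# Quoted literals holding 40+ base64 characters (threshold is an assumption).
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
# Byte patterns suggesting the decoded blob is a script stage (assumed heuristic list).
SCRIPT_TRAITS = (b"#!/", b"subprocess", b"socket", b"https://", b"http://")


def scan_source(text):
    """Return one finding per base64 literal that decodes to script-like content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in B64_LITERAL.finditer(line):
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, so not an embedded payload
            traits = [t.decode() for t in SCRIPT_TRAITS if t in decoded]
            known_c2 = C2_DOMAIN.encode() in decoded
            if traits or known_c2:
                findings.append({"line": lineno, "decoded_bytes": len(decoded),
                                 "traits": traits, "known_c2": known_c2})
    return findings


def build_sample():
    """Constructed Java-like source: one harmless script blob, one image-like blob."""
    script = f"#!/usr/bin/env python3\n# constructed sample\nURL = 'https://{C2_DOMAIN}/view/php'\n"
    image = b"\x89PNG\r\n\x1a\n" + bytes(40)
    return "\n".join([
        "public class QrHelper {",
        f'    static final String ICON = "{base64.b64encode(image).decode()}";',
        f'    static final String STAGE = "{base64.b64encode(script.encode()).decode()}";',
        "}",
    ])


if __name__ == "__main__":
    for finding in scan_source(build_sample()):
        print(finding)
```

The check works line by line, so a blob split across concatenated string literals would need to be joined before scanning.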

The malware acts depending on the response from the C2 server and also creates a p.dat file and an executable file that provides the reverse shell for the attacker. In addition to this, the malware also creates two other backdoor files shared.dat and

According to the investigations, the following data is sent to the attacker at regular intervals.

  • Current Working Directory
  • Username
  • Hostname
  • Domain Name
  • OS Version
  • Python Version
  • Path to 

JokerSpy | macOS Spyware stage

On further analysis, a component was discovered to be only for macOS. A file is hidden under the name “xcc” that uses the Launch Services Identifier This file executes on both Intel and Apple silicon architectures.

This file is capable of collecting the following information, which is far more sophisticated than what a normal attacker would collect. The analysis shows that the attacker not only wants to infiltrate the system but also wants to study the behavioural pattern of the victim for further exploitation. The data includes:

  • Device Idle Time
  • Active (Frontmost) App
  • Screen Status (Locked or unlocked)
  • Full Disk access of the active app
  • Screen recording permissions of the active app
  • Accessibility permission of the active app

Image: SystemIdleTime() function. Source: SentinelOne

Image: The file uses IOServiceMatching(), which is now IOHIDSystem, to query the system idle time since the last mousepad, trackpad, or keyboard use.


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security under his belt, he reports on data breaches, privacy and APT threats.