
JokerSpy – Multi-Stage macOS Malware Attacking Organisations Worldwide

macOS is reported to be one of the most secure operating systems. As of the beginning of 2023, there are over 100 million macOS devices worldwide. Because of this popularity, threat actors have recently begun to target macOS devices.

According to recent reports from SentinelOne, Bitdefender and Elastic, a new type of macOS malware is in the wild and has compromised multiple macOS devices inside organisations. The number of victims of this malware is yet to be confirmed.

The malware provides an active adversary deployment and a backdoor, and it is built from open-source reconnaissance tooling. It is a multi-platform tool that also carries macOS-specific exploitation capabilities.

JokerSpy – Multi-Stage macOS Malware

The initial phase of compromise is still being investigated. According to current reports, initial access is linked to a trojanized QR code generator: a file named QRWriter.java hidden inside an open-source QR project.

Once the host OS is detected, the malware decodes an embedded base64 blob, writes it to the temporary directory and executes it. This decoded file handles communication with the C2 (Command and Control) server at hxxps://git-hub[.]me/view/php.

Image: Base64 blob in the Java file. Source: SentinelOne

Image: C2 (Command & Control) server. Source: SentinelOne

The malware's next actions depend on the response from the C2 server. It also creates a p.dat file and a prefTemp.java executable that provides the attacker with a reverse shell, along with two further backdoor files, shared.dat and sh.py.

According to the investigations, the following data is sent to the attacker at regular intervals:

  • Current Working Directory
  • Username
  • Hostname
  • Domain Name
  • OS Version
  • Python Version
  • Path to sh.py

JokerSpy | macOS Spyware stage

Further analysis uncovered a component intended only for macOS: a file hidden under the name “xcc” that uses the Launch Services identifier com.apple.xprotectcheck. It runs on both Intel and Apple silicon architectures.

This file collects the following information, which goes well beyond what a typical attacker gathers. The analysis suggests that the attacker wants not only to infiltrate the system but also to study the victim's behaviour patterns for further exploitation. The data includes:

  • Device Idle Time
  • Active (Frontmost) App
  • Screen Status (Locked or unlocked)
  • Full Disk access of the active app
  • Screen recording permissions of the active app
  • Accessibility permission of the active app

Image: SystemIdleTime() function. Source: SentinelOne

Image: The file uses IOServiceMatching(), now IOHIDSystem, to query the system idle time since the last mouse, trackpad, or keyboard use.
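As an added illustration of how a defender might hunt for the artefacts named in this report (my own example, not code from SentinelOne, Bitdefender or Elastic), the script below scans a directory for the dropped file names, the spoofed Launch Services identifier, and plain or base64-embedded references to the C2 host. The function names, the refanged host string, the long-base64-literal heuristic and the sample directory it builds are all my assumptions, and the sample files are constructed stubs, not malware.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicator names quoted in the article; everything else in this script is an assumption.
DROPPED_FILES = {"QRWriter.java", "p.dat", "prefTemp.java", "shared.dat", "sh.py", "xcc"}
C2_HOST = "git-hub.me"                      # refanged from hxxps://git-hub[.]me
SPOOFED_LS_ID = "com.apple.xprotectcheck"   # Apple-looking identifier used by the xcc binary
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')  # long base64 string literal

def inspect_text(text):
    """Return the reasons a file's contents look JokerSpy-related (empty if clean)."""
    reasons = []
    if C2_HOST in text.lower():
        reasons.append("c2-host")
    if SPOOFED_LS_ID in text:
        reasons.append("spoofed-ls-id")
    # QRWriter.java hides its second stage as a base64 blob, so decode long literals too.
    for blob in B64_LITERAL.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:
            continue
        reasons.append("embedded-base64")
        if C2_HOST in decoded.lower():
            reasons.append("c2-host-in-blob")
    return reasons

def scan_tree(root):
    """Walk root and return (file name, reason) pairs for every hit."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name in DROPPED_FILES:
            findings.append((path.name, "dropped-file-name"))
        text = path.read_bytes().decode("utf-8", "ignore")
        findings.extend((path.name, reason) for reason in inspect_text(text))
    return findings

def build_sample_tree():
    """Create a constructed directory that mimics the dropped files (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="jokerspy_demo_"))
    blob = base64.b64encode(b"# constructed stub that would contact https://git-hub.me/view/php").decode()
    (root / "QRWriter.java").write_text(f'String payload = "{blob}";\n')
    (root / "sh.py").write_text("# constructed placeholder for the sh.py backdoor\n")
    (root / "README.txt").write_text("benign project file\n")
    return str(root)
```

Running scan_tree(build_sample_tree()) flags QRWriter.java three times (dropped name, embedded base64, C2 host inside the decoded blob) and sh.py once, while README.txt produces no finding.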


Eswar

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.
