Bitdefender Discovers Cross-Platform Malware Toolkit Targeting macOS Devices
Bitdefender researchers have discovered a set of malicious artifacts that are part of a complex cross-platform toolkit, including one that targets macOS devices. The researchers’ analysis is based on the study of several malware samples that were uploaded to VirusTotal by an unnamed victim.
Malware Samples
The earliest sample is dated April 18, 2023 and is still poorly detected by security solutions. Two of the detected samples are simple backdoors written in Python and built to run on Windows, Linux and macOS. These payloads are collectively referred to as JokerSpy in the Bitdefender report.
The first malware is the shared.dat file, which, after being launched, checks the operating system (0 for Windows, 1 for macOS, and 2 for Linux) and contacts the attackers’ server for additional instructions. These instructions may include collecting information about the system, executing commands, downloading and executing files on the victim’s machine, and shutting down.
On macOS devices, base64 encoded content received from the server is written to the /Users/Shared/AppleAccount.tgz file, which is subsequently unpacked and launched as the /Users/Shared/TempUser/AppleAccountAssistant.app application.
On Linux hosts the process is almost the same: the malware identifies the distribution by reading /etc/os-release, writes C source to a temporary tmp.c file, and compiles it to /tmp/.ICE-unix/git, invoking cc on Fedora and gcc on Debian.
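The macOS and Linux drop locations above are the most concrete host-level indicators the write-up gives. The script below is an added example (not Bitdefender's code) that checks a host for those exact paths. It goes one step beyond the write-up with a heuristic that is this example's own assumption: /tmp/.ICE-unix is the directory the X11 ICE library uses for Unix sockets, so any regular file in it, whatever it is named, is anomalous and worth a look. The scratch-tree self-check plants constructed files so the logic can be exercised without touching a real host.

```python
"""Host check for the JokerSpy file-system artifacts quoted in the write-up.

Added example, not Bitdefender's code. Only the artifact paths come from the
write-up; the /tmp/.ICE-unix "regular files are anomalous" rule is this
example's own assumption.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

# Paths named in the write-up, stored relative to the filesystem root so the
# same scan can be pointed at a scratch tree for testing.
MACOS_ARTIFACTS = (
    "Users/Shared/AppleAccount.tgz",
    "Users/Shared/TempUser/AppleAccountAssistant.app",
)
LINUX_ARTIFACTS = (
    "tmp/.ICE-unix/git",
)
ALL_ARTIFACTS = MACOS_ARTIFACTS + LINUX_ARTIFACTS


def find_known_artifacts(root="/"):
    """Return the write-up's artifact paths that exist under `root`."""
    root = Path(root)
    return [rel for rel in ALL_ARTIFACTS if (root / rel).exists()]


def regular_files_in_ice_dir(root="/"):
    """Assumption: /tmp/.ICE-unix normally holds only Unix sockets created by
    the ICE library, so a regular file there (e.g. a compiled binary) is
    suspicious regardless of its name. Uses lstat so symlinks are not followed."""
    root = Path(root)
    ice_dir = root / "tmp" / ".ICE-unix"
    if not ice_dir.is_dir():
        return []
    hits = []
    for entry in ice_dir.iterdir():
        try:
            mode = os.lstat(entry).st_mode
        except OSError:
            continue  # entry vanished or is unreadable; skip it
        if stat.S_ISREG(mode):
            hits.append(str(entry.relative_to(root)))
    return sorted(hits)


def scan(root="/"):
    """Run both checks and return a report keyed by check name."""
    return {
        "known_artifacts": find_known_artifacts(root),
        "unexpected_ice_files": regular_files_in_ice_dir(root),
    }


def scan_constructed_tree():
    """Self-check on a constructed scratch tree (no real host is touched):
    plants the macOS tarball and the Linux binary, leaves the .app absent,
    and adds a non-regular entry in .ICE-unix that must NOT be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Users" / "Shared").mkdir(parents=True)
        (root / "Users" / "Shared" / "AppleAccount.tgz").write_bytes(b"constructed tgz")
        ice_dir = root / "tmp" / ".ICE-unix"
        ice_dir.mkdir(parents=True)
        (ice_dir / "git").write_bytes(b"\x7fELF constructed")
        # Real ICE entries are sockets; a symlink stands in for a non-regular
        # file here because it is portable to create in a scratch tree.
        (ice_dir / "1234").symlink_to("no-such-target")
        return scan(root)


if __name__ == "__main__":
    # Usage: python jokerspy_check.py [root]   (root defaults to "/")
    report = scan(sys.argv[1] if len(sys.argv) > 1 else "/")
    for check, paths in report.items():
        for rel in paths:
            print(f"{check}: /{rel}")
    sys.exit(1 if any(report.values()) else 0)
```

Presence of a path is only a starting point: /Users/Shared is a legitimate directory, so the scan is meant to flag hosts for triage (file hashes, timestamps, the launching process), not to classify them on its own.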
More Powerful Backdoor
Experts have also found a “more powerful backdoor” – the sh.py file, which has an extensive set of capabilities for collecting system metadata, searching and deleting files, executing commands and files received from operators, and stealing data.
Another sample is a FAT (universal) binary named “xcc”, written in Swift and intended for macOS Monterey (version 12) and newer. The file contains two Mach-O slices, one for Intel x86 and one for ARM (Apple M1). Its main purpose appears to be checking permissions before a spyware component is used, but it does not itself contain a spyware component.
Experts believe that xcc is related to some kind of spyware, based on the /Users/joker/Downloads/Spy/XProtectCheck/ path seen in the file’s contents and on the fact that it checks permissions such as Disk Access, Screen Recording and Accessibility.
Unknown Attackers
It is still unclear who is behind the detected malware, since even the initial infection vector is unknown. Social engineering or spear phishing is assumed to be the most likely delivery method.