New High-Tech Toolkit Targeting macOS Systems Recently Discovered by Researchers
A sophisticated toolkit aimed at Apple macOS systems has been discovered by cybersecurity researchers, who have identified a collection of malicious artifacts associated with it.
As of now, these samples are still largely undetected, and very little information is available about any of them.
The report by the Romanian company Bitdefender is based on the examination of four samples that were uploaded to VirusTotal by an unidentified victim. The samples were first submitted on April 18, 2023.
Two of the malicious programs found are generic Python-based backdoors meant to attack Windows, Linux, and macOS-based systems. JokerSpy is the aggregate name for these payloads.
Upon execution, the first component, shared.dat, checks the operating system (0 for Windows, 1 for macOS, and 2 for Linux). After that, it opens a connection to a remote server to fetch further instructions to run.
The toolkit encompasses various functionalities, including the collection of system information, execution of commands, downloading and executing files on the targeted machine, and self-termination.
For macOS devices, the toolkit writes Base64-encoded content obtained from the server to a file named “/Users/Shared/AppleAccount.tgz”. This file is subsequently unpacked and launched as the “/Users/Shared/TempUser/AppleAccountAssistant.app” application.
On Linux systems, a similar process is followed, where the toolkit verifies the operating system distribution by checking the “/etc/os-release” file. It then proceeds to write C code to a temporary file named “tmp.c,” which is compiled using the cc command on Fedora and gcc on Debian. The compiled file is saved as “/tmp/.ICE-unix/git”.
A program called “sh.py” that has a wide range of capabilities, including the ability to acquire system metadata, enumerate files, delete files, execute commands and files, and exfiltrate encoded data in batches, was identified by Bitdefender as a “more potent backdoor” among the samples.
A FAT binary called xcc, built in Swift and intended for macOS Monterey (version 12) and newer, is the third component. The file contains two Mach-O files, one for the x86 Intel CPU architecture and one for the ARM M1 CPU architecture.
Its primary purpose is apparently to check permissions before using a potential spyware component (probably to capture the screen), but it does not include the spyware component itself. This leads us to believe that these files are part of a more complex attack and that several files are missing from the system we investigated.
The fact that it is tied to a specific path, “/Users/joker/Downloads/Spy/XProtectCheck/”, raises questions about the spyware’s purpose. Additionally, it checks for permissions pertaining to accessibility, screen recording, and disk access.
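The file paths and the Linux compile step described above are the concrete artifacts a defender can hunt for. The following is an added example, not code from Bitdefender’s report: it checks an inventory of observed paths and constructed audit-log lines against those indicators, and can also look for the paths on a live host. The sample paths and log lines are constructed for illustration, and the audit-line format is an assumption.

```python
import os
import re

# File-system artifacts named in the report (paths quoted on this page)
JOKERSPY_PATHS = (
    "/Users/Shared/AppleAccount.tgz",
    "/Users/Shared/TempUser/AppleAccountAssistant.app",
    "/tmp/.ICE-unix/git",
    "/Users/joker/Downloads/Spy/XProtectCheck/",
)

# Linux stage: "tmp.c" compiled with cc (Fedora) or gcc (Debian) into /tmp/.ICE-unix/git
COMPILE_RE = re.compile(r"\b(cc|gcc)\b.*\btmp\.c\b.*-o\s*/tmp/\.ICE-unix/git\b")


def match_artifacts(observed_paths):
    """Return the known JokerSpy paths present in an iterable of observed paths."""
    known = {p.rstrip("/") for p in JOKERSPY_PATHS}
    return sorted({p for p in observed_paths if p.rstrip("/") in known})


def suspicious_compile_lines(log_lines):
    """Return log lines whose command matches the tmp.c -> /tmp/.ICE-unix/git compile."""
    return [line for line in log_lines if COMPILE_RE.search(line)]


def scan_host(root="/"):
    """Live check: which known artifact paths exist under root (use another root for tests)."""
    hits = []
    for p in JOKERSPY_PATHS:
        candidate = os.path.join(root, p.lstrip("/"))
        if os.path.exists(candidate):
            hits.append(p)
    return hits


# Constructed sample data (not real telemetry) to exercise the checks
SAMPLE_PATHS = [
    "/Users/Shared/AppleAccount.tgz",
    "/Users/alice/Documents/notes.txt",
    "/tmp/.ICE-unix/git",
]
SAMPLE_AUDIT = [
    "uid=1000 cmd=gcc tmp.c -o /tmp/.ICE-unix/git",
    "uid=1000 cmd=gcc hello.c -o /tmp/hello",
    "uid=0 cmd=cc tmp.c -o /tmp/.ICE-unix/git",
]

if __name__ == "__main__":
    print(match_artifacts(SAMPLE_PATHS))
    print(suspicious_compile_lines(SAMPLE_AUDIT))
    print(scan_host())
```

A hit on any of these paths is a strong signal only in combination with the permission checks and network behaviour described on this page, since the compile target and the Shared folder are otherwise legitimate locations.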
It is still uncertain which threat actors are behind this campaign. It is also unknown how initial access is gained, or whether spear-phishing or social engineering techniques are used.
This announcement comes in the wake of Kaspersky’s previous admission that iOS devices were a target of Operation Triangulation, a sophisticated and widespread mobile campaign that started in 2019.