Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems


June 19, 2023 | Ravie Lakshmanan | Endpoint Security / Hacking


Cybersecurity researchers have uncovered a batch of malicious artifacts they believe are part of a sophisticated toolkit targeting Apple macOS systems.

“Until now, most of these samples remained undetected and very little information was available about any of them,” Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday.

The Romanian company’s analysis is based on examining four samples uploaded to VirusTotal by an unnamed victim. The earliest sample is from April 18, 2023.

Two of the three malicious programs are said to be generic Python-based backdoors designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed JokerSpy.

The first component is shared.dat, which, once launched, checks which operating system it is running on (0 for Windows, 1 for macOS, and 2 for Linux) and contacts a remote server to fetch additional instructions to execute.


This includes gathering system information, executing commands, downloading and executing files on the victim’s machine, and terminating itself.

On devices running macOS, the Base64 encoded content fetched from the server is written to a file named “/Users/Shared/AppleAccount.tgz” which is then unpacked and launched as the application “/Users/Shared/TempUser/”.

On a Linux host, the same routine identifies the operating system distribution by checking "/etc/os-release". It then writes C code to a temporary file, "tmp.c," which is compiled to a file named "/tmp/.ICE-unix/git" using the cc command on Fedora and gcc on Debian.
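The macOS and Linux staging behaviour described in the two paragraphs above (the archive dropped under /Users/Shared, the payload compiled into /tmp/.ICE-unix/git) can be turned into a simple host-telemetry check. The script below is an added example, not Bitdefender's or The Hacker News' code; it assumes newline-delimited JSON events with constructed `type`, `path` and `cmdline` fields, and the sample log is constructed rather than captured.

```python
import json
import shlex
# Host indicators quoted in the Bitdefender write-up summarised on this page.
MAC_STAGE_ARCHIVE = "/Users/Shared/AppleAccount.tgz"
MAC_STAGE_DIR = "/Users/Shared/TempUser/"
LINUX_BUILD_DIR = "/tmp/.ICE-unix/"  # normally holds X11 ICE sockets, never binaries
COMPILERS = {"cc", "gcc"}

def _output_path(argv):
    """Return the file a cc/gcc command line writes via -o ('-o x' or '-ox'), or None."""
    for i, arg in enumerate(argv):
        if arg == "-o" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-o") and len(arg) > 2:
            return arg[2:]
    return None

def classify_event(event):
    """Return findings for one EDR-style event dict; an empty list means no match."""
    findings = []
    if event.get("type") == "file_write":
        path = event.get("path", "")
        if path == MAC_STAGE_ARCHIVE:
            findings.append("macOS staging archive written: " + path)
        elif path.startswith(LINUX_BUILD_DIR):
            findings.append("file dropped in X11 socket dir: " + path)
    elif event.get("type") == "process_exec":
        argv = shlex.split(event.get("cmdline", ""))
        if not argv:
            return findings
        out = _output_path(argv)
        # Linux branch: cc/gcc compiling tmp.c straight into /tmp/.ICE-unix/git
        if argv[0].rsplit("/", 1)[-1] in COMPILERS and out and out.startswith(LINUX_BUILD_DIR):
            findings.append("compiler output redirected to " + out)
        # macOS branch: unpacked payload run from the world-writable /Users/Shared tree
        if argv[0].startswith((MAC_STAGE_DIR, LINUX_BUILD_DIR)):
            findings.append("execution from staging path: " + argv[0])
    return findings

def scan_log(lines):
    # Scan newline-delimited JSON events; return (line number, finding) pairs.
    return [(n, f) for n, line in enumerate(lines, 1) for f in classify_event(json.loads(line))]

# Constructed sample telemetry (not real captures); lines 2, 3 and 5 should match.
SAMPLE_LOG = [
    '{"type": "process_exec", "cmdline": "/usr/bin/gcc -O2 main.c -o /home/u/app"}',
    '{"type": "process_exec", "cmdline": "/usr/bin/cc /tmp/tmp.c -o /tmp/.ICE-unix/git"}',
    '{"type": "file_write", "path": "/Users/Shared/AppleAccount.tgz"}',
    '{"type": "file_write", "path": "/Users/alice/Downloads/notes.txt"}',
    '{"type": "process_exec", "cmdline": "/Users/Shared/TempUser/helper --daemon"}',
]
```

Path matches on their own are weak evidence; the compiler rule is the more durable one because a cc/gcc invocation that emits into a socket directory has no legitimate reason to exist.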

Bitdefender says it also found a "more robust backdoor" among the samples, a file labeled "" that comes with a suite of capabilities for gathering system metadata, enumerating files, deleting files, executing commands and files, and exfiltrating encoded data in batches.

The third component is a FAT binary known as xcc, written in Swift, that targets macOS Monterey (version 12) and later. The file holds two Mach-O files for two CPU architectures, Intel x86 and ARM M1.

“The main purpose seems to be to check permissions before using a potential spyware component (possibly to capture the screen) but excludes the spyware component itself,” the researchers said.


“This leads us to believe that these files were part of a more complex attack and some files were missing from the systems we investigated.”

The xcc spyware connection stems from the path found in the file's contents, “/Users/joker/Downloads/Spy/XProtectCheck/”, and the fact that it checks for permissions such as Disk Access, Screen Recording, and Accessibility.

The identity of the threat actor behind the activity is not yet known. It is also unclear at this time how the initial access was obtained, and whether it involved elements of social engineering or spear-phishing.

The disclosure comes just over two weeks after Russian cybersecurity firm Kaspersky revealed that iOS devices had been targeted as part of a long-running advanced mobile campaign dubbed Operation Triangulation that began in 2019.
