
Japanese Cryptocurrency Exchange Falls Victim to JokerSpy macOS Backdoor Attack
An unknown cryptocurrency exchange located in Japan was the target of a new attack earlier this month to spread an Apple macOS backdoor called JokerSpy.
Elastic Security Labs, which tracks the intrusion set under the name Ref9134, said the attack led to the installation of Swiftbelt, a Swift-based enumeration tool inspired by the open-source utility Seatbelt.
JokerSpy was first documented by Bitdefender last week, which described it as a powerful toolkit designed to compromise macOS machines.
Very little is known about the threat actor behind the attack other than the fact that the attack leveraged a suite of programs written in Python and Swift that came with the ability to collect data and execute arbitrary commands on the compromised host.
The main component of the toolkit is a self-signed multi-architecture binary known as xcc, which is designed to check the FullDiskAccess and ScreenRecording permissions.
The file is signed as XProtectCheck, indicating an attempt to masquerade as XProtect, the built-in antivirus technology in macOS that uses signature-based detection rules to remove malware from already infected hosts.
In the incidents analyzed by Elastic, xcc executions were followed by the threat actors “attempting to bypass TCC permissions by creating their own TCC database and trying to replace the existing one.”

“On June 1, a new Python-based tool was seen running from the same directory as xcc and used to execute the open-source macOS post-exploitation enumeration tool known as Swiftbelt,” security researchers Colson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, and Ricardo Ungureanu said.
The attack targeted a major Japan-based cryptocurrency service provider focused on asset exchange for trading Bitcoin, Ethereum, and other common cryptocurrencies. The name of the company was not disclosed.
The xcc binary, for its part, was launched via Bash from three different applications, IntelliJ IDEA, iTerm (a terminal emulator for macOS), and Visual Studio Code, indicating that backdoored versions of software development tools were likely used to gain initial access.
Another important module installed as part of the attack was sh.py, a Python implant used as a conduit for delivering other post-exploitation tools such as Swiftbelt.
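The behaviours described above (an untrusted binary launched through a shell from an IDE or terminal, a signing identity borrowing the XProtect name, and a non-system process writing the TCC database) can be turned into hunting logic. The following is an added example, not code from the article or from Elastic Security Labs; the event schema (`kind`, `name`, `ancestors`, `signer`, `trusted`, `path`) is an assumed EDR-style layout and the sample events are constructed, while the TCC.db location is macOS's real one.

```python
from dataclasses import dataclass, field

# Real TCC database location (under / for the system store, under $HOME for the
# per-user store); the report says the actors tried to replace it with their own.
TCC_DB_SUFFIX = "Library/Application Support/com.apple.TCC/TCC.db"
DEV_TOOLS = {"IntelliJ IDEA", "iTerm", "iTerm2", "Code", "Visual Studio Code"}
SHELLS = {"bash", "sh", "zsh"}
TCC_DB_WRITERS = {"tccd"}  # the TCC daemon is the only expected writer

@dataclass
class Event:                                    # assumed EDR-style schema
    kind: str                                   # "exec" or "file_write"
    name: str                                   # process name
    ancestors: list = field(default_factory=list)  # parent, grandparent, ...
    signer: str = ""                            # code-signing identity
    trusted: bool = False                       # chains to Apple (platform or Developer ID)
    path: str = ""                              # written path for file_write

def dev_tool_shell_launch(e: Event) -> bool:
    """Untrusted binary run by a shell under an IDE/terminal: the xcc launch chain."""
    return (e.kind == "exec" and not e.trusted and len(e.ancestors) >= 2
            and e.ancestors[0] in SHELLS and e.ancestors[1] in DEV_TOOLS)

def xprotect_masquerade(e: Event) -> bool:
    """Signing identity or name borrows the XProtect brand without Apple's signature."""
    return e.kind == "exec" and not e.trusted and (
        "xprotect" in e.signer.lower() or "xprotect" in e.name.lower())

def tcc_db_tamper(e: Event) -> bool:
    """Anything other than tccd writing TCC.db (attacker-supplied database)."""
    return (e.kind == "file_write" and e.path.endswith(TCC_DB_SUFFIX)
            and e.name not in TCC_DB_WRITERS)

RULES = [dev_tool_shell_launch, xprotect_masquerade, tcc_db_tamper]

def detect(events):
    """Return (rule, process) pairs, in event order, for every rule that fires."""
    return [(r.__name__, e.name) for e in events for r in RULES if r(e)]

# Constructed sample telemetry modelled on the reported chain (not real captures).
SAMPLE_EVENTS = [
    Event("exec", "xcc", ["bash", "Visual Studio Code"], signer="XProtectCheck"),
    Event("exec", "git", ["zsh", "iTerm2"], signer="Developer ID Application", trusted=True),
    Event("file_write", "python3", ["bash", "Visual Studio Code"], trusted=True,
          path="/Library/Application Support/com.apple.TCC/TCC.db"),
    Event("file_write", "tccd", ["launchd"], trusted=True,
          path="/Users/dev/Library/Application Support/com.apple.TCC/TCC.db"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the xcc launch twice (launch chain and XProtect masquerade) and the python3 write to TCC.db, while the developer's own `git` run and tccd's legitimate write stay quiet; the first rule is a hunting signal, not a blocking one, since unsigned local builds run from a terminal look the same.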
“Unlike other enumeration methods, Swiftbelt calls Swift code to avoid creating command-line artifacts,” the researchers said. Notably, the xcc variant is also written using Swift.