Japanese Cryptocurrency Exchange Falls Victim to JokerSpy macOS Backdoor Attack


June 26, 2023 | Ravie Lakshmanan | Cryptocurrency / Endpoint Security


An unnamed cryptocurrency exchange located in Japan was targeted earlier this month by an attack that deployed an Apple macOS backdoor called JokerSpy.

Elastic Security Labs, which tracks the intrusion set under the name REF9134, said the attack led to the installation of Swiftbelt, a Swift-based enumeration tool inspired by the open-source Windows utility Seatbelt.

JokerSpy was first documented by Bitdefender last week, which described it as a sophisticated toolkit designed to compromise macOS machines.


Very little is known about the threat actor behind the attack, other than that it relied on a suite of programs written in Python and Swift capable of collecting data from and executing arbitrary commands on the compromised host.

The main component of the toolkit is a self-signed, multi-architecture binary known as xcc, which is designed to check whether the host has granted Full Disk Access and Screen Recording permissions, both of which are controlled by macOS's Transparency, Consent, and Control (TCC) framework.

The file is signed with the identity XProtectCheck, indicating an attempt to masquerade as XProtect, the built-in anti-malware technology in macOS that uses signature-based detection rules to block known malware and remove it from already infected hosts.

In the incidents analyzed by Elastic, the xcc executions were followed by the threat actors "attempting to bypass TCC permissions by creating their own TCC database and try to replace the existing one."
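Because a swapped-in TCC database is, by construction, a file whose contents look valid, the practical check is to inspect what the database actually grants rather than whether it parses. The following is an added example written for this article, not code from Elastic or Bitdefender, and it does not reproduce the attacker's technique. It builds a constructed in-memory copy of the `access` table using a simplified version of the schema found in recent macOS TCC databases (the column set, the `client_type` meaning of 0 = bundle ID and 1 = absolute path, and `auth_value` 2 = allowed are assumptions about the schema), then lists every allowed Full Disk Access or Screen Recording grant whose client is not on an assumed allow-list. The `xcc` path is a placeholder, not a path reported in the article.

```python
import sqlite3

# TCC service identifiers for the two permissions xcc is reported to check.
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"
SCREEN_RECORDING = "kTCCServiceScreenCapture"
WATCHED_SERVICES = {FULL_DISK_ACCESS, SCREEN_RECORDING}

# Assumed auth_value meaning in recent TCC schemas: 0 = denied, 2 = allowed.
ALLOWED = 2

# Assumed allow-list for a developer workstation: client -> services it may hold.
EXPECTED_CLIENTS = {
    "com.googlecode.iterm2": {SCREEN_RECORDING},
}

# Simplified, assumed subset of the real TCC.db 'access' table.
SCHEMA = """
CREATE TABLE access (
  service       TEXT    NOT NULL,
  client        TEXT    NOT NULL,
  client_type   INTEGER NOT NULL,   -- assumed: 0 = bundle ID, 1 = absolute path
  auth_value    INTEGER NOT NULL,
  auth_reason   INTEGER NOT NULL,
  last_modified INTEGER NOT NULL,   -- Unix epoch seconds
  PRIMARY KEY (service, client, client_type)
);
"""


def build_sample_db():
    """Constructed sample TCC database; rows are synthetic, not from the incident."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        (SCREEN_RECORDING, "com.googlecode.iterm2", 0, ALLOWED, 2, 1685500000),
        (FULL_DISK_ACCESS, "/Users/dev/.local/bin/xcc", 1, ALLOWED, 2, 1685600000),
        (SCREEN_RECORDING, "/Users/dev/.local/bin/xcc", 1, ALLOWED, 2, 1685600000),
        ("kTCCServiceCamera", "com.apple.FaceTime", 0, ALLOWED, 2, 1685400000),
        (FULL_DISK_ACCESS, "com.example.denied", 0, 0, 2, 1685300000),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def open_tcc_db(path):
    """Open a real TCC.db read-only (reading it requires Full Disk Access itself)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def suspicious_grants(conn, expected=EXPECTED_CLIENTS):
    """Return allowed Full Disk Access / Screen Recording grants to clients not on the allow-list.

    Each finding is (service, client, client_type, last_modified).
    """
    findings = []
    query = "SELECT service, client, client_type, auth_value, last_modified FROM access"
    for service, client, client_type, auth_value, last_modified in conn.execute(query):
        if service not in WATCHED_SERVICES or auth_value != ALLOWED:
            continue
        if service in expected.get(client, set()):
            continue
        findings.append((service, client, client_type, last_modified))
    # Newest grants first: a freshly planted database tends to carry recent timestamps.
    findings.sort(key=lambda f: f[3], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in suspicious_grants(build_sample_db()):
        print(finding)
```

On a live host the per-user database lives under `~/Library/Application Support/com.apple.TCC/TCC.db` and the system one under `/Library/Application Support/com.apple.TCC/TCC.db`; both are themselves TCC-protected, so the tool running `open_tcc_db` needs Full Disk Access, and a grant that appears with no matching user-consent prompt in the audit trail is the signal to chase.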

"On June 1, a new Python-based tool was seen running from the same directory as xcc and used to execute the open-source macOS post-exploitation enumeration tool known as Swiftbelt," said security researchers Colson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, and Ricardo Ungureanu.

The attack targeted a major Japan-based cryptocurrency service provider focused on asset exchange for trading Bitcoin, Ethereum, and other common cryptocurrencies. The name of the company was not disclosed.


The xcc binary, for its part, was launched via bash from three different applications named IntelliJ IDEA, iTerm (a terminal emulator for macOS), and Visual Studio Code, indicating that backdoored versions of software development tools were likely used to gain initial access.
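Two observable facts from the paragraphs above combine into a useful hunting rule: a binary signed with an Apple-sounding identity that does not chain to Apple's root, and an execution chain of developer tool, then shell, then an unexpected non-Apple binary. The example below is added here and is not Elastic's detection logic or any vendor's code. It runs that heuristic over a constructed set of process-execution events (synthetic, not telemetry from the incident); the process names used for the developer tools, the certificate chains, and the use of the executable's signing identity as the `signer` field are all assumptions about what an EDR would expose.

```python
# Assumed process names for the developer tools named in the article.
DEV_TOOLS = {"IntelliJ IDEA", "iTerm2", "Code"}
SHELLS = {"bash", "sh", "zsh"}
APPLE_ROOT = "Apple Root CA"

APPLE_CHAIN = ["Software Signing", "Apple Code Signing Certification Authority", APPLE_ROOT]
DEV_ID_CHAIN = ["Developer ID Application: Example Vendor",
                "Developer ID Certification Authority", APPLE_ROOT]

# Constructed process-execution events: pid, parent pid, name, signing identity, cert chain.
EVENTS = [
    {"pid": 100, "ppid": 1,   "name": "iTerm2", "signer": DEV_ID_CHAIN[0], "chain": DEV_ID_CHAIN},
    {"pid": 200, "ppid": 100, "name": "bash",   "signer": "Software Signing", "chain": APPLE_CHAIN},
    # Self-signed binary: its chain is only its own identity, which imitates XProtect.
    {"pid": 300, "ppid": 200, "name": "xcc",    "signer": "XProtectCheck", "chain": ["XProtectCheck"]},
    # Benign child of the same shell, Apple-signed.
    {"pid": 400, "ppid": 200, "name": "git",    "signer": "Software Signing", "chain": APPLE_CHAIN},
    # Control case: same name, but genuinely chained to Apple's root, so it must not fire.
    {"pid": 500, "ppid": 1,   "name": "XProtectCheck", "signer": "XProtectCheck", "chain": APPLE_CHAIN},
]


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(procs, pid):
    """Names of the parent, grandparent, ... of pid, nearest first."""
    names = []
    ppid = procs[pid]["ppid"]
    while ppid in procs:
        names.append(procs[ppid]["name"])
        ppid = procs[ppid]["ppid"]
    return names


def apple_chained(event):
    """True when the signing chain terminates at Apple's root; self-signed code never does."""
    return bool(event["chain"]) and event["chain"][-1] == APPLE_ROOT


def detect(events):
    """Return (pid, name, reasons) for every process matching either heuristic."""
    procs = index_by_pid(events)
    alerts = []
    for e in events:
        reasons = []
        # Heuristic 1: Apple-sounding signing identity without Apple's chain of trust.
        if "xprotect" in e["signer"].lower() and not apple_chained(e):
            reasons.append("signer_masquerade")
        # Heuristic 2: dev tool -> shell -> non-Apple binary, the chain described for xcc.
        anc = ancestors(procs, e["pid"])
        if (anc and anc[0] in SHELLS and any(a in DEV_TOOLS for a in anc[1:])
                and not apple_chained(e)):
            reasons.append("devtool_shell_child")
        if reasons:
            alerts.append((e["pid"], e["name"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second heuristic alone is noisy on a developer box, where terminals spawn shells all day; what makes it worth an alert here is the conjunction with the first, which keys on the certificate chain rather than on the name, so the Apple-signed control case with the same name stays quiet.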

Another important module installed as part of the attack was a Python implant used as a conduit for delivering other post-exploitation tools such as Swiftbelt.

"Unlike other enumeration methods, Swiftbelt calls Swift code to avoid creating command-line artifacts," the researchers said. Notably, the xcc variant is also written in Swift.
