JokerSpy malware discovered that adds backdoor to macOS

A new and strange macOS malware called “JokerSpy” has been identified, with its first known deployment being a backdoor planted at a cryptocurrency exchange.

While Mac threats are relatively rare compared to Windows, the number of instances where macOS is the target has continued to grow. In a new discovery, it seems there’s one more backdoor-creating malware to add to the list of potential threats.

Initially reported by researchers at Bitdefender, with independent research also carried out by Elastic Security Labs, the malware known as JokerSpy is still relatively unknown, in part due to a lack of samples. So far, Bitdefender is working on four samples in total, while Elastic focused on the breach of a “prominent Japanese cryptocurrency exchange.”

As part of the malware’s construction, it uses a binary called “xcc” that contains Mach-O files for x86 Intel and ARM M1 architectures, theoretically allowing it to work on both Intel and Apple Silicon Macs. The file checks for permissions managed by Apple’s Transparency, Consent, and Control (TCC) system.

After copying over the existing TCC database to avoid detection, the xcc executable ran, creating a Python-based backdoor before gathering system information that was then sent back to the attacker. It’s feasible that plugins and other payloads could be employed to gain more control over the system.
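Because the report says the existing TCC database was replaced, one defensive check is to snapshot the grants in the TCC database and diff them against a known-good baseline, flagging any new or upgraded grant for a sensitive service. The script below is an added example, not code from the article, Bitdefender or Elastic. It works on a constructed in-memory copy of the database using the column names of TCC’s `access` table (`service`, `client`, `client_type`, `auth_value`, where `auth_value` 2 means allowed); the on-disk paths, the `kTCCService*` names and the meaning of `auth_value` are assumptions based on general macOS knowledge, and the “xcc” client rows are constructed sample data, not indicators from the report.

```python
"""Added example: snapshot and diff TCC privacy grants to detect a replaced
or tampered TCC database. Not from the article or the researchers' reports."""
import sqlite3

# Assumed on-disk locations of the TCC databases on macOS (system-wide and per-user).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
USER_TCC_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"

# Services where an unexpected grant is a strong signal (assumed TCC service names).
HIGH_RISK_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAccessibility",         # control of other apps / input
    "kTCCServiceScreenCapture",
}
AUTH_ALLOWED = 2  # assumed: TCC auth_value meaning "allowed"


def snapshot_grants(conn):
    """Return {(service, client): auth_value} from the TCC access table."""
    rows = conn.execute("SELECT service, client, auth_value FROM access").fetchall()
    return {(service, client): auth for service, client, auth in rows}


def diff_grants(baseline, current):
    """Compare two snapshots. Returns (kind, service, client, auth, severity) tuples
    for grants that were added, changed, or removed relative to the baseline."""
    findings = []
    for key, auth in current.items():
        service, client = key
        if key not in baseline:
            risky = service in HIGH_RISK_SERVICES and auth == AUTH_ALLOWED
            findings.append(("new", service, client, auth, "high" if risky else "info"))
        elif baseline[key] != auth:
            sev = "high" if auth == AUTH_ALLOWED else "info"
            findings.append(("changed", service, client, auth, sev))
    for service, client in baseline.keys() - current.keys():
        findings.append(("removed", service, client, None, "info"))
    return findings


def build_demo_db(rows):
    """Constructed in-memory stand-in for TCC.db with the columns the check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn


# Constructed sample data: a clean baseline and a tampered copy that grants
# Full Disk Access and Accessibility to an unfamiliar binary.
BASELINE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2),
    ("kTCCServiceCamera", "com.example.videochat", 0, 2),
]
TAMPERED_ROWS = BASELINE_ROWS + [
    ("kTCCServiceSystemPolicyAllFiles", "/Users/Shared/xcc", 1, 2),
    ("kTCCServiceAccessibility", "/Users/Shared/xcc", 1, 2),
]


def demo():
    """Run the diff over the constructed baseline and tampered databases."""
    baseline = snapshot_grants(build_demo_db(BASELINE_ROWS))
    current = snapshot_grants(build_demo_db(TAMPERED_ROWS))
    return diff_grants(baseline, current)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In live use, take the baseline snapshot from a machine known to be clean (reading the system database requires Full Disk Access itself) and store it outside the host, since a tool that overwrites the TCC database can equally overwrite a baseline kept beside it.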

The breach in late May was followed by a new Python tool being installed on June 1, running a post-exploitation enumeration tool called Swiftbelt.

With so few instances to work from, and the belief that the exchange hacker had previous access to the target system, it is unknown how the malware could’ve been introduced to the target Macs outside of already having some form of access.

It is also unknown who created the malware in the first place, but given that it targeted a cryptocurrency exchange, it is more likely a highly sophisticated, targeted attack than one the average user is likely to fall prey to.

Prevention is the way

Based on the limited evidence available, it seems unlikely that the average Mac user will find…