macOS is widely regarded as one of the more secure operating systems. As of the beginning of 2023 there are reportedly over 100 million macOS devices worldwide, and that install base has made macOS an increasingly attractive target for threat actors.
According to recent reports from SentinelOne, Bitdefender and Elastic, a new family of macOS malware is in the wild and has compromised macOS devices in several organisations. The number of victims is yet to be confirmed.
The malware gives an active adversary a foothold on the host: a backdoor, together with reconnaissance tooling built from open-source components. Its first stage is multi-platform, while a further component is specific to macOS.
JokerSpy – Multi-Stage macOS Malware
The initial access vector is still under investigation. Current reports link the initial compromise to a trojanized QR-code generator: malicious code in a file named QRWriter.java, hidden inside an otherwise legitimate open-source QR project.
Once it has detected the host OS, the malware decodes an embedded base64 blob, writes it to the temporary directory and executes it. This decoded file handles communication with the C2 (command and control) server at hxxps://git-hub[.]me/view/php.
What happens next depends on the C2 server's response. The malware also creates a p.dat file and a prefTemp.java executable that gives the attacker a reverse shell, as well as two further backdoor files, shared.dat and sh.py.
According to the investigations, the following data is sent to the attacker at regular intervals:
Current Working Directory
Username
Hostname
Domain Name
OS Version
Python Version
Path to sh.py
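The dropper pattern described above (detect the OS, base64-decode an embedded blob, write it to the temp directory, execute it) is easy to triage statically. The following scanner is an added example, not code from the original report or from the malware: it is run here over a constructed Java snippet that imitates the QRWriter.java behaviour, with a harmless stub as the embedded stage. The indicator regexes, the threshold of three hits and the stub contents are assumptions chosen for the example; the C2 URL appears only as a string inside the stub and is never contacted.

```python
import base64
import re

# Constructed stage-2 stub, NOT the real JokerSpy script. The URL is the C2
# named in the report and is only a string constant here.
STAGE_STUB = (
    "#!/usr/bin/env python3\n"
    "C2 = 'https://git-hub.me/view/php'  # reported JokerSpy C2, never contacted\n"
    "print('constructed stage-2 stub')\n"
)
BLOB = base64.b64encode(STAGE_STUB.encode()).decode()

# Constructed Java source modelled on the described QRWriter.java dropper.
SAMPLE_JAVA = f'''
public class QRWriter {{
    private static final String P = "{BLOB}";
    public static void main(String[] a) throws Exception {{
        String os = System.getProperty("os.name").toLowerCase();
        byte[] d = java.util.Base64.getDecoder().decode(P);
        java.io.File f = new java.io.File(System.getProperty("java.io.tmpdir"), "s.py");
        java.nio.file.Files.write(f.toPath(), d);
        new ProcessBuilder("python3", f.getPath()).start();
    }}
}}
'''

# Behavioural indicators of the dropper chain, each a regex over source text.
INDICATORS = {
    "os_detection": r'System\.getProperty\(\s*"os\.name"\s*\)',
    "base64_decode": r'Base64\.getDecoder\(\)\.decode',
    "tempdir_write": r'java\.io\.tmpdir|createTempFile',
    "process_spawn": r'ProcessBuilder|Runtime\.getRuntime\(\)\.exec',
}
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')   # long base64 string literal
URL_RE = re.compile(r"https?://[^\s'\"]+")


def defang(url):
    """Make an extracted URL safe to paste into a report (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_blob(blob):
    """Decode a base64 literal; return a preview and defanged URLs, or None if it is not text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None                      # binary payload: hand it to a sandbox instead
    return {"preview": text.splitlines()[0] if text else "",
            "urls": [defang(u) for u in URL_RE.findall(text)]}


def scan_java(source):
    """Score a Java file for the decode-to-temp-and-run pattern and unpack embedded blobs."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, source)]
    blobs = [{"length": len(m.group(1)), "decoded": decode_blob(m.group(1))}
             for m in B64_LITERAL.finditer(source)]
    # Assumption: three of four chain indicators plus a decodable blob is worth an analyst's time.
    suspicious = len(hits) >= 3 and any(b["decoded"] for b in blobs)
    return {"hits": hits, "blobs": blobs, "suspicious": suspicious}


if __name__ == "__main__":
    import json
    print(json.dumps(scan_java(SAMPLE_JAVA), indent=2))
```

Point the scanner at a real project with `scan_java(open(path).read())` for each `.java` file; a decodable blob whose first line is a shebang or an import, next to a temp-directory write and a process spawn, is the shape reported for this dropper. Legitimate build tooling can trip individual indicators, so the decoded preview and extracted URLs are what make the finding actionable.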
JokerSpy | macOS Spyware stage
Further analysis uncovered a component that exists only for macOS: a file hidden under the name "xcc" that uses the Launch Services identifier com.apple.xprotectcheck, a name chosen to resemble Apple's built-in XProtect components. The binary is universal and runs on both Intel and Apple silicon.
This file collects the following information, which goes well beyond what a commodity attacker gathers. The analysis shows that the attacker wants not only to infiltrate the system but also to study the victim's behavioural patterns for further exploitation. The data includes:
Device Idle Time
Active (Frontmost) App
Screen status (locked or unlocked)
Whether the active app has Full Disk Access
Whether the active app has Screen Recording permission
Whether the active app has Accessibility permission
Image: the file calls IOServiceMatching("IOHIDSystem") to query the system idle time (the HIDIdleTime property), i.e. the time since the last mouse, trackpad or keyboard input.
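Two facts in this section are directly huntable: the dropped filenames, and a binary that claims an Apple-namespace identifier (com.apple.xprotectcheck) while living outside Apple-owned paths. The script below is an added example written for this page, not the researchers' tooling; it builds a constructed directory tree (a fake universal "xcc", a placeholder sh.py, one bundle claiming the Apple identifier and one benign bundle) and hunts over it. The artifact-name list comes from the text above; the set of Apple-owned path prefixes and the use of an Info.plist as the identifier source are assumptions of the example. For a bare executable on a real host, read the identifier with `codesign -dvvv <file>` (the `Identifier=` line) instead of a bundle's Info.plist.

```python
import os
import plistlib
import struct
import tempfile

# Filenames reported for the JokerSpy stages in the write-up above.
ARTIFACT_NAMES = {"xcc", "sh.py", "shared.dat", "p.dat", "prefTemp.java"}
# Assumption: locations where a genuine com.apple.* identifier is expected to live.
APPLE_OWNED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/Library/Apple/")

FAT_MAGIC = 0xCAFEBABE     # universal (fat) binary; header is big-endian
MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit Mach-O; header is little-endian on disk
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}


def macho_architectures(data):
    """List the CPU architectures a Mach-O file carries (fat header or thin 64-bit)."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):
            off = 8 + i * 20                      # struct fat_arch = five uint32 fields
            if off + 20 > len(data):
                break
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []


def masquerades_as_apple(bundle_id, path):
    """True when an Apple-namespace identifier is claimed by a file outside Apple-owned paths."""
    return bundle_id.startswith("com.apple.") and not path.startswith(APPLE_OWNED_PREFIXES)


def hunt(root):
    """Walk root and return (kind, detail) findings for artifact names and masquerading IDs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in ARTIFACT_NAMES:
                findings.append(("artifact_name", path))
            if name == "Info.plist":
                with open(path, "rb") as fh:
                    bid = plistlib.load(fh).get("CFBundleIdentifier", "")
                if masquerades_as_apple(bid, path):
                    findings.append(("apple_id_masquerade", f"{bid} @ {path}"))
    return findings


def build_sample_tree(root):
    """Constructed sample tree: a fat 'xcc', a dropped sh.py, and bundles with two identifiers."""
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x100, 14)   # x86_64 slice (offsets made up)
    fat += struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x100, 14)   # arm64 slice
    files = {
        "Library/Caches/tmp/xcc": fat,
        "tmp/sh.py": b"# constructed placeholder, not the real script\n",
        "Applications/Helper.app/Contents/Info.plist":
            plistlib.dumps({"CFBundleIdentifier": "com.apple.xprotectcheck"}),
        "Applications/Good.app/Contents/Info.plist":
            plistlib.dumps({"CFBundleIdentifier": "com.example.good"}),
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, hunt it, and report the fake xcc's architectures."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = hunt(root)
        with open(os.path.join(root, "Library/Caches/tmp/xcc"), "rb") as fh:
            archs = macho_architectures(fh.read())
    return {"findings": sorted(findings), "xcc_archs": archs}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The path heuristic is a first filter, not a verdict: Apple ships some com.apple.* bundles under /Applications, so confirm a hit with `codesign -dvvv` and check that the signing authority is Apple before escalating. On a live Mac, the idle-time value the xcc component reads from IOHIDSystem is visible with `ioreg -c IOHIDSystem | grep HIDIdleTime`, which is a quick way to see what the spyware is sampling.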