Bitdefender discovered a set of malicious artifacts that they say are part of a complex cross-platform toolkit, including one that is targeting macOS devices.
우리도 그렇게 썼다는 것을 상기시켜 드리겠습니다. Pirated Software for MacOS Comes with Malware, 그리고 그것도 Vulnerability in iOS and macOS Allowed Eavesdropping on Siri Conversations.
Also the media reported that the 0-day vulnerability in macOS was exploited to attack visitors of Hong Kong news sites.
The analysis of Bitdefender researchers is based on the study of several samples of malware that were uploaded to VirusTotal by an unnamed victim. The earliest example is dated April 18, 2023. It is noted that at the moment these samples are still poorly detected by security solutions and “very little information is available about any of them.”
Two of the detected malware are simple backdoors written in Python and designed to attack Windows, Linux and macOS. These payloads have been collectively referred to as JokerSpy in a Bitdefender report.
The first malware is the shared.dat 파일, which, after being launched, checks the operating system (0 윈도우용, 1 for macOS, 그리고 2 for Linux) and contacts the attackers’ server for additional instructions. Among them may be: collecting information about the system, executing commands, downloading and executing files on the victim’s machine, and shutting down.
On macOS devices, base64 encoded content received from the server is written to the /Users/Shared/AppleAccount.tgz file, which is subsequently unpacked and launched as the /Users/Shared/TempUser/AppleAccountAssistant.app application.
On Linux hosts, the process is almost the same: the malware checks the distribution by accessing the /etc/os-release file, and then writes C code to a temporary tmp.c file, which is compiled into the /tmp/.ICE-unix/git file using cc commands on Fedora and gcc on Debian.
Experts write that among the samples, a “more powerful backdoor” was also found – 그만큼 sh.py 파일, which has an extensive set of capabilities for collecting system metadata, searching and deleting files, executing commands and files received from operators, and stealing data.
Another malware is a FAT binary called “xcc” written in Swift and intended for macOS Monterey (버전 12) and newer. The file contains two Mach-O files for two x86 Intel and ARM M1 architectures.
Experts believe that xcc is related to some sort of spyware based on the /Users/joker/Downloads/Spy/XProtectCheck/ path that was seen in the contents of the file, and because it checks permissions such as Disk Access, Screen Recording and accessibility.
It is still unclear who exactly is behind the detected malware, since even the vector of the initial infection is unknown. It is assumed that social engineering or spear phishing was most likely used here.