Information Security Specialists Discovered a Toolkit Designed to Attack MacOS

Bitdefender discovered a set of malicious artifacts that they say are part of a complex cross-platform toolkit, including one that is targeting macOS devices.

Let me remind you that we also wrote that Pirated Software for MacOS Comes with Malware, and also that Vulnerability in iOS and macOS Allowed Eavesdropping on Siri Conversations.

Also the media reported that the 0-day vulnerability in macOS was exploited to attack visitors of Hong Kong news sites.

The analysis of Bitdefender researchers is based on the study of several samples of malware that were uploaded to VirusTotal by an unnamed victim. The earliest example is dated April 18, 2023. It is noted that at the moment these samples are still poorly detected by security solutions and “very little information is available about any of them.”

Two of the detected malware are simple backdoors written in Python and designed to attack Windows, Linux and macOS. These payloads have been collectively referred to as JokerSpy in a Bitdefender report.

The first malware is the shared.dat file, which, after being launched, checks the operating system (0 for Windows, 1 for macOS, and 2 for Linux) and contacts the attackers’ server for additional instructions. Among them may be: collecting information about the system, executing commands, downloading and executing files on the victim’s machine, and shutting down.

On macOS devices, base64 encoded content received from the server is written to the /Users/Shared/AppleAccount.tgz file, which is subsequently unpacked and launched as the /Users/Shared/TempUser/AppleAccountAssistant.app application.

On Linux hosts, the process is almost the same: the malware checks the distribution by accessing the /etc/os-release file, and then writes C code to a temporary tmp.c file, which is compiled into the /tmp/.ICE-unix/git file using cc commands on Fedora and gcc on Debian.

Experts write that among the samples, a “more powerful backdoor” was also found – the sh.py file, which has an extensive set of capabilities for collecting system metadata, searching and deleting files, executing commands and files received from operators, and stealing data.

Another malware is a FAT binary called “xcc” written in Swift and intended for macOS Monterey (version 12) and newer. The file contains two Mach-O files for two x86 Intel and ARM M1 architectures.

Its main purpose is obviously to check permissions before using a potentially spyware component (probably for screen capture), but the spyware component itself is not included. This led us to believe that these files are part of a more complex attack, and that a number of files are missing from the system we are investigating.the researchers write.

Experts believe that xcc is related to some sort of spyware based on the /Users/joker/Downloads/Spy/XProtectCheck/ path that was seen in the contents of the file, and because it checks permissions such as Disk Access, Screen Recording and accessibility.

It is still unclear who exactly is behind the detected malware, since even the vector of the initial infection is unknown. It is assumed that social engineering or spear phishing was most likely used here.

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.

Leave a Comment