Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems.
“As of now, these samples are still largely undetected and very little information is available about any of them,” Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday.
The Romanian firm’s analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023.
Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed JokerSpy.
The first constituent is shared.dat, which, once launched, runs an operating system check (0 for Windows, 1 for macOS, and 2 for Linux) and establishes contact with a remote server to fetch additional instructions for execution.
This includes gathering system information, running commands, downloading and executing files on the victim machine, and terminating itself.
On devices running macOS, Base64-encoded content retrieved from the server is written to a file named “/Users/Shared/AppleAccount.tgz” that’s subsequently unpacked and launched as the “/Users/Shared/TempUser/AppleAccountAssistant.app” application.
The same routine, on Linux hosts, validates the operating system distribution by checking the “/etc/os-release” file. It then proceeds to write C code to a temporary file “tmp.c,” which is compiled to a file called “/tmp/.ICE-unix/git” using the cc command on Fedora and gcc on Debian.
Bitdefender said it also found a “more potent backdoor” among the samples, a file labeled “sh.py” that comes with an extensive set of capabilities to gather system metadata, enumerate files, delete files, execute commands and files, and exfiltrate encoded data in batches.
The third component is a FAT binary known as xcc that’s written in Swift and targets macOS Monterey (version 12) and newer. The file houses two Mach-O files for the twin CPU architectures, x86 Intel and ARM M1.
“Its primary purpose is apparently to check permissions before using a potential spyware component (probably to capture the screen) but does not include the spyware component itself,” the researchers said.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
“This leads us to believe that these files are part of a more complex attack and that several files are missing from the system we investigated.”
xcc’s spyware connections stem from a path identified within the file content, “/Users/joker/Downloads/Spy/XProtectCheck/” and the fact that it checks for permissions such as Disk Access, Screen Recording, and Accessibility.
The identity of the threat actors behind the activity is unknown as yet. It’s currently also not clear how initial access is obtained, and if it involves an element of social engineering or spear-phishing.
The disclosure comes a little over two weeks after Russian cybersecurity company Kaspersky disclosed that iOS devices have been targeted as part of a sophisticated and long-running mobile campaign dubbed Operation Triangulation that began in 2019.