New Malicious Toolkit "JokerSpy" Targeting macOS Systems
In a recent discovery, cybersecurity researchers have uncovered a sophisticated toolkit known as "JokerSpy," which poses a significant threat to Apple macOS systems. Bitdefender, the cybersecurity firm that made the discovery, stated: "During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit."
This toolkit comprises three malicious components that exhibit advanced capabilities, including system infiltration, gathering system metadata, deleting files, executing commands and files, and data exfiltration.
The first two components of JokerSpy are generic Python-based backdoors designed to target Windows, Linux, and macOS operating systems. The initial backdoor, named "shared.dat," performs an operating system check upon execution, identifying the victim's platform. It establishes communication with a remote server to receive additional instructions, allowing it to execute various commands, gather system information, and download and execute files on the compromised machine.
Notably, on macOS devices, the backdoor writes Base64-encoded content to a file named "/Users/Shared/AppleAccount.tgz," subsequently unpacking and launching it as the "/Users/Shared/TempUser/AppleAccountAssistant.app" application.
The second backdoor, labeled "sh.py," is a more powerful and versatile component within the JokerSpy toolkit. It boasts cross-platform capabilities and is equipped with a comprehensive range of features, including system metadata gathering, file enumeration, file deletion, command and file execution, and encoded data exfiltration. This advanced backdoor stores its configuration options in the "~/Public/Safari/sar.dat" file, which it encodes using Base64.
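The file paths quoted above (the staged archive and unpacked app under /Users/Shared, and the Base64-encoded sar.dat configuration) are the host artifacts a defender can check for. The script below is an added example written for this article, not Bitdefender's tooling or any code from the toolkit itself: it looks for those paths on a filesystem, decodes sar.dat if it is well-formed Base64, and ships with a constructed sample tree (made-up contents, not real malware data) so it can be exercised safely. It assumes nothing beyond the paths named in the text; the `root`/`home` parameters let it be pointed at a mounted disk image instead of the live system.

```python
import base64
import binascii
import tempfile
from pathlib import Path

# Artifact paths named in the Bitdefender write-up summarised above.
# "~" entries are relative to the scanned user's home directory.
JOKERSPY_ARTIFACTS = (
    "/Users/Shared/AppleAccount.tgz",
    "/Users/Shared/TempUser/AppleAccountAssistant.app",
    "~/Public/Safari/sar.dat",
)


def decode_base64_config(raw: bytes):
    """Return the decoded bytes if `raw` is well-formed Base64, else None.
    Whitespace (line wrapping) is removed before strict validation."""
    compact = b"".join(raw.split())
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded or None


def locate_artifact(artifact: str, root: Path, home: Path) -> Path:
    """Map an artifact path onto the filesystem being scanned: `root`
    stands for "/" and `home` for "~", so the same code works on a
    mounted image, a test directory or the live host."""
    if artifact.startswith("~/"):
        return home / artifact[2:]
    return root / artifact.lstrip("/")


def scan_for_jokerspy(root: Path = None, home: Path = None) -> list:
    """Check each known artifact path; for sar.dat also try to decode the
    Base64 configuration the article says it holds. Returns a list of
    finding dicts (an empty list means nothing was found)."""
    root = Path("/") if root is None else root
    home = Path.home() if home is None else home
    findings = []
    for artifact in JOKERSPY_ARTIFACTS:
        target = locate_artifact(artifact, root, home)
        if not target.exists():
            continue
        finding = {"artifact": artifact, "path": str(target), "decoded_config": None}
        if target.name == "sar.dat" and target.is_file():
            finding["decoded_config"] = decode_base64_config(target.read_bytes())
        findings.append(finding)
    return findings


def build_constructed_sample() -> tuple:
    """Create a throwaway tree holding CONSTRUCTED stand-ins for two of the
    artifacts, so the scanner can be tried without a real infection."""
    base = Path(tempfile.mkdtemp(prefix="jokerspy-demo-"))
    root, home = base / "root", base / "home"
    (root / "Users/Shared").mkdir(parents=True)
    (root / "Users/Shared/AppleAccount.tgz").write_bytes(b"constructed sample, not a real archive")
    (home / "Public/Safari").mkdir(parents=True)
    (home / "Public/Safari/sar.dat").write_bytes(base64.b64encode(b"constructed config"))
    return root, home


if __name__ == "__main__":
    # Demonstrate on the constructed tree; call scan_for_jokerspy() with no
    # arguments to check the machine the script is running on.
    sample_root, sample_home = build_constructed_sample()
    for hit in scan_for_jokerspy(sample_root, sample_home):
        print(f"FOUND {hit['artifact']} at {hit['path']}")
        if hit["decoded_config"] is not None:
            print("  decoded sar.dat:", hit["decoded_config"][:200])
```

Because the malware is described as writing fixed paths under /Users/Shared and ~/Public/Safari, a file-integrity or EDR rule on writes to those locations is a cheap complement to this after-the-fact check.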
Adding complexity to the attack, the researchers identified a third component called "xcc," a FAT binary written in Swift. Specifically targeting macOS Monterey (version 12) and newer versions, xcc checks for permissions related to potential spyware activities, such as capturing the screen.
It does not, however, contain the spyware component itself. Its purpose is to verify permissions managed by Apple's TCC (Transparency, Consent, and Control) framework, including Full Disk Access, Screen Recording, and Accessibility.
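The three TCC permissions the article says xcc probes are the same ones an administrator should audit, since any client already holding them can capture the screen or read the whole disk without a further prompt. The script below is an added example for this article, not part of the toolkit or of Bitdefender's research: it lists clients recorded as allowed for those services in a TCC database. The service identifiers (kTCCServiceSystemPolicyAllFiles, kTCCServiceScreenCapture, kTCCServiceAccessibility), the `access` table columns and the `auth_value` meaning are assumptions based on macOS 11 and later databases, and the example runs against a constructed database with made-up client names so it does not need the protected real one.

```python
import sqlite3
import tempfile
from pathlib import Path

# Service identifiers for the three permissions the article names. Table
# layout (service, client, client_type, auth_value) and the auth_value
# meaning are assumed from macOS 11+ databases; older releases used an
# `allowed` column instead.
WATCHED_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
}
AUTH_ALLOWED = 2  # assumed auth_value for "allowed" (0 = denied)

# Real database locations (assumed); reading the user copy needs Full Disk
# Access for the process running this script.
SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")
USER_TCC_DB = Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"


def granted_sensitive_permissions(db_path: Path) -> dict:
    """Return {permission label: sorted clients} for every client the
    database records as allowed for one of the watched services."""
    grants = {label: [] for label in WATCHED_SERVICES.values()}
    # Open read-only so an audit can never modify the database.
    conn = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT service, client FROM access WHERE auth_value = ? ORDER BY client",
            (AUTH_ALLOWED,),
        )
        for service, client in rows:
            if service in WATCHED_SERVICES:
                grants[WATCHED_SERVICES[service]].append(client)
    finally:
        conn.close()
    return grants


def build_constructed_tcc_db() -> Path:
    """Write a CONSTRUCTED TCC-style database with made-up clients so the
    audit can be exercised without touching the real, protected databases."""
    path = Path(tempfile.mkdtemp(prefix="tcc-demo-")) / "TCC.db"
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            ("kTCCServiceScreenCapture", "com.example.screenshot-tool", 0, 2),
            ("kTCCServiceAccessibility", "com.example.window-manager", 0, 2),
            ("kTCCServiceAccessibility", "com.example.denied-app", 0, 0),
            ("kTCCServiceSystemPolicyAllFiles", "com.example.backup-agent", 0, 2),
            ("kTCCServiceCamera", "com.example.video-chat", 0, 2),  # not watched
        ],
    )
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    # Demonstrate on the constructed database; pass SYSTEM_TCC_DB or
    # USER_TCC_DB instead to audit the running machine.
    for label, clients in granted_sensitive_permissions(build_constructed_tcc_db()).items():
        print(f"{label}: {', '.join(clients) or '(none)'}")
```

On a managed fleet the same query is worth running periodically and diffing, because a newly granted Screen Recording or Full Disk Access entry for an unfamiliar client is exactly the state a component like xcc is checking for.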
The identity of the threat actors behind JokerSpy remains unknown, as does the initial access method. Whether the toolkit involves social engineering techniques or spear-phishing campaigns to infiltrate target systems is still being determined.
The emergence of JokerSpy follows closely on the heels of the disclosure made by Kaspersky (a Russian cybersecurity company) regarding a sophisticated mobile campaign called Operation Triangulation, which has targeted iOS devices since 2019. This targeted attack sequence highlights escalating efforts to compromise Apple's ecosystem.