Cryptocurrency Exchange Falls Victim to Unprecedented and Devastating Mac Malware Attack

Researchers have uncovered a new strain of Mac malware, named JokerSpy, that was used against a cryptocurrency exchange and poses a direct threat to the security of users' funds. JokerSpy can steal data, download and execute further malicious files, and may have cross-platform variants. The backdoor is written in Python, and its operators also leveraged SwiftBelt, an open-source macOS enumeration tool originally built for legitimate security testing. JokerSpy first came to light through a published security report, which both documented the malware and raised the possibility that Windows and Linux versions exist. The case illustrates the ongoing pressure on cryptocurrency exchanges and the constant need for robust security measures against emerging threats.

Anatomy of the Threat

JokerSpy was uncovered after an endpoint protection tool flagged a suspicious binary named xcc. The victim was a well-known cryptocurrency exchange in Japan. Once xcc was in place, the operators went after macOS's Transparency, Consent, and Control (TCC) protections, which require explicit user consent before an application can access sensitive data and resources. Rather than requesting those permissions, the threat actors replaced the existing TCC database with their own copy, most likely so that no consent prompts would appear while JokerSpy was active. On a current macOS release the TCC database itself is protected by System Integrity Protection and by TCC, so overwriting it requires Full Disk Access or a bypass; a replaced database is therefore a strong sign of compromise in its own right. Attackers have bypassed TCC before by exploiting vulnerabilities in its enforcement, and researchers have demonstrated similar attacks.
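The database swap described above is something an endpoint check can catch. The following script is an added example, not code from the article or from the researchers who analysed JokerSpy: it baselines a TCC database file (SHA-256 plus inode), reports when the file has been replaced, and lists "allowed" rows for sensitive services whose client is not on an expected allowlist. The `access` table it builds is a deliberately minimal stand-in for the real one (only `service`, `client`, `client_type`, `auth_value`), the meaning of `auth_value == 2` as "allowed" is the author's understanding rather than something the article states, and `com.example.xcc` is a placeholder client name, not a real JokerSpy identifier.

```python
"""Detect replacement of, or suspicious grants in, a macOS TCC database.

Added example. Assumptions: a minimal 'access' table with columns
service, client, client_type, auth_value; auth_value 2 means allowed.
"""
import hashlib
import os
import sqlite3
import tempfile

# Sensitive TCC services worth alerting on. The kTCCService* names are
# Apple's; which ones to watch is this example's choice.
SENSITIVE_SERVICES = {
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicyAllFiles",
    "kTCCServiceListenEvent",
}
ALLOW = 2  # auth_value meaning "allowed" (assumption)


def baseline(path):
    """Record sha256, inode and size of the database file."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.stat(path)
    return {"sha256": digest, "inode": st.st_ino, "size": st.st_size}


def integrity_changed(path, base):
    """True if the file was rewritten or swapped out since the baseline."""
    now = baseline(path)
    return now["sha256"] != base["sha256"] or now["inode"] != base["inode"]


def suspicious_grants(path, expected_clients):
    """Return (service, client) for allowed sensitive grants to unknown clients."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT service, client, auth_value FROM access"
        ).fetchall()
    finally:
        conn.close()
    return sorted(
        (service, client)
        for service, client, auth_value in rows
        if service in SENSITIVE_SERVICES
        and auth_value == ALLOW
        and client not in expected_clients
    )


def make_sample_db(path, rows):
    """Build a constructed stand-in for TCC.db with a minimal access table."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def demo():
    """Simulate a legitimate database, then an attacker swapping it out."""
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "TCC.db")
    make_sample_db(db, [
        ("kTCCServiceAccessibility", "com.apple.Terminal", 0, ALLOW),
    ])
    base = baseline(db)
    expected = {"com.apple.Terminal"}
    before = (integrity_changed(db, base), suspicious_grants(db, expected))

    # Attacker replaces the whole file with one granting itself access.
    # "com.example.xcc" is a placeholder, not a real JokerSpy identifier.
    os.remove(db)
    make_sample_db(db, [
        ("kTCCServiceAccessibility", "com.apple.Terminal", 0, ALLOW),
        ("kTCCServiceScreenCapture", "com.example.xcc", 0, ALLOW),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.xcc", 0, ALLOW),
    ])
    after = (integrity_changed(db, base), suspicious_grants(db, expected))
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real Mac the per-user database lives under ~/Library/Application Support/com.apple.TCC/TCC.db and the system one under /Library/Application Support/com.apple.TCC/TCC.db; an agent needs Full Disk Access just to read them, so store the baseline somewhere the attacker cannot rewrite alongside the database. The inode comparison catches the rename-over-the-original pattern even when an attacker later restores plausible contents.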

The main engine of JokerSpy is a backdoor whose commands give the operator hands-on control of the compromised system. Each command is a short identifier:

    sk   stop the backdoor
    l    list files in a given path
    c    execute a shell command and return its output
    cd   change the current directory and report the new path
    xs   execute Python code, passed as a parameter, in the current context
    xsi  decode Base64-encoded Python code and execute it
    r    remove a file or directory from the system
    e    execute a file from the system, with or without parameters
    u    upload a file to the infected system
    d    download a file from the infected system
    g    read the malware's current configuration from its configuration file
    w    overwrite the configuration file with new values

Taken together, these commands let the operator run arbitrary code, move files in both directions and reconfigure the implant without redeploying it.

As reported, once a system is infected with malware like JokerSpy, the attacker has substantial control over it. Through the backdoor they can quietly install additional components, stage further exploits, watch what the user does, harvest login credentials or cryptocurrency wallets, and carry out other harmful activity.

Infection Vector Currently Unknown

Researchers have not yet determined how JokerSpy is installed. The leading theory is that initial access came through an unsafe or compromised plugin or third-party dependency that handed the threat actor access. That theory is consistent with a finding by Bitdefender researchers, who spotted a hardcoded domain in a version of the sh.py backdoor that pointed to tweets discussing an infected macOS QR code reader with an unsafe dependency. It was also noted that, in the Japanese exchange intrusion, the threat actor already had access to the environment before the malware was observed.

Organisations that want to check for JokerSpy have a set of indicators to work from: cryptographic hashes of the known xcc and sh.py samples, and network contact with domains such as git-hub[.]me and app.influmarket[.]org. The domains are published in defanged form and must be refanged (the [.] replaced by a dot) before matching them against DNS or proxy logs. JokerSpy initially went unnoticed by most security engines, but a broader range of engines now detects it. There is no confirmation that Windows or Linux versions exist, but the possibility should be kept in mind.
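As an added example of putting those indicators to work (this is not code from the article or the researchers), the script below refangs the two published domains, matches DNS-style log lines against them including subdomains, and compares file hashes case-insensitively. The log lines and the "sample" file bytes are constructed for the demo; the hashes in the script are of those constructed bytes, not the real xcc or sh.py hashes, which the article does not list.

```python
"""Match published JokerSpy indicators against local artifacts (added example).

Assumptions: DNS log lines look like "<timestamp> <client> query <name>";
the file hashes are SHA-256 of constructed stand-in bytes, not real samples.
"""
import hashlib
import re

# Domains exactly as the article publishes them, in defanged form.
IOC_DOMAINS_DEFANGED = ["git-hub[.]me", "app.influmarket[.]org"]


def refang(domain):
    """Turn 'git-hub[.]me' / 'hxxp://x' style defanging back into a real name."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return d.rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(name, iocs=IOC_DOMAINS):
    """True if name equals an IOC domain or is a subdomain of one.

    A parent such as influmarket.org is deliberately NOT a hit: only the
    published host and anything beneath it count.
    """
    name = refang(name)
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)


# Constructed DNS-style log lines for the demo.
SAMPLE_DNS_LOG = """\
2023-06-20T10:01:02Z 10.0.0.12 query api.github.com
2023-06-20T10:01:09Z 10.0.0.12 query git-hub.me
2023-06-20T10:02:44Z 10.0.0.31 query cdn.app.influmarket.org
2023-06-20T10:03:10Z 10.0.0.31 query influmarket.org
2023-06-20T10:04:00Z 10.0.0.55 query app.influmarket.org.example.net
"""

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def scan_dns_log(text):
    """Return (client, name) pairs whose queried name hits an IOC domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, name = m.groups()
        if domain_matches(name):
            hits.append((client, name))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_matches(file_bytes, ioc_hashes):
    """Compare a file's SHA-256 against indicator hashes, ignoring case."""
    return sha256_hex(file_bytes) in {h.lower() for h in ioc_hashes}


# Constructed stand-ins; these are NOT the real xcc / sh.py samples.
FAKE_XCC = b"constructed xcc stand-in, not the real binary\n"
FAKE_SH_PY = b"# constructed sh.py stand-in, not the real backdoor\n"
IOC_HASHES = {sha256_hex(FAKE_XCC), sha256_hex(FAKE_SH_PY)}


if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(hash_matches(FAKE_XCC, IOC_HASHES), hash_matches(b"benign", IOC_HASHES))
```

Two design points matter in practice: refang before matching so the literal "[.]" never silently defeats the comparison, and match by label boundary ("." + ioc) rather than a bare substring, so app.influmarket.org.example.net is not mistaken for a hit while cdn.app.influmarket.org is.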
