New mysterious macOS malware infiltrates crypto exchange

in macOS

A new and strange macOS malware called "JokerSpy" has been identified, with its first known backdoor creation hitting a crypto exchange.

While Mac threats are relatively rare compared to Windows, the number of instances where macOS is the target has continued to grow. In a new discovery, it seems there's one more backdoor-creating malware to add to the list of potential threats.

Initially reported by researchers by Bitdefender with independent research also carried out by Elastic Security Labs, the malware known as JokerSpy is still relatively unknown, in part due to a lack of samples. So far, BitDefender is working on four samples in total, while Eastic focused on the breach of a "prominent Japanese cryptocurrency exchange."

As part of the malware's construction, it uses a binary called "xcc" that contains Mach-O files for x86 Intel and ARM M1 architectures, theoretically allowing it to work on Intel and Apple Silicon Macs. The file checks for permissions managed by Apple's Transparency, Consent, and Control system.

After copying over the existing TCC database to avoid detection, the xcc executable ran, creating a python-based backdoor before gathering system information that's then sent back to the attacker. It's feasible that plugins and other payloads can be employed to secure more control over the system.

The breach in late May was followed by a new Python tool being installed on June 1, running a post-exploitation enumeration tool called Swiftbelt.

With so few instances to work from, and the belief that the exchange hacker had previous access to the target system, it is unknown how the malware could've been introduced to the target Macs outside of already having some form of access.

It is also unknown who created the malware in the first place, but by targeting a cryptocurrency exchange, it could be a very sophisticated attack rather than one where the average user could fall prey to it.

Prevention is the way

Based on the limited evidence available, it seems unlikely that the average Mac user will find themselves having to deal with JokerSpy at this time, save for high-value targets.

AppleInsider typically recommends Mac users keep up to date with macOS updates, in part due to Apple's regular inclusion of security fixes. Users should also exercise good online hygiene, including being aware of how trustworthy sites and downloads are, limiting the distribution of private information, and using available security options where possible.

Read on AppleInsider


  • Reply 1 of 1
    "Smart Contracts" are code - all it takes is authorising the code in the contract to execute on the computer and the user has bypassed the OS security on behalf of the contract author.

    That's my guess for the attack vector, anyway. Somebody issued a new alt coin and found some suckers.
Sign In or Register to comment.