A Japanese cryptocurrency exchange is in serious trouble after being identified as infected by previously unknown macOS malware, reportedly capable of a wide range of functionality, including downloading and executing further malicious executables and stealing sensitive data.

Written in Python, the malware, now identified as JokerSpy, works alongside SwiftBelt, an open-source tool legitimately used by security professionals for the assessment of network vulnerabilities.

JokerSpy came out of total obscurity only earlier this month, when researchers at Bitdefender first reported it and subsequently unearthed components intended for Windows and Linux, indicating the malware's multi-platform nature.

Security firm Elastic corroborated the finding by describing a notable JokerSpy component called “xcc” and linking it to a “prominent Japanese cryptocurrency exchange.”

Once executed, the malware lets the unidentified threat actor circumvent the system's TCC (Transparency, Consent, and Control) protections, giving the attacker illicit access to the device's hard drive and the information stored on it, including the ability to take screenshots at will.

Replacing the TCC database is a crucial part of the scheme: it prevents the system from alerting the user as JokerSpy runs its course.

With TCC under its control, xcc can monitor TCC permissions as well as which apps the user is running. From there, JokerSpy's main engine, the sh.py program, is installed, providing a list of backdoor capabilities.
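As an added defender-side example (not code from the article, Elastic or Bitdefender), the following Python audit lists allowed grants of screen capture or full-disk access to clients outside an allowlist, the kind of check worth running after a report that a TCC database was replaced. The table layout is a constructed subset of the real TCC.db `access` table, and the allowlist and sample rows are made up; reading the live databases requires Full Disk Access.

```python
"""Audit a TCC.db for unexpected grants of sensitive services.

Added example, not from the article or the vendors it cites. Assumes
the macOS 11+ TCC.db layout, where the `access` table has at least the
columns service, client, auth_value and last_modified (other columns
are omitted). Live copies: ~/Library/Application Support/com.apple.TCC/TCC.db
(per user) and /Library/Application Support/com.apple.TCC/TCC.db (system).
"""
import os
import sqlite3
import tempfile

# Services that matter most for the technique above: screen capture and
# broad disk access.
SENSITIVE_SERVICES = {"kTCCServiceScreenCapture", "kTCCServiceSystemPolicyAllFiles"}
# Constructed allowlist of bundle identifiers expected to hold those grants.
EXPECTED_CLIENTS = {"com.apple.Terminal", "us.zoom.xos"}

def audit_tcc(db_path, sensitive=SENSITIVE_SERVICES, expected=EXPECTED_CLIENTS):
    """Return (service, client, last_modified) for every allowed grant of a
    sensitive service to a client that is not on the allowlist."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT service, client, auth_value, last_modified FROM access"
        ).fetchall()
    finally:
        con.close()
    # auth_value 2 means "allowed" in the modern TCC schema (assumption noted above).
    return [(svc, client, ts) for svc, client, auth, ts in rows
            if svc in sensitive and auth == 2 and client not in expected]

def make_sample_db():
    """Build a constructed TCC-like database containing one suspicious grant."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)")
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, 1686000000),
        ("kTCCServiceScreenCapture", "com.example.unknownhelper", 1, 2, 4, 1687000000),
        ("kTCCServiceMicrophone", "com.example.unknownhelper", 1, 2, 2, 1687000000),
    ])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    for finding in audit_tcc(make_sample_db()):
        print("unexpected TCC grant:", finding)
```

Run against a copied TCC.db, the script flags screen-capture or full-disk grants held by anything outside the allowlist, which is the residue a database swap like the one described here would leave behind.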

It is not entirely clear at this point how JokerSpy gets installed, but Elastic believes the malware enters a system via a “backdoored plugin,” which lines up with Bitdefender's identification of a malicious macOS QR code reader said to be associated with JokerSpy.

Elastic also believes that the threat actor behind the malware already had “existing access” to the aforementioned Japanese crypto exchange.

Source: Ars Technica
