Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems

June 19, 2023 | Ravi Lakshmanan | Endpoint Security / Hacking


Cybersecurity researchers have discovered a series of malicious artifacts that are allegedly part of a sophisticated toolkit targeting Apple macOS systems.

“At the moment, these samples are still undetected and very little information is available about them,” Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report released on Friday.

The Romanian company’s analysis is based on a study of four samples uploaded to VirusTotal by anonymous victims. The oldest sample dates to April 18, 2023.

Two of the three malicious programs are said to be generic Python-based backdoors designed to target Windows, Linux, and macOS systems. The payloads are collectively dubbed JokerSpy.

The first component is shared.dat, which, when started, performs an operating system check (0 for Windows, 1 for macOS, 2 for Linux), establishes a connection with a remote server, and retrieves instructions to execute from it.


This includes gathering system information, executing commands, downloading and executing files on the victim machine, and terminating the machine itself.

On devices running macOS, the Base64-encoded content retrieved from the server is written to a file named “/Users/Shared/AppleAccount.tgz”, which is then decompressed and launched as the “/Users/Shared/TempUser/AppleAccountAssistant.app” application.

The same routine on a Linux host identifies the operating system distribution by checking the “/etc/os-release” file. It then writes C code to a temporary file, “tmp.c”, which is compiled with the cc command on Fedora and the gcc command on Debian into a file called “/tmp/.ICE-unix/git”.

Bitdefender said it also found a “more powerful backdoor” among the samples: a file labeled “sh.py” with an extensive set of functions to collect system metadata, enumerate files, delete files, execute commands and files, and exfiltrate encoded data in batches.

The third component is a FAT binary known as xcc, written in Swift and targeting macOS Monterey (version 12) and later. The file contains two Mach-O files for the two CPU architectures, x86 Intel and ARM M1.

“Its main purpose appears to be to check permissions (perhaps to capture the screen) before using a potential spyware component, but it does not contain the spyware component itself,” the researchers said.


“This suggests that these files are part of a more complex attack and some files are missing from the systems we investigated.”

xcc’s spyware connection is based on the path “/Users/joker/Downloads/Spy/XProtectCheck/” identified in the file content and on the fact that it checks permissions such as full disk access, screen recording, and accessibility.
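The artifacts above give a defender a small set of host indicators to hunt for: the macOS drop and launch paths, the Linux compile of a dropped tmp.c into /tmp/.ICE-unix/git, and the build path embedded in xcc. The following is an added example (not Bitdefender’s code, and not part of the original article) that scans constructed endpoint telemetry for those indicators. The event schema (file_write, process_exec, strings) and all sample events are assumptions; only the paths and the cc/gcc compile step come from the article.

```python
"""Hunt for the JokerSpy host indicators named in the article.

Added example over constructed telemetry; the Event schema and sample
records are assumptions, not real captures.
"""
import re
from dataclasses import dataclass

# Paths the article attributes to the samples.
SUSPECT_PATHS = (
    "/Users/Shared/AppleAccount.tgz",
    "/Users/Shared/TempUser/AppleAccountAssistant.app",
    "/tmp/.ICE-unix/git",
    "/Users/joker/Downloads/Spy/XProtectCheck/",
)

# The Linux branch compiles a dropped tmp.c with cc (Fedora) or gcc (Debian)
# into /tmp/.ICE-unix/git; match that compiler invocation by shape.
COMPILE_RE = re.compile(r"^(?:cc|gcc)\b.*\btmp\.c\b.*-o\s+/tmp/\.ICE-unix/git\b")


@dataclass(frozen=True)
class Event:
    host: str
    kind: str    # assumed schema: "file_write", "process_exec" or "strings"
    detail: str  # path written, full command line, or a string from a scanned binary


def matches(event):
    """Return a reason string if the event hits an indicator, else None."""
    if event.kind == "file_write":
        # Exact path, or anything written underneath an indicator directory/bundle.
        for p in SUSPECT_PATHS:
            if event.detail == p or event.detail.startswith(p.rstrip("/") + "/"):
                return f"write to known JokerSpy path {p}"
    elif event.kind == "process_exec":
        if COMPILE_RE.search(event.detail):
            return "compile of dropped tmp.c into /tmp/.ICE-unix/git"
        for p in SUSPECT_PATHS:
            if p in event.detail:
                return f"command references known JokerSpy path {p}"
    elif event.kind == "strings":
        # The XProtectCheck path was found embedded in xcc, so a string-scan hit
        # is the realistic form of this indicator.
        for p in SUSPECT_PATHS:
            if p in event.detail:
                return f"binary contains known JokerSpy path {p}"
    return None


def hunt(events):
    """Return [(host, reason)] for every matching event, in input order."""
    hits = []
    for ev in events:
        reason = matches(ev)
        if reason:
            hits.append((ev.host, reason))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    Event("mac-01", "file_write", "/Users/Shared/AppleAccount.tgz"),
    Event("mac-01", "file_write",
          "/Users/Shared/TempUser/AppleAccountAssistant.app/Contents/MacOS/AppleAccountAssistant"),
    Event("mac-01", "file_write", "/Users/Shared/notes.txt"),
    Event("lnx-07", "file_write", "/tmp/tmp.c"),
    Event("lnx-07", "process_exec", "gcc /tmp/tmp.c -o /tmp/.ICE-unix/git"),
    Event("lnx-07", "process_exec", "gcc main.c -o build/app"),
    Event("mac-02", "strings", "/Users/joker/Downloads/Spy/XProtectCheck/xcc.swift"),
]

if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Matching on the full compile command line rather than on the compiler name alone keeps a developer’s ordinary gcc invocation out of the hit list, as the sixth sample event shows; the file-write rule matches anything written inside the AppleAccountAssistant.app bundle, not just the bundle path itself.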

The identity of the threat actor behind this activity is still unknown. It is also unclear at this time how the initial access is obtained and whether it involves elements of social engineering or spear phishing.

The disclosure comes just over two weeks after Russian cybersecurity firm Kaspersky revealed that iOS devices were being targeted as part of a sophisticated, long-running mobile campaign called Operation Triangulation that began in 2019.
