Crypto Exchange Infected With Novel Mac Malware

mac computer macos

A group of researchers has made a groundbreaking discovery by uncovering previously unknown Mac malware that has infected a cryptocurrency exchange. This malicious software, known as JokerSpy, possesses a comprehensive range of capabilities, enabling it to pilfer private data, as well as download and execute additional harmful files.

JokerSpy, written in the Python programming language, exploits a freely available tool called SwiftBelt, typically utilized by legitimate security professionals for assessing network vulnerabilities. The security company Bitdefender initially brought JokerSpy to the public's attention earlier this month. Analysts from the company indicated that the malware includes components for both Windows and Linux, suggesting that versions for these platforms may also exist.

Following this revelation, Elastic, another security firm, reported that their diagnostic endpoint protection tool had detected a binary file named xcc, which is associated with JokerSpy. Although Elastic did not disclose the exact identity of the victim, they did mention that it was a prominent cryptocurrency exchange based in Japan.

Malware's mode of operation

Once xcc is executed, the unidentified threat actor attempts to circumvent macOS's TCC (Transparency Consent and Control) protections, which mandate explicit user permission for an application to access sensitive resources such as the hard drive, contacts, or screen recording.

By substituting the legitimate TCC database with their own version, the threat actors likely intended to suppress any alerts that would typically arise when JokerSpy is operational. Previous attacks have demonstrated the ability of threat actors to exploit vulnerabilities in TCC protections for bypassing them. These manipulations have been successful in similar instances.

Despite extensive investigation, researchers have yet to determine the precise method of JokerSpy's installation. Elastic researchers strongly believe that the initial access point for this malware was a malicious or compromised plugin or third-party dependency that granted the threat actor unauthorized entry. This hypothesis aligns with findings from Bitdefender, as they connected a hardcoded domain discovered in a version of the sh.py backdoor to a series of tweets regarding an infected macOS QR code reader containing a malicious dependency. Elastic also noted that the observed threat actor already had pre-existing access to the Japanese cryptocurrency exchange.

By Zaib
June 28, 2023
Computer Security
English
June 28, 2023
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Mac Malware

At Least 30,000 Mac Users Infected With New Malware Strain

In late February security researchers with Red Canary published their findings on a new strain of malware targeting Mac computers. The new malware is named Silver Sparrow and its purpose is still a bit unclear.... Read more

February 23, 2021
Mac Malware

Xagent Mac Malware

Xagent is the name of a piece of malware that can infect computers running MacOS, among other devices and operating systems. The malware is believed to have links to the threat actor group collectively known as Fancy... Read more

May 24, 2021
Mac Malware

Remove DirtyMoe Malware

The DirtyMoe Malware is a malicious project that has been rapidly picking up its pace over the past couple of months. Currently, there are over 100,000 active infections with the DirtyMoe Malware worldwide, and the... Read more

June 18, 2021
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.