Researchers discovered a set of malicious tools that appear to be part of a sophisticated toolkit developed to target and compromise macOS systems. Reports of macOS-focused threats have appeared consistently over the past few months, but little information is available about these new components.
The researchers identified the components after analysing four samples uploaded to VirusTotal by an anonymous victim; the latest of these samples was analysed a few months ago.
Two of the components are Python-based backdoors, collectively tracked as JokerSpy. Threat analysts report that their developers built them to run on multiple operating systems, including Windows, Linux and macOS.
The first component, shared[.]dat, performs an operating-system check and connects to a remote server to retrieve additional commands. Separate research identified a more powerful backdoor, sh[.]py, with the same multi-platform capability.
The third component, xcc, is a FAT (universal) binary written in Swift that primarily targets macOS 12 and newer.
Commands supported by shared[.]dat include collecting system information, running commands, downloading and executing files on the compromised device, and self-termination.
sh[.]py can collect system metadata, enumerate and delete files, execute commands and files, and exfiltrate encoded data in batches. The primary role of xcc is to check whether the required permissions have been granted before a potential spyware component with screen-capture capability is used; on macOS these are privacy (TCC) permissions such as Screen Recording, which a process cannot use without the user's consent. The researchers noted, however, that xcc itself does not contain the spyware code.
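The two artifact types described above, a universal Mach-O binary and Python backdoors with OS fingerprinting, remote tasking, encoded exfiltration and self-deletion, can both be triaged statically. The helper below is an added example and is not code from the original article or from the researchers' analysis: it parses the Mach-O fat header to list the architectures a universal binary carries, and scans Python source for the behaviours the article lists. The fat header bytes and the Python source it runs on are constructed here to mimic those traits and are not the real samples; the OS-code mapping in the sample and the indicator patterns are assumptions, not the actual JokerSpy implementation.

```python
import re
import struct

# Mach-O fat (universal) header constants from <mach-o/fat.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}


def fat_archs(data: bytes):
    """Return the architecture names in a universal Mach-O, or [] if not a fat binary.

    Layout (all big-endian): fat_header {magic, nfat_arch} followed by nfat_arch
    fat_arch {cputype, cpusubtype, offset, size, align} entries of 20 bytes each.
    """
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return []
    archs = []
    for i in range(nfat):
        off = 8 + i * 20
        if off + 20 > len(data):
            break  # truncated header: report what was parsed
        cputype, _subtype, _offset, _size, _align = struct.unpack(">IIIII", data[off:off + 20])
        archs.append(CPU_TYPE_NAMES.get(cputype, f"cputype_0x{cputype:08x}"))
    return archs


# Assumed behavioural indicators matching the capabilities the article attributes
# to shared.dat and sh.py; they are heuristics, not signatures for the real samples.
INDICATORS = {
    "os_fingerprint": re.compile(r"\b(platform\.system|sys\.platform|os\.uname)\b"),
    "remote_tasking": re.compile(r"\b(urllib\.request\.urlopen|requests\.(get|post)|socket\.socket)\b"),
    "encoded_exfil": re.compile(r"\bbase64\.b64encode\b"),
    "file_deletion": re.compile(r"\bos\.(remove|unlink)\b|\bshutil\.rmtree\b"),
    "command_execution": re.compile(r"\bsubprocess\.(Popen|run|check_output)\b|\bos\.system\b"),
    "self_termination": re.compile(r"os\.(remove|unlink)\(\s*(__file__|sys\.argv\[0\])"),
}


def python_indicators(source: str):
    """Return the sorted names of indicators present in a Python source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def triage(data: bytes):
    """Classify a file's bytes as a fat Mach-O, Python source, or unknown."""
    archs = fat_archs(data)
    if archs:
        return {"kind": "fat-mach-o", "archs": archs}
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "unknown"}
    if text.lstrip().startswith(("import ", "from ", "#!")) or "def " in text:
        return {"kind": "python", "indicators": python_indicators(text)}
    return {"kind": "unknown"}


# Constructed fat header: two slices (x86_64 and arm64), offsets/sizes are illustrative.
SAMPLE_FAT_HEADER = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x10000, 14)
    + struct.pack(">IIIII", 0x0100000C, 0, 0x18000, 0x12000, 14)
)

# Constructed Python source imitating the described backdoor behaviours (not the real sample;
# the 0/1/2 OS-code mapping is an assumption for illustration only).
SAMPLE_SOURCE = '''
import os, sys, platform, base64, subprocess, urllib.request
def os_check():
    return {"Windows": 0, "Darwin": 1, "Linux": 2}.get(platform.system(), -1)
def fetch_task(url):
    return urllib.request.urlopen(url).read()
def run(cmd):
    return subprocess.check_output(cmd, shell=True)
def report(blob):
    return base64.b64encode(blob)
def self_delete():
    os.remove(sys.argv[0])
'''

if __name__ == "__main__":
    print(triage(SAMPLE_FAT_HEADER))
    print(triage(SAMPLE_SOURCE.encode()))
```

Run the module directly to triage the two constructed samples; pointing `triage()` at `open(path, "rb").read()` applies the same checks to a file from disk. The indicator scan is deliberately coarse and will flag legitimate administrative scripts, so treat a hit as a reason to look closer rather than as a verdict.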
These details do not describe the full attack chain, since multiple files were missing from the victim's system. The researchers therefore believe the components are part of a larger cybercriminal operation.
Organisations should treat these components as a significant threat, since much of the activity behind them remains unexplained. Developers and administrators should also account for the increasing volume of cybercriminal activity against macOS users when defending against such attacks.