Initial research exposing JOKERSPY

Key takeaways

This is an initial notification of an active intrusion, with additional details to follow.
REF9134 leverages custom and open source tools for reconnaissance and command and control.
Targets of this activity include a cryptocurrency exchange in Japan.

To identify other binaries signed with the same identifier, we converted the string XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4 to its hexadecimal encoding and ran a VirusTotal content search, which returned three additional samples: content:{5850726f74656374436865636b2d35353535343934346637343039366138333662373333313062643535643937643164666635636434}

Each contained the same core functionality but with structural differences. These discrepancies may indicate that the variants of xcc were developed to bypass endpoint capabilities that interfered with execution.

Shortly after the creation of xcc, researchers observed the threat actor copying /Users/Shared/tcc.db over the existing TCC database, /Library/Application Support/com.apple.TCC/TCC.db. Replacing the database that tccd consults lets the threat actor avoid the TCC consent prompts a user would otherwise see, while /Users/Shared, a directory any local user can write to, provides a convenient staging location for the replacement.

Upon successful execution in our Detonate environment, xcc displayed its results (the captured output is not reproduced on this page).

Once the custom TCC database was placed in the expected location, the threat actor executed the xcc binary.
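A way to check a host for the two artifacts this step leaves behind: grants in the live TCC database that nobody recognises, and a TCC.db that is byte-for-byte identical to a copy staged in /Users/Shared. This is an added example, not code from the Elastic report or from the actor's tooling; it assumes the macOS 11 and later `access` table layout (auth_value 2 meaning allowed, client_type distinguishing bundle identifiers from absolute paths), and the database rows it audits are constructed for the demo rather than taken from a real system.

```python
"""Audit a macOS TCC database for Accessibility / Screen Recording grants and
detect a live TCC.db that is byte-identical to a copy staged in /Users/Shared.

Added example (not code from the Elastic report). Assumptions: the macOS 11+
`access` table layout, where auth_value 2 means "allowed" and client_type 0/1
distinguishes bundle identifiers from absolute paths. The database built by
build_sample_db() is a constructed fixture, not a real TCC.db.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile
from urllib.parse import quote

SYSTEM_TCC = "/Library/Application Support/com.apple.TCC/TCC.db"
STAGED_TCC = "/Users/Shared/tcc.db"          # staging path observed in the intrusion
WATCHED = ("kTCCServiceAccessibility", "kTCCServiceScreenCapture")
TCC_ALLOWED = 2                               # auth_value meaning "granted"


def build_sample_db(path):
    """Constructed fixture containing only the `access` columns this audit reads."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    con.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("kTCCServiceAccessibility", "com.googlecode.iterm2", 0, 2, 2, 1686000000),
            ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, 1686000000),
            # Constructed rows standing in for grants an attacker would plant (path-based client):
            ("kTCCServiceAccessibility", "/Users/Shared/xcc", 1, 2, 2, 1687100000),
            ("kTCCServiceScreenCapture", "/Users/Shared/xcc", 1, 2, 2, 1687100000),
            ("kTCCServiceCamera", "com.apple.FaceTime", 0, 2, 2, 1686000000),
        ],
    )
    con.commit()
    con.close()


def granted_clients(db_path):
    """(service, client, client_type) for every allowed grant of a watched service."""
    uri = f"file:{quote(os.path.abspath(db_path))}?mode=ro"   # read-only: never modify evidence
    con = sqlite3.connect(uri, uri=True)
    try:
        return con.execute(
            "SELECT service, client, client_type FROM access "
            "WHERE auth_value = ? AND service IN (?, ?) ORDER BY service, client",
            (TCC_ALLOWED, *WATCHED),
        ).fetchall()
    finally:
        con.close()


def suspicious_grants(db_path, allowlist):
    """Grants to clients (bundle ids or paths) that are not on the known-good allowlist."""
    return [(svc, client) for svc, client, _ in granted_clients(db_path)
            if client not in allowlist]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def staged_copy_matches(live_db, staged_db):
    """True when the live database is byte-identical to a staged copy, i.e. it was swapped in."""
    if not (os.path.isfile(live_db) and os.path.isfile(staged_db)):
        return False
    return sha256_file(live_db) == sha256_file(staged_db)


def run_demo():
    """Build the constructed fixture in a temp dir and run both checks against it."""
    tmp = tempfile.mkdtemp()
    live = os.path.join(tmp, "TCC.db")
    staged = os.path.join(tmp, "tcc.db")
    build_sample_db(live)
    shutil.copyfile(live, staged)            # simulate the staged copy that was swapped in
    result = {
        "suspicious": suspicious_grants(live, {"com.googlecode.iterm2", "us.zoom.xos"}),
        "swapped_in": staged_copy_matches(live, staged),
        "no_staged_copy": staged_copy_matches(live, os.path.join(tmp, "missing.db")),
    }
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a suspect host, call suspicious_grants(SYSTEM_TCC, allowlist) and staged_copy_matches(SYSTEM_TCC, STAGED_TCC) from a process that holds Full Disk Access, since the system database is not readable otherwise. A hash match between the two files is the stronger signal: the staged copy only matters if it is what tccd is now reading.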

Initial access

The xcc binary was executed via bash by three separate processes:

/Applications/IntelliJ IDEA.app/Contents/MacOS/idea
/Applications/iTerm.app/Contents/MacOS/iTerm2
/Applications/Visual Studio Code.app/Contents/MacOS/Electron

While we are still investigating and continuing to gather information, we strongly believe that initial access for this malware was a malicious or backdoored plugin or third-party dependency that gave the threat actor access. This aligns with the connection made by researchers at Bitdefender, who correlated the hardcoded domain found in a version of the sh.py backdoor with a tweet about an infected macOS QR code reader that was found to have a malicious dependency.
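One way to turn the three observed parent processes into a hunt: walk process telemetry for any binary executed from a world-writable staging directory and report the shell and the application that launched it. This is an added example, not an Elastic detection rule; the process events are constructed for the demo, the staging directory list and the severity ranking are my own choices, and only the three application paths come from the list above.

```python
"""Flag executions of binaries staged in world-writable directories and report the
shell and application that launched them (the xcc lineage described above).

Added example, not an Elastic rule. EVENTS is constructed telemetry shaped like
what an EDR records (pid, ppid, exe, args); pids and benign rows are made up.
"""

STAGING_DIRS = ("/Users/Shared", "/tmp", "/private/tmp")   # assumption: my own list
DEV_TOOL_APPS = {                                           # parents observed in the report
    "/Applications/IntelliJ IDEA.app/Contents/MacOS/idea",
    "/Applications/iTerm.app/Contents/MacOS/iTerm2",
    "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

# Constructed telemetry: several process trees rooted at launchd (pid 1).
EVENTS = [
    {"pid": 1,   "ppid": 0,   "exe": "/sbin/launchd", "args": ["launchd"]},
    {"pid": 501, "ppid": 1,   "exe": "/Applications/IntelliJ IDEA.app/Contents/MacOS/idea", "args": ["idea"]},
    {"pid": 502, "ppid": 501, "exe": "/bin/bash", "args": ["bash", "-c", "/Users/Shared/xcc"]},
    {"pid": 503, "ppid": 502, "exe": "/Users/Shared/xcc", "args": ["/Users/Shared/xcc"]},
    {"pid": 510, "ppid": 1,   "exe": "/Applications/iTerm.app/Contents/MacOS/iTerm2", "args": ["iTerm2"]},
    {"pid": 511, "ppid": 510, "exe": "/bin/zsh", "args": ["-zsh"]},
    {"pid": 512, "ppid": 511, "exe": "/usr/bin/git", "args": ["git", "status"]},      # benign
    {"pid": 520, "ppid": 1,   "exe": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", "args": ["Electron"]},
    {"pid": 521, "ppid": 520, "exe": "/bin/bash", "args": ["bash", "-c", "/Users/Shared/xcc"]},
    {"pid": 522, "ppid": 521, "exe": "/Users/Shared/xcc", "args": ["/Users/Shared/xcc"]},
    {"pid": 530, "ppid": 1,   "exe": "/bin/bash", "args": ["bash", "/usr/local/bin/backup.sh"]},  # benign: not staged
    {"pid": 531, "ppid": 530, "exe": "/usr/local/bin/backup.sh", "args": ["backup.sh"]},
]


def in_staging_dir(path):
    """True when the executable lives under one of the world-writable staging directories."""
    return any(path.startswith(d + "/") for d in STAGING_DIRS)


def ancestors(pid, by_pid):
    """Parent, grandparent, ... of pid, following ppid links; cycle-safe."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def staged_binary_executions(events):
    """Every execution out of a staging dir, annotated with the launching shell and the
    first developer-tool ancestor. Location is the trigger; the IDE/terminal ancestor
    only raises severity, so xcc launched some other way is still reported."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not in_staging_dir(e["exe"]):
            continue
        chain = ancestors(e["pid"], by_pid)
        via_shell = chain[0]["exe"] if chain and chain[0]["exe"] in SHELLS else None
        origin = next((a["exe"] for a in chain if a["exe"] in DEV_TOOL_APPS), None)
        hits.append({
            "pid": e["pid"],
            "exe": e["exe"],
            "via_shell": via_shell,
            "origin_app": origin,
            "severity": "high" if origin else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in staged_binary_executions(EVENTS):
        print(hit)
```

Extend DEV_TOOL_APPS with whatever other developer tooling loads plugins on the hosts you monitor; the point of the ancestor check is that a plugin or dependency runs with the IDE or terminal as its parent, which is exactly the lineage observed here.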

As part of its periodic beaconing, the sh.py backdoor gathers and transmits the following system information:

Hostname
Username
Domain name
Current directory
The absolute path of the executable binary
OS version
Is 64-bit OS
Is 64-bit process
Python version

Below is a table outlining the commands handled by the sh.py backdoor:

Command   Description
sk        Stop the backdoor's execution
l         List the files of the path provided as a parameter
c         Execute a shell command and return its output
cd        Change directory and return the new path
xs        Execute Python code given as a parameter in the current context
xsi       Decode Base64-encoded Python code given as a parameter, compile it, then execute it
r         Remove a file or directory from the system
e         Execute a file from the system, with or without a parameter
u         Upload a file to the infected system
d         Download a file from the infected system
g         Get the current malware configuration stored in the configuration file
w         Overwrite the malware's configuration file with new values
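The xs and xsi handlers execute operator-supplied Python, in xsi's case after Base64 decoding and compile(). One way to hunt for scripts with that capability on a host is an AST scan for exec()/eval() calls that are fed, directly or through an intermediate variable, by a Base64 decode. This is an added example, not Bitdefender's or Elastic's tooling and not the sh.py source (which the report does not reproduce); the two sample scripts are constructed, and the taint tracking is deliberately simple (module-wide assignments, not scope-aware).

```python
"""Hunt Python source for the "decode Base64, compile, exec" pattern of the xsi
command and for any other exec()/eval() call site (the xs command).

Added example; not the sh.py code and not Bitdefender's or Elastic's tooling.
Both sample scripts below are constructed stand-ins, not malware.
"""
import ast

B64_DECODERS = {"b64decode", "standard_b64decode", "urlsafe_b64decode", "decodebytes"}

# Constructed stand-in for a backdoor that implements xs/xsi-style handlers.
SAMPLE_BACKDOOR = '''import base64
def handle_xsi(param):
    code = base64.b64decode(param)
    exec(compile(code, "<remote>", "exec"))
def handle_xs(param):
    exec(param)
'''

# Constructed benign script: decodes Base64 but never executes the result.
SAMPLE_BENIGN = '''import base64
def load(blob):
    return base64.b64decode(blob)
def show():
    print(load("aGk=").decode())
'''


def _is_b64_call(node):
    """base64.b64decode(...) and friends, matched on the attribute name."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in B64_DECODERS)


def _tainted_names(tree):
    """Names assigned anywhere in the module from a Base64 decode (simplification: not scope-aware)."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_b64_call(node.value):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def find_dynamic_exec(source):
    """[(lineno, feeds_from_base64)] for every exec()/eval() call in source, sorted by line.

    feeds_from_base64 is True when the call's argument subtree contains a Base64
    decode call (possibly wrapped in compile()) or a name assigned from one."""
    tree = ast.parse(source)
    tainted = _tainted_names(tree)
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")):
            continue
        subtree = list(ast.walk(node))
        from_b64 = (any(_is_b64_call(n) for n in subtree)
                    or any(isinstance(n, ast.Name) and n.id in tainted for n in subtree))
        hits.append((node.lineno, from_b64))
    return sorted(hits)


def scan_sources(named_sources):
    """{name: hits} for a mapping of script name -> source text, skipping unparsable files."""
    report = {}
    for name, src in named_sources.items():
        try:
            report[name] = find_dynamic_exec(src)
        except SyntaxError:
            report[name] = None          # not valid Python (or not Python 3); triage manually
    return report


if __name__ == "__main__":
    for name, hits in scan_sources({"backdoor.py": SAMPLE_BACKDOOR, "benign.py": SAMPLE_BENIGN}).items():
        print(name, hits)
```

Treat a True hit as a strong lead and a False hit as a weaker one; exec() of a function parameter is still the xs behaviour, just without the encoding layer. Feed scan_sources() with the contents of .py files under user home directories, plugin folders and site-packages to cover the dependency vector discussed above.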

Observed tactics and techniques

YARA rules covering the xcc hacktool (JokerSpy) and the SwiftBelt enumeration tool:

rule Macos_Hacktool_JokerSpy {
    meta:
        author = "Elastic Security"
        creation_date = "2023-06-19"
        last_modified = "2023-06-19"
        os = "MacOS"
        arch = "x86"
        category_type = "Hacktool"
        family = "JokerSpy"
        threat_name = "Macos.Hacktool.JokerSpy"
        reference_sample = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8"
        license = "Elastic License v2"
    strings:
        $str1 = "ScreenRecording: NO" fullword
        $str2 = "Accessibility: NO" fullword
        $str3 = "Accessibility: YES" fullword
        $str4 = "eck13XProtectCheck"
        $str5 = "Accessibility: NO" fullword
        $str6 = "kMDItemDisplayName = *TCC.db" fullword
    condition:
        5 of them
}

rule MacOS_Hacktool_Swiftbelt {
    meta:
        author = "Elastic Security"
        creation_date = "2021-10-12"
        last_modified = "2021-10-25"
        threat_name = "MacOS.Hacktool.Swiftbelt"
        reference_sample = "452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1"
        os = "macos"
        arch_context = "x86"
        license = "Elastic License v2"
    strings:
        $dbg1 = "SwiftBelt/Sources/SwiftBelt"
        $dbg2 = "[-] Firefox places.sqlite database not found for user"
        $dbg3 = "[-] No security products found"
        $dbg4 = "SSH/AWS/gcloud Credentials Search:"
        $dbg5 = "[-] Could not open the Slack Cookies database"
        $sec1 = "[+] Malwarebytes A/V found on this host"
        $sec2 = "[+] Cisco AMP for endpoints found"
        $sec3 = "[+] SentinelOne agent running"
        $sec4 = "[+] Crowdstrike Falcon agent found"
        $sec5 = "[+] FireEye HX agent installed"
        $sec6 = "[+] Little snitch firewall found"
        $sec7 = "[+] ESET A/V installed"
        $sec8 = "[+] Carbon Black OSX Sensor installed"
        $sec9 = "/Library/Little Snitch"
        $sec10 = "/Library/FireEye/xagt"
        $sec11 = "/Library/CS/falcond"
        $sec12 = "/Library/Logs/PaloAltoNetworks/GlobalProtect"
        $sec13 = "/Library/Application Support/Malwarebytes"
        $sec14 = "/usr/local/bin/osqueryi"
        $sec15 = "/Library/Sophos Anti-Virus"
        $sec16 = "/Library/Objective-See/Lulu"
        $sec17 = "com.eset.remoteadministrator.agent"
        $sec18 = "/Applications/CarbonBlack/CbOsxSensorService"
        $sec19 = "/Applications/BlockBlock Helper.app"
        $sec20 = "/Applications/KextViewr.app"
    condition:
        6 of them
}

References

The following were referenced throughout the above research:

https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack

Article Link: Emerging Threat! Exposing JOKERSPY | Elastic
