A set of malicious components has been discovered by Bitdefender, believed to be a part of an advanced toolkit designed to compromise macOS systems. At present, there is scarce information available about them. Researchers conducted their analysis by studying four samples that were shared on VirusTotal by an anonymous victim. The earliest sample can be traced back to April 18, 2023.
Diving into details
Two out of the three malicious programs discovered are Python-based backdoors, collectively known as JokerSpy. These backdoors are designed to target Windows, Linux, and macOS systems.
The first component, shared.dat, performs an operating system check and connects to a remote server to retrieve further instructions.
Among the samples, Bitdefender identified a more powerful backdoor named sh.py that possesses multi-platform capabilities.
The third component is a FAT binary named xcc, written in Swift, which specifically targets macOS Monterey (version 12) and newer.
Why this matters
The first component carries out tasks such as gathering system information, executing commands, downloading and running files on the victim's machine, and self-termination.
The backdoor, sh.py, is capable of gathering system metadata, file enumeration, file deletion, command and file execution, and batch exfiltration of encoded data.
The third component primarily checks for permission before utilizing a potential spyware component (possibly for screen capturing), but it does not contain the spyware component itself.
Based on the above and that multiple files were missing from the victim system, the researchers suspect that the malicious artifacts are part of a more intricate attack.
The bottom line
While a lot about this activity remains unknown, it should be considered to be a potent threat and necessary cyber defense measures should be implemented. Furthermore, with the rising number of malicious activities against macOS users, it is recommended to strengthen their security posture.