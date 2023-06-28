A new and still largely mysterious macOS malware called JokerSpy has been identified. First reported by Bitdefender researchers, with independent analysis also published by Elastic Security Labs, the malware remains poorly understood, partly because few samples are available. So far Bitdefender has analysed four samples in total, while Elastic has focused on an intrusion at a Japanese cryptocurrency exchange in which the toolkit was used.

As part of the malware framework, a binary called “xcc” is used. It is a universal (fat) Mach-O containing slices for both Intel x86_64 and ARM64 (Apple Silicon) architectures, so in principle it runs natively on Intel and Apple Silicon Macs. The binary checks which permissions the calling process already holds under Apple’s Transparency, Consent, and Control (TCC) system, notably Full Disk Access and Screen Recording.
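The universal-binary claim is easy to confirm during triage by reading the fat header. The following parser is an added example (not code from Bitdefender, Elastic or the JokerSpy authors): it walks the `fat_arch` table, names each slice, and verifies that each slice actually begins with a 64-bit Mach-O header whose cputype matches the table entry. The sample input is constructed in the block and is not an xcc sample; the 16-architecture cap is a heuristic added to avoid mistaking a Java class file (same `0xCAFEBABE` magic) for a fat binary.

```python
import struct

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE            # big-endian magic at offset 0 of a universal binary
MH_MAGIC_64 = 0xFEEDFACF          # magic of a 64-bit Mach-O slice (little-endian on x86_64/arm64)
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}
MAX_PLAUSIBLE_ARCHS = 16          # heuristic (assumption): Java .class files share the magic, but
                                  # their "nfat_arch" field would be the class major version (>= 45)

def fat_slices(data: bytes):
    """Return one dict per architecture slice of a fat Mach-O, or [] if `data` is not a fat binary."""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC or not 1 <= nfat <= MAX_PLAUSIBLE_ARCHS:
        return []
    if len(data) < 8 + 20 * nfat:
        return []
    slices = []
    for i in range(nfat):
        off = 8 + 20 * i
        cputype, cpusubtype, offset, size, align = struct.unpack(">iiIII", data[off:off + 20])
        # A slice must lie inside the file and start with a Mach-O header whose cputype
        # matches the fat_arch entry; anything else is truncated, malformed or deliberately odd.
        valid = size >= 8 and offset + size <= len(data)
        if valid:
            slice_magic, slice_cputype = struct.unpack("<Ii", data[offset:offset + 8])
            valid = slice_magic == MH_MAGIC_64 and slice_cputype == cputype
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"),
            "cpusubtype": cpusubtype,
            "offset": offset,
            "size": size,
            "align": 1 << align,
            "valid_macho": valid,
        })
    return slices

def build_sample_fat() -> bytes:
    """Constructed test input (not a real xcc sample): a fat header with an x86_64 and an arm64
    slice, each slice reduced to a bare Mach-O header so the parser has something to validate."""
    archs = [
        (CPU_TYPE_X86 | CPU_ARCH_ABI64, 3, 0x1000, 0x20, 12),   # CPU_SUBTYPE_X86_64_ALL, 4 KiB aligned
        (CPU_TYPE_ARM | CPU_ARCH_ABI64, 0, 0x4000, 0x20, 14),   # CPU_SUBTYPE_ARM64_ALL, 16 KiB aligned
    ]
    buf = bytearray(0x4020)
    buf[0:8] = struct.pack(">II", FAT_MAGIC, len(archs))
    for i, arch in enumerate(archs):
        buf[8 + 20 * i:28 + 20 * i] = struct.pack(">iiIII", *arch)
    for cputype, _subtype, offset, _size, _align in archs:
        buf[offset:offset + 8] = struct.pack("<Ii", MH_MAGIC_64, cputype)  # start of the slice header
    return bytes(buf)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat()
    for s in fat_slices(data):
        print(f'{s["arch"]:8} offset={s["offset"]:#x} size={s["size"]:#x} valid={s["valid_macho"]}')
```

Run it against a suspect file (`python3 fat_slices.py /path/to/binary`) to list the slices; a `valid_macho` of `False` on any slice means the file does not match what `lipo -info` would report and deserves a closer look. The parser deliberately handles only the 32-bit `fat_header` layout (`0xCAFEBABE`); the rarer 64-bit variant (`0xCAFEBABF`) is not covered.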

After copying the existing TCC database in an attempt to avoid detection, the xcc component stages a Python-based backdoor, which gathers system information and sends it to the attacker. Plugins and other payloads may then be deployed to gain more control over the system. In the exchange intrusion, the initial compromise in late May was followed on June 1 by the installation of a further Python tool that executes Swiftbelt, an open-source macOS post-exploitation enumeration tool.
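Because the campaign turns on what the TCC database grants, a defender's first check on a suspect Mac is to audit those grants rather than the malware's binaries. The script below is an added example (not Bitdefender's, Elastic's or the malware's code) that flags allowed grants for high-value services whose client is off an allowlist, is identified by a filesystem path instead of a bundle identifier, has no code-signing requirement recorded, or was modified after a chosen point in time. The `access` table schema is a simplified subset of the real one and the client path `/Users/Shared/example_helper` and the timestamps are constructed for the sample database; nothing here comes from a real incident.

```python
import sqlite3
from datetime import datetime, timezone

# TCC keeps grants in SQLite: the per-user database at
# ~/Library/Application Support/com.apple.TCC/TCC.db and the system one at
# /Library/Application Support/com.apple.TCC/TCC.db. Reading either needs Full Disk Access.
# Simplified subset of the real `access` table (assumption: the real schema has more columns).
ACCESS_SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,   -- 0 = bundle identifier, 1 = absolute path
    auth_value    INTEGER NOT NULL,   -- 0 = denied, 2 = allowed, 3 = limited (macOS 11+)
    auth_reason   INTEGER NOT NULL,
    csreq         BLOB,               -- code-signing requirement the grant is pinned to
    last_modified INTEGER NOT NULL    -- unix timestamp
);
"""
AUTH_ALLOWED = 2
CLIENT_TYPE_PATH = 1
HIGH_VALUE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
}

def audit_tcc(conn, expected_clients, since_ts=0):
    """Return allowed grants for high-value services that deserve review, with the reasons."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_reason, csreq, last_modified "
        "FROM access WHERE auth_value = ?", (AUTH_ALLOWED,)).fetchall()
    since_label = datetime.fromtimestamp(since_ts, timezone.utc).isoformat()
    findings = []
    for service, client, client_type, auth_reason, csreq, last_modified in rows:
        if service not in HIGH_VALUE_SERVICES:
            continue
        reasons = []
        if client not in expected_clients:
            reasons.append("client not in allowlist")
        if client_type == CLIENT_TYPE_PATH:
            reasons.append("granted by path, not bundle id")
        if csreq is None:
            reasons.append("no code-signing requirement")
        if last_modified >= since_ts:
            reasons.append("modified since " + since_label)
        if reasons:
            findings.append({"service": HIGH_VALUE_SERVICES[service], "client": client,
                             "auth_reason": auth_reason, "reasons": reasons})
    return findings

def sample_db():
    """Constructed in-memory TCC database; rows are illustrative, not from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ACCESS_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", [
        # expected: Terminal with Full Disk Access, pinned to a csreq, set on 2023-01-01
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 3, b"\xfa\xde\x0c\x00", 1672531200),
        # suspicious: hypothetical path-based client with Screen Recording, no csreq, set 2023-06-01
        ("kTCCServiceScreenCapture", "/Users/Shared/example_helper", 1, 2, 3, None, 1685577600),
        # a denied grant is never reported, whoever the client is
        ("kTCCServiceSystemPolicyAllFiles", "/Users/Shared/example_helper", 1, 0, 3, None, 1685577600),
    ])
    return conn

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # audit a copy of a real TCC.db, opened read-only
        conn = sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
    else:
        conn = sample_db()
    for f in audit_tcc(conn, expected_clients={"com.apple.Terminal"}, since_ts=1685318400):
        print(f'{f["service"]:16} {f["client"]:32} {", ".join(f["reasons"])}')
```

Run it on a copy of the database taken during triage (`python3 tcc_audit.py ./TCC.db`) with `since_ts` set to the start of the suspected intrusion window. Because the campaign copies the database wholesale, also compare the file's own modification time and size against a known-good backup; a row-level audit cannot see a database that was swapped out entirely if the replacement carried plausible rows.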