A mysterious new macOS malware called JokerSpy has been identified. Initially reported by Bitdefender researchers, with independent research also conducted by Elastic Security Labs, the malware is still relatively little understood, in part due to a lack of samples. So far, Bitdefender is working from four samples in total, while Elastic has focused on an intrusion at a Japanese cryptocurrency exchange.
As part of the malware framework, a binary called “xcc” is used which contains Mach-O files for both Intel x86 and ARM (M1) architectures, theoretically allowing it to run on Intel and Apple Silicon Macs. The file checks the permissions managed by Apple’s Transparency, Consent, and Control (TCC) system.
After copying the existing TCC database to avoid detection, the xcc executable creates a Python-based backdoor and then gathers system information, which is sent to the attacker. Plugins and other payloads may be used to gain more control over the system. The breach in late May was followed, on June 1, by the installation of a new Python tool that runs a post-exploitation enumeration tool called Swiftbelt.
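Because the xcc binary works with TCC permissions, one thing a defender can do is audit which clients hold sensitive TCC grants (Full Disk Access, Accessibility, Screen Recording) and flag any that are not expected. The script below is an added example written for this article; it is not code from the article, Bitdefender or Elastic. It assumes a simplified version of the `access` table in TCC.db (the real table has more columns), that `auth_value` 2 means "allowed", that `client_type` 1 means the client is an absolute path rather than a bundle identifier, and it uses a constructed in-memory database with made-up rows, including a placeholder path `/tmp/xcc`, so that it runs offline.

```python
import sqlite3
from typing import Dict, Iterable, List

# Simplified layout of the TCC.db "access" table (assumption: the real
# table on recent macOS releases carries additional columns).
TCC_SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,  -- 0 = bundle id, 1 = absolute path (assumption)
    auth_value    INTEGER NOT NULL,  -- 2 = allowed (assumption)
    auth_reason   INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""

# TCC service identifiers for the grants worth auditing (assumed names).
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
}
AUTH_ALLOWED = 2

# Constructed sample rows: two expected clients, one unexpected path-based
# client with Full Disk Access, and one denied entry that should be ignored.
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 3, 1685577600),
    ("kTCCServiceAccessibility", "com.example.backup", 0, 2, 3, 1685577600),
    ("kTCCServiceSystemPolicyAllFiles", "/tmp/xcc", 1, 2, 3, 1685664000),
    ("kTCCServiceScreenCapture", "com.example.meeting", 0, 0, 3, 1685664000),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory TCC.db look-alike populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(TCC_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def audit_tcc_grants(conn: sqlite3.Connection, allowlist: Iterable[str]) -> List[Dict]:
    """Return allowed grants for sensitive services whose client is not on the allowlist."""
    allowed = set(allowlist)
    findings = []
    cur = conn.execute(
        "SELECT service, client, client_type, last_modified "
        "FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,),
    )
    for service, client, client_type, last_modified in cur:
        if service not in SENSITIVE_SERVICES or client in allowed:
            continue
        findings.append({
            "service": SENSITIVE_SERVICES[service],
            "client": client,
            "client_type": "path" if client_type == 1 else "bundle id",
            "last_modified": last_modified,
        })
    return findings


def audit_tcc_file(path: str, allowlist: Iterable[str]) -> List[Dict]:
    """Open a real TCC.db read-only (requires Full Disk Access on macOS) and audit it."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_tcc_grants(conn, allowlist)
    finally:
        conn.close()


if __name__ == "__main__":
    expected = {"com.apple.Terminal", "com.example.backup"}
    for finding in audit_tcc_grants(build_sample_db(), expected):
        print(f"unexpected {finding['service']} grant for {finding['client_type']} "
              f"{finding['client']} (modified {finding['last_modified']})")
```

Run against the constructed database the script reports the single path-based Full Disk Access grant for `/tmp/xcc`. A path-based client holding Full Disk Access is worth a second look on any Mac, since legitimate apps are normally recorded by bundle identifier; the `last_modified` timestamp also lets an analyst line grants up against an intrusion timeline such as the late-May breach described above.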
With so few cases to start with, and given the belief that the attacker already had access to the exchange’s systems, it is not known how the malware is introduced onto Macs without pre-existing access. It is not even known who created the malware, but given that it targeted a cryptocurrency exchange, this looks like a sophisticated, targeted attack rather than one the average user is likely to fall victim to. While Mac threats are relatively rare compared to Windows, the number of instances where macOS becomes the target continues to grow.
Based on the limited evidence available, it seems unlikely that the average Mac user will be faced with JokerSpy right now, unless they are a high-value target. The advice for Mac users is always to keep their computer up to date, as the changes introduced by Apple often correct security vulnerabilities. Users should also be careful when browsing online, decide which websites they trust, avoid downloading from random sites, limit the distribution of private information, and use available security options whenever possible.