Bitdefender researchers and Elastic Security Labs discovered an intrusion targeting a cryptocurrency exchange in Japan. The intrusion involved the use of custom back door and open source macOS tools. Threat actors used various back doors to deploy spyware on victims' systems in order to perform reconnaissance and for command and control.
According to Elastic Security Labs researchers, the threat actor attempted to bypass Transparency, Consent, and Control (TCC) permissions on macOS by creating their own TCC database and replacing the existing one. They also deployed a Python backdoor called
sh.py, which loaded its configuration from a specific file and allowed for various commands and actions on the infected system. In their investigation, Elastic Security Labs researchers reported that the once the attackers gained access to the system with the JokerSpy back door, the attackers executed an instance of SwiftBelt, which is a known open source macOS post-exploitation reconnaissance toolset designed for red teaming.
Jamf Threat Labs has been effectively blocking JokerSpy malware since its initial public disclosure, demonstrating our dedicated focus on Apple platforms. The recent revelation of SwiftBelt usage in the attack also highlights Jamf’s capacity to quickly analyze new tools, create custom blocking rules, and keep pace with the evolution of new threats. Importantly, Jamf Protect has had custom rules to block SwiftBelt for over two years. This proactive approach distinguishes us from multi-platform vendors, who typically lag in addressing new Apple exploitation tools until they’ve been seen in active malware campaigns. This underscores our firm commitment to delivering the most comprehensive and up-to-date macOS security.
Jamf Protect tracks this malware campaign and custom threat prevention rules block its execution as of June 19, 2023.
Additionally, Jamf Protect generically detects and alerts on the creation of counterfeit TCC databases (as seen in this attack) via the behavioral analytic: “TCC Database File Manually Created”. The TCC database keeps track of which applications a user has granted special permissions to such as Full Disk Access or access to their Contacts. Historically, exploits for this security feature have often required an attacker to create their own modified TCC.db file on disk and then convince the operating system to use that TCC.db file instead of the database created by macOS.
IOCs (as published by Bitdefender and Elastic):
Malware is nothing to laugh at — stay protected with Jamf.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.