https://securityaffairs.com/147840/hacking/jokerspy-attack-japanese-cryptocurrency-exchange.html
JokerSpy used to target a cryptocurrency exchange in Japan

June 27, 2023 By Pierluigi Paganini

An unnamed Japanese cryptocurrency exchange was the victim of a cyber attack aimed at deploying an Apple macOS backdoor named JokerSpy.

Elastic Security Labs researchers provided details about a recently discovered intrusion at an unnamed cryptocurrency exchange, aimed at deploying an Apple macOS backdoor named JokerSpy. The researchers track the intrusion as REF9134. The threat actors used the sh.py backdoor to deploy the macOS Swiftbelt enumeration tool. Bitdefender recently dubbed sh.py and xcc JokerSpy: the former was used to evade detection and install the latter, and to deploy enumeration tools.

Bitdefender researchers recently discovered a set of malicious files with backdoor capabilities that are suspected to be part of a sophisticated toolkit designed to target Apple macOS systems. The investigation is still ongoing; the experts pointed out that the samples are still largely undetected.

The researchers analyzed a total of four samples that were uploaded to VirusTotal. The earliest sample was uploaded by an anonymous actor to the platform on April 18, 2023; the remaining ones were uploaded by the victim. Two of the three samples uploaded by the victim are generic Python backdoors that target Windows, Linux, and macOS systems.

Bitdefender also discovered a powerful backdoor, a file labeled "sh.py," among the samples they analyzed. The malicious code supports multiple capabilities, such as gathering system data, listing files, deleting files, executing commands, and exfiltrating base64-encoded data in batches.

Bitdefender also analyzed another component, a FAT binary written in Swift that targets macOS Monterey (version 12) and newer. The FAT binary contains Mach-O files for two architectures (x86 Intel and ARM M1). The experts believe it is used to check permissions before using a potential spyware component (likely to capture the screen), but it does not include the spyware component itself. For this reason, experts believe that the discovered files are part of a more sophisticated attack. At this time, several files belonging to the attack chain are yet to be analyzed.

"In late May of 2023, an adversary with existing access in a prominent Japanese cryptocurrency exchange tripped one of our diagnostic endpoint alerts that detected the execution of a binary (xcc). xcc is not trusted by Apple, and the adversary self-signed using the native macOS tool codesign." reported Elastic Security Labs. "Following the execution of xcc, we observed the threat actor attempting to bypass TCC permissions by creating their own TCC database and trying to replace the existing one. On June 1st a new Python-based tool was seen executing from the same directory as xcc and was utilized to execute an open-source macOS post-exploitation enumeration tool known as Swiftbelt."

Elastic Security Labs experts reported that xcc is a self-signed binary written in Swift. The tool allows attackers to determine current system permissions. The sample analyzed by the experts is signed as XProtectCheck, in an attempt to trick victims into believing that it is the macOS built-in AV, XProtect. The researchers observed xcc checking the FullDiskAccess and ScreenRecording permissions; it was also used to determine whether the screen is currently locked and whether the current process is a trusted accessibility client.

The experts believe that the initial access for this attack was a backdoored plugin or third-party dependency. Bitdefender speculates that the malware was distributed using a malware-laced macOS QR code reader with a malicious dependency.

The analysis of the sh.py Python backdoor published by Elastic revealed it was used to deploy and execute other post-exploitation tools like Swiftbelt. Below is the list of commands supported by the backdoor:

Command  Description
sk       Stop the backdoor's execution
l        List the files of the path provided as parameter
c        Execute and return the output of a shell command
cd       Change directory and return the new path
xs       Execute Python code given as a parameter in the current context
xsi      Decode Base64-encoded Python code given as a parameter, compile it, then execute it
r        Remove a file or directory from the system
e        Execute a file from the system with or without parameter
u        Upload a file to the infected system
d        Download a file from the infected system
g        Get the current malware configuration stored in the configuration file
w        Override the malware's configuration file with new values

Elastic Security used a Diamond Model to describe the high-level relationships between the adversaries, capabilities, infrastructure, and victims of the intrusion. The researchers shared MITRE ATT&CK tactics and YARA rules for this threat.

Pierluigi Paganini (SecurityAffairs – hacking, JokerSpy)