www.sentinelone.com
URL: https://www.sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/
Submission: On July 05 via api from DE — Scanned from DE
JOKERSPY | UNKNOWN ADVERSARY TARGETING ORGANIZATIONS WITH MULTI-STAGE MACOS MALWARE

June 28, 2023 by Phil Stokes

Recent reports from researchers at BitDefender and Elastic have exposed an active adversary deploying novel spyware, cross-platform backdoors and an open-source reconnaissance tool to compromise organizations with macOS devices in their fleets. Although the number of known victims at this time is small, the nature of the tooling suggests that the threat actors have likely targeted other organizations. In this post, we review the key components and indicators used in the campaign to help raise awareness and aid security teams and threat hunters.

QRLOG | SUSPECTED INFECTION VECTOR

There is little information about how initial compromise was achieved in the known intrusions, but analysis of the known components provides a strong link to a trojanized QR code generator discovered in the wild in February 2023. According to researcher Mauro Eldritch, QRLog is a trojanized QR code generator written in Java that opens a reverse shell on the host device, allowing the attacker privileged access.
The malicious code is hidden inside a file QRCodeWriter.java, buried in an otherwise legitimate open source QR code project.

[Figure: Base64 blob is an encoded Java file]

After determining the host device's operating system, QRLog decodes an embedded base64 blob, writes it out to a temporary directory and executes it.

[Figure: QRLog changes the path separator to suit Windows or Posix-compatible systems like Linux and macOS]

The decoded blob is a .java file that reaches out to a C2 at hxxps[:]//www[.]git-hub.me/view.php. This is the same C2 as used in the compromise reported by BitDefender (see below).

[Figure: QRLog uses the same C2 later seen in an ITW JokerSpy intrusion]

If the QRLog malware receives the right response from the C2, it then writes two further files – p.dat and a Java executable prefTmp.java – to the temp directory and executes the latter, which now opens the reverse shell from the victim to the attacker.

[Figure: The prefTmp.java file opens a reverse shell to the attacker]

SHARED.DAT & SH.PY | CROSS-PLATFORM PYTHON BACKDOORS

In the intrusions seen to date, researchers identified two Python backdoors, shared.dat and sh.py. The former uses a simple rot13 string obfuscation technique.

[Figure: Deobfuscated strings found in shared.dat backdoor]

The script's behavior depends on the response from the server, whose address is hardcoded in plain text. In the intrusion seen by BitDefender, the C2 matched that seen in the QRLog malware. shared.dat also uses the same strings found in QRLog to identify packets sent to and received from the C2, namely "GITHUB_RES" and "GITHUB_REQ".

[Figure: C2 in shared.dat is the same as noted in QRLog malware]

A simple conditional parses the responses.

[Figure: Parsing commands from the C2 in the shared.dat backdoor]

If the device is identified as a macOS device, the malware downloads and executes the next stage to /Users/Shared/AppleAccount.tgz, which in turn decodes a further stage to /Users/Shared/TempUser/AppleAccountAssistant.app.
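Both obfuscation tricks described above, the base64-encoded second-stage Java source that QRLog carries inside QRCodeWriter.java and the rot13 string obfuscation used by shared.dat, leave traits that can be checked for in a code base or a suspicious script. The following Python is an added example written for this page, not code from SentinelOne or from the malware: the Java and Python files it scans are constructed stand-ins (the embedded class only prints two strings), and the only values taken from the post are the GITHUB_REQ/GITHUB_RES packet markers and the git-hub.me C2 host.

```python
import base64
import binascii
import codecs
import re

# Marker strings taken from the post; every sample file below is constructed.
C2_MARKERS = ("GITHUB_REQ", "GITHUB_RES", "git-hub.me")
JAVA_MARKERS = ("import java.", "public class ", "Runtime.getRuntime()")

# A quoted run of 200+ base64 characters is far longer than an ordinary string literal.
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{200,}={0,2})"')
# Plain string literals (no escapes, no newlines) in either quote style.
DQ_LITERAL = re.compile(r'"([^"\\\n]{4,})"')
SQ_LITERAL = re.compile(r"'([^'\\\n]{4,})'")


def decode_base64_blobs(source):
    """Decode every long base64 string literal; skip anything that is not valid base64."""
    decoded = []
    for match in BASE64_LITERAL.finditer(source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def rot13_hits(source):
    """Return literals that only become a known marker after rot13 (shared.dat style)."""
    hits = []
    for pattern in (DQ_LITERAL, SQ_LITERAL):
        for match in pattern.finditer(source):
            plain = codecs.decode(match.group(1), "rot13")
            if any(marker in plain for marker in C2_MARKERS):
                hits.append(plain)
    return hits


def scan_source(source):
    """Summarise the suspicious traits found in one source file."""
    findings = {"embedded_java": 0, "c2_markers": set(), "rot13_markers": []}
    for text in decode_base64_blobs(source):
        if any(marker in text for marker in JAVA_MARKERS):
            findings["embedded_java"] += 1          # a blob that decodes to Java source
        findings["c2_markers"].update(m for m in C2_MARKERS if m in text)
    findings["rot13_markers"] = rot13_hits(source)
    findings["c2_markers"] = sorted(findings["c2_markers"])
    return findings


# Constructed, benign stand-in for the second-stage source QRLog embeds: it only prints.
_INNER_JAVA = (
    "import java.io.File;\n"
    "public class Stage {\n"
    '    static final String TAG = "GITHUB_REQ";\n'
    '    static final String HOST = "www.git-hub.me";\n'
    "    public static void main(String[] args) {\n"
    '        System.out.println(TAG + " " + HOST);\n'
    "    }\n"
    "}\n"
)
EMBEDDED_BLOB = base64.b64encode(_INNER_JAVA.encode()).decode()

# Constructed outer file in the style of a trojanized generator source.
SAMPLE_JAVA = (
    "package com.example.qr;\n"
    "public class QrWriter {\n"
    f'    private static final String DATA = "{EMBEDDED_BLOB}";\n'
    "}\n"
)

# Constructed Python snippet using the rot13 trick; the literals are rot13 of the markers.
SAMPLE_PY = (
    "import codecs\n"
    "tag = codecs.decode('TVGUHO_ERD', 'rot13')\n"
    "host = codecs.decode('tvg-uho.zr', 'rot13')\n"
)

if __name__ == "__main__":
    for name, text in (("sample.java", SAMPLE_JAVA), ("sample.py", SAMPLE_PY)):
        print(name, scan_source(text))
```

The base64 check deliberately requires a long literal and a clean decode, so ordinary short constants and non-base64 strings produce no noise; a hit on a blob that decodes to Java source plus one of the packet markers is the combination worth pulling for manual review.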
The sh.py backdoor is also multi-platform and requires a separate configuration file stored at ~/Public/Safari/sar.dat, likely containing the C2 as well as other parameters. The C2 observed by Elastic in an attack on an unnamed Japanese cryptocurrency exchange was app.influmarket[.]org. The backdoor is capable of surveilling the host device and executing commands, exfiltrating data and deleting files.

[Figure: The sh.py script is a cross-platform backdoor]

Depending on the value received from the configuration file, the backdoor will beacon out to the C2 at regular intervals, the default being 5 seconds. Information sent to the attacker includes:

* Current working directory
* Username
* Hostname
* Domain name
* OS version
* Python version
* Path to sh.py

According to researchers at Elastic, the sh.py script was seen dropping the open-source macOS red-teaming tool SwiftBelt to the file path /Users/shared/sb and writing its output to a file sb.log in the same directory:

/bin/sh -c /users/shared/sb > /users/shared/sb.log 2>&1

JOKERSPY | MACOS SPYWARE STAGER

In both intrusions seen to date, a further macOS-only component was observed. The file, named "xcc", attempts to hide as an XProtect component, and uses the Launch Services identifier com.apple.xprotectcheck.
Identifier=XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=911 flags=0x2(adhoc) hashes=17+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22
CandidateCDHashFull sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
Hash choices=sha256
CMSDigest=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
CMSDigestType=2
Launch Constraints:
	None
CDHash=89706d1258b6f1c165ff8d1d6d13346e02b48e22
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
# designated => cdhash H"89706d1258b6f1c165ff8d1d6d13346e02b48e22" or cdhash H"9860c28299d58e71540c64e56c709aa619cfac27"

The binary is ad hoc signed and is built for both Apple silicon and Intel architectures. On execution, it runs through several functions with the purpose of determining:

* Device Idle Time
* Active (Frontmost) App
* Screen status (locked or unlocked)
* Full Disk Access of the active app
* Screen Recording permissions of the active app
* Accessibility (e.g., control other apps) permission of the active app

[Figure: Output to stdout from executing xcc binary]

Threat hunters should note that these are somewhat noisily printed out to stdout, so will appear in system logs. The inclusion of the SystemIdleTime() function is interesting and not something commonly seen in macOS malware. This may indicate the threat actor intends to establish a pattern of behavior as to when the user is inactive in order to time attacks. The function itself uses Apple's IOServiceMatching() API and the now deprecated IOHIDSystem class to query for the HIDIdleTime value, a timer which tracks the last time the user interacted with the mouse, trackpad or keyboard, among other things.
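The codesign output above carries the traits that separate xcc from a real Apple component: an identifier that imitates XProtect, an ad hoc signature with no Apple certificate chain, and a cdhash that appears in the designated requirement. The Python below is an added example for this page, not SentinelOne's code or tooling. It parses `codesign -dvvv` style output and flags those traits; the xcc sample it reads is the output quoted above, the Apple-signed comparison sample is constructed in the shape that Apple's own binaries print (Authority=Software Signing ... Apple Root CA), and treating "lookalike identifier without an Apple certificate chain" as the masquerade signal is my own assumption, since Apple's own binaries also report TeamIdentifier=not set and that field alone does not discriminate.

```python
import re

# The two cdhashes in the xcc sample's designated requirement, taken from the post.
KNOWN_BAD_CDHASHES = {
    "89706d1258b6f1c165ff8d1d6d13346e02b48e22",
    "9860c28299d58e71540c64e56c709aa619cfac27",
}
# Identifier prefixes a genuine Apple security component could plausibly carry.
APPLE_LOOKALIKE = re.compile(r"^(com\.apple\.|xprotect|mrt|gatekeeper)", re.IGNORECASE)
# Certificate chain names that Apple's own platform binaries present.
APPLE_CHAIN = ("Software Signing", "Apple Root CA")


def parse_codesign(text):
    """Turn `codesign -dvvv` output into a dict; repeated Authority= lines become a list."""
    fields = {"Authority": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skips the designated-requirement comment and 'Launch Constraints:'
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            fields["Authority"].append(value)
        else:
            fields[key] = value
    return fields


def assess(text):
    """Return the list of reasons a binary's signature looks like the xcc masquerade."""
    f = parse_codesign(text)
    reasons = []
    # codesign reports ad hoc signing both as Signature=adhoc and in the CodeDirectory flags.
    adhoc = f.get("Signature") == "adhoc" or "adhoc" in f.get("CodeDirectory v", "")
    apple_signed = all(
        any(auth.startswith(name) for auth in f["Authority"]) for name in APPLE_CHAIN
    )
    if APPLE_LOOKALIKE.match(f.get("Identifier", "")) and not apple_signed:
        reasons.append("apple-lookalike identifier not signed by Apple")
    if adhoc:
        reasons.append("ad hoc signature")
    if f.get("CDHash", "").lower() in KNOWN_BAD_CDHASHES:
        reasons.append("cdhash matches JokerSpy xcc")
    return reasons


# Sample input: the xcc codesign output quoted in the post.
XCC_CODESIGN = """Identifier=XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=911 flags=0x2(adhoc) hashes=17+7 location=embedded
Hash type=sha256 size=32
CDHash=89706d1258b6f1c165ff8d1d6d13346e02b48e22
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
# designated => cdhash H"89706d1258b6f1c165ff8d1d6d13346e02b48e22"
"""

# Constructed comparison sample in the shape of a genuinely Apple-signed platform binary.
APPLE_SIGNED_SAMPLE = """Identifier=com.apple.XProtectCheck
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1024 flags=0x0(none) hashes=24+7 location=embedded
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
"""

if __name__ == "__main__":
    print("xcc:", assess(XCC_CODESIGN))
    print("apple-signed:", assess(APPLE_SIGNED_SAMPLE))
```

On a live host the same function can be fed `codesign -dvvv <path> 2>&1` for each binary found under /Users/Shared or launched by an IDE process; the point is that a name imitating an Apple component is only meaningful in combination with the missing Apple certificate chain.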
[Figure: Calls made by the SystemIdleTime() function]

At the time of writing, it's not clear how the xcc binary relates to the other components, other than that they have been observed together in both instances. xcc itself provides functionality for system discovery, and it is likely there are further associated spyware and backdoor components that remain to be discovered. Elastic observed xcc being executed by three different processes:

* /Applications/IntelliJ IDEA.app/Contents/MacOS/idea
* /Applications/iTerm.app/Contents/MacOS/iTerm2
* /Applications/Visual Studio Code.app/Contents/MacOS/Electron

The researchers suggest that initial access may have been provided via a malicious plugin or dependency that may have been trojanized in a similar way to QRLog mentioned above.

SENTINELONE DETECTS JOKERSPY

The SentinelOne agent protects customers from JokerSpy, QRLog and other malicious components identified in these attacks. Security teams not protected by SentinelOne are advised to refer to the list of indicators below for threat hunting and detection.

CONCLUSION

The JokerSpy intrusions reveal a threat actor with the ability to write functional malware across several different languages – Python, Java, and Swift – and target multiple operating system platforms. The relative sophistication of the multiple components suggests one or more developers devoting considerable effort to the project, and we can only surmise that further victims are out there. There are still several pieces of the puzzle missing, but the intrusion into a large cryptocurrency exchange indicates a financially-motivated threat actor. SentinelOne continues to track this threat actor and will provide updates to this post as they become available.
INDICATORS OF COMPROMISE

Identifiers
com.apple.xprotectcheck

Communications
45[.]76[.]238[.]53
45[.]77[.]123[.]18
www[.]git-hub.me
app.influmarket[.]org

Files (SHA1)
1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362 – xcc
1f99081affd7bef83d44e0072eb860d515893698 – SwiftBelt
21ffda8a6a05a007ef92088f99ab54485cfe473d – xcc
2234c9fc3c3d340f0367c49c6599379b96544b5a – QRCodeWriter.java
370a0bb4177eeebb2a75651a8addb0477b7d610b – xcc
76b790eb3bed4a625250b961a5dda86ca5cd3a11 – xcc
937a9811b3e5482eb8f96832454723d59229f945 – shared.dat
bd8626420ecfd1ab5f4576d83be35edecd8fa70e – sh.py
c304aef96a783a39aedf1af30de5d5f1c33c68ca – QRLog sample.zip
c7d6ede0f6ac9f060ae53bb1db40a4fbe96f9ceb – shared.dat

Paths
$TEMP/p.dat
$TEMP/prefTmp.java
~/Public/Safari/sar.dat
/Users/shared/sb
/Users/shared/sb.log
/Users/Shared/AppleAccount.tgz
/Users/Shared/TempUser/AppleAccountAssistant.app
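The indicator list above and the sh.py beacon cadence described earlier (a fixed check-in interval, 5 seconds by default) are the two things a hunt over endpoint telemetry would key on. This Python is an added example for this page, not SentinelOne's code or tooling: the indicator values are taken from the list above (refanged), the event records it scans are constructed, the event schema (type/host/path/sha1/dst/ts/bundle_id) is my own, and the beacon heuristic, flagging a host-destination pair whose connection intervals all sit within a small tolerance of their median, is an assumption about how a fixed-interval check-in surfaces in connection logs, not something the post describes.

```python
import statistics
from collections import defaultdict

# Indicators from the post, refanged for matching.
IOC_DOMAINS = {"www.git-hub.me", "app.influmarket.org"}
IOC_IPS = {"45.76.238.53", "45.77.123.18"}
# Paths are compared lower-cased: macOS volumes are normally case-insensitive and the
# post itself lists both /Users/shared and /Users/Shared spellings.
IOC_PATHS = {
    "/users/shared/appleaccount.tgz",
    "/users/shared/tempuser/appleaccountassistant.app",
    "/users/shared/sb",
    "/users/shared/sb.log",
}
# $TEMP and ~ vary per host, so these indicators are matched as path suffixes.
IOC_PATH_SUFFIXES = ("/public/safari/sar.dat", "/p.dat", "/preftmp.java")
IOC_SHA1 = {
    "1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362": "xcc",
    "1f99081affd7bef83d44e0072eb860d515893698": "SwiftBelt",
    "21ffda8a6a05a007ef92088f99ab54485cfe473d": "xcc",
    "2234c9fc3c3d340f0367c49c6599379b96544b5a": "QRCodeWriter.java",
    "370a0bb4177eeebb2a75651a8addb0477b7d610b": "xcc",
    "76b790eb3bed4a625250b961a5dda86ca5cd3a11": "xcc",
    "937a9811b3e5482eb8f96832454723d59229f945": "shared.dat",
    "bd8626420ecfd1ab5f4576d83be35edecd8fa70e": "sh.py",
    "c304aef96a783a39aedf1af30de5d5f1c33c68ca": "QRLog sample.zip",
    "c7d6ede0f6ac9f060ae53bb1db40a4fbe96f9ceb": "shared.dat",
}
IOC_LS_IDENTIFIER = "com.apple.xprotectcheck"


def match_event(event):
    """Return a short description of the indicator an event matches, or None."""
    kind = event["type"]
    if kind == "net":
        if event["dst"] in IOC_DOMAINS or event["dst"] in IOC_IPS:
            return f"C2 {event['dst']}"
    elif kind == "file":
        path = event["path"].lower()
        if path in IOC_PATHS or path.endswith(IOC_PATH_SUFFIXES):
            return f"path {event['path']}"
        sha1 = event.get("sha1", "").lower()
        if sha1 in IOC_SHA1:
            return f"sha1 {IOC_SHA1[sha1]}"
    elif kind == "proc" and event.get("bundle_id") == IOC_LS_IDENTIFIER:
        return f"identifier {IOC_LS_IDENTIFIER}"
    return None


def beacon_candidates(net_events, min_count=6, max_jitter=0.2):
    """(host, dst, median interval) for host->dst pairs that connect on a fixed cadence.

    max_jitter is the largest allowed deviation of any interval from the median,
    as a fraction of the median; interactive traffic is far more irregular than that.
    """
    groups = defaultdict(list)
    for e in net_events:
        groups[(e["host"], e["dst"])].append(e["ts"])
    found = []
    for (host, dst), times in groups.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        if max(abs(g - median) for g in gaps) / median <= max_jitter:
            found.append((host, dst, round(median, 2)))
    return found


def hunt(events):
    """Run both checks over a list of event records."""
    matches = [(e["host"], m) for e in events if (m := match_event(e))]
    beacons = beacon_candidates([e for e in events if e["type"] == "net"])
    return {"ioc_matches": matches, "beacons": beacons}


# Constructed telemetry: two hosts, one of them showing the JokerSpy traits.
SAMPLE_EVENTS = [
    {"type": "file", "host": "mac-01", "path": "/Users/Shared/AppleAccount.tgz", "sha1": "0" * 40},
    {"type": "file", "host": "mac-01", "path": "/private/tmp/p.dat"},
    {"type": "file", "host": "mac-01", "path": "/Users/alice/Downloads/xcc",
     "sha1": "1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362"},
    {"type": "file", "host": "mac-02", "path": "/Users/bob/Documents/report.pdf", "sha1": "f" * 40},
    {"type": "proc", "host": "mac-01", "bundle_id": "com.apple.xprotectcheck"},
]
# sh.py-style check-ins roughly every 5 seconds on mac-01, irregular browsing on mac-02.
SAMPLE_EVENTS += [{"type": "net", "host": "mac-01", "dst": "app.influmarket.org", "ts": t}
                  for t in (100.0, 105.0, 110.1, 115.0, 120.2, 125.0, 130.1, 135.0)]
SAMPLE_EVENTS += [{"type": "net", "host": "mac-02", "dst": "www.example.com", "ts": t}
                  for t in (101.0, 118.0, 121.0, 161.0, 163.0, 200.0)]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for host, reason in result["ioc_matches"]:
        print(host, reason)
    print("beacons:", result["beacons"])
```

The beacon check is the part worth keeping after the listed C2 hosts are rotated: a backdoor that polls on a fixed timer still shows up as a host-destination pair with unusually regular intervals, regardless of the destination name.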