www.sentinelone.com Open in urlscan Pro
104.26.3.18  Public Scan

URL: https://www.sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/
Submission: On July 05 via api from DE — Scanned from DE

Form analysis 6 forms found in the DOM

GET https://www.sentinelone.com

<form autocomplete="off" method="get" action="https://www.sentinelone.com">
  <fieldset>
    <input type="search" name="s" placeholder="Search ..." value="">
    <button class="search" type="submit">
      <span class="light">
        <img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon-white.svg">
        <img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close.svg">
      </span>
      <span class="dark">
        <img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon.svg">
        <img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close-dark.svg">
      </span>
    </button>
  </fieldset>
</form>

GET https://www.sentinelone.com/

<form role="search" method="get" class="search-form" action="https://www.sentinelone.com/">
  <label>
    <span class="screen-reader-text">Search ...</span>
    <input type="search" class="search-field" placeholder="Search ..." value="" name="s">
  </label>
  <input type="submit" class="search-submit" value="Search">
</form>

<form id="mktoForm_1985" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="1618981948">
  <style type="text/css"></style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoOffset" style="width: 5px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
  <div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
    third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="1985"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form>

<form id="mktoForm_2816" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="1619010562">
  <style type="text/css"></style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoOffset" style="width: 5px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 164px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
  <div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
    third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="2816"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form>

<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>

<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>

Text Content

Don’t miss OneCon23! SentinelOne’s annual user conference. Presale available
now. Register Now
Don’t miss OneCon23! SentinelOne’s annual user conference. Presale available
now.
Experiencing a Breach?
 * 1-855-868-3733
 * Contact
 * Cybersecurity Blog


en
 * English
 * 日本語
 * Deutsch
 * Español
 * Français
 * Italiano
 * Dutch
 * 한국어

blog
   
   
 * Platform
    * Platform Overview
       * Singularity XDR Platform Welcome to Native
         and Open XDR
         
       * XDR Ingestion One Home for All
         Security Data
         
       * How It Works The Singularity XDR Difference
         
       * Singularity Marketplace One-Click Integrations to Unlock the Power of
         XDR
         
   
    * Surfaces
       * Endpoint Autonomous Prevention, Detection, and Response
         
       * Cloud Autonomous Runtime Protection for Workloads
         
       * Identity Autonomous Identity & Credential Protection
         
   
    * Platform Packages
       * Singularity Complete The Standard for Enterprise Cybersecurity
         
       * Singularity Control Organization-Wide
         Protection and Control
         
       * Singularity Core Cloud-Native NGAV
         
       * Package Comparison Our Platform at a Glance
         
   
    * Platform Products
       * Singularity Cloud Container, VM, and Server Workload Security
         
       * Singularity RemoteOps Orchestrate Forensics at Scale
         
       * Singularity Identity Identity Threat Detection
         and Response
         
       * Singularity CloudFunnel Cloud-to-Cloud Telemetry Streaming
         
       * Singularity Ranger AD Active Directory Attack Surface Reduction
         
       * Singularity BinaryVault Automatic File Sample Collection
         
       * Singularity Ranger Rogue Asset Discovery
         
       * Singularity Hologram Deception Protection
         
       * Singularity Mobile Mobile Threat Defense
         
   
   
 * Why SentinelOne?
    * Why SentinelOne?
       * Why SentinelOne? Cybersecurity Built
         for What’s Next
         
       * Our Customers Trusted by the World’s Leading Enterprises
         
       * Industry Recognition Tested and Proven
         by the Experts
         
       * About Us The Industry Leader in Autonomous Cybersecurity
         
   
    * Compare SentinelOne
       * CrowdStrike Cyber Dependent
         on a Crowd
         
       * McAfee Pale Performance,
         More Maintenance
         
       * Microsoft Platform Coverage
         That Compromises
         
       * Trend Micro The Risk of DevOps Disruption
         
       * Palo Alto Networks Hard to Deploy,
         Harder to Manage
         
       * Carbon Black Adapt Only as Quickly
         as Your Block Lists
         
       * Symantec Security Limited
         to Signatures
         
   
    * Verticals
       * Energy
         
       * Federal Government
         
       * Finance
         
       * Healthcare
         
       * Higher Education
         
       * K-12 Education
         
       * Manufacturing
         
       * Retail
         
   
   
 * Services
    * Threat Services
       * Vigilance Respond Pro
         MDR + DFIR 24x7 MDR with Full-Scale Investigation & Response
         
       * WatchTower Pro
         Threat Hunting Dedicated Hunting & Compromise Assessment
         
       * Vigilance Respond
         MDR Dedicated SOC
         Expertise & Analysis
         
       * WatchTower
         Threat Hunting Hunting for Emerging Threat Campaigns
         
      
      Services Overview
    * Support, Deployment, & Health
       * Technical Account Management Customer Success with Personalized Service
         
       * SentinelOne GO Guided Onboarding & Deployment Advisory
         
       * SentinelOne University Live and On-Demand Training
         
       * Support Services Tiered Support Options for Every Organization
         
       * SentinelOne Community Community Login
         
   
   
 * Partners
    * Our Network
       * Singularity Marketplace Extend the Power
         of S1 Technology
         
       * Cyber Risk
         Partners Enlist Pro Response
         and Advisory Teams
         
       * Technology Alliances Integrated, Enterprise-Scale Solutions
         
       * SentinelOne for AWS Hosted in AWS Regions Around the World
         
       * Channel Partners Deliver the Right
         Solutions, Together
         
      
      Program Overview
   
   
 * Resources
    * Resource Center
       * Case Studies
         
       * Data Sheets
         
       * eBooks
         
       * Reports
         
       * Videos
         
       * Webinars
         
       * White Papers
         
      
      View All Resources
    * Blog
       * Cyber Response
         
       * Feature Spotlight
         
       * For CISO/CIO
         
       * From the Front Lines
         
       * Identity
         
       * Cloud
         
       * macOS
         
       * SentinelOne Blog
         
      
      Blog
    * Tech Resources
       * SentinelLABS
         
       * Ransomware Anthology
         
       * Cybersecurity 101
         
   
   
 * About
    * About SentinelOne
       * About SentinelOne The Industry Leader in Cybersecurity
         
       * Investor Relations Financial Information & Events
         
       * SentinelLABS Threat Research for
         the Modern Threat Hunter
         
       * Careers The Latest Job Opportunities
         
       * Press & News Company Announcements
         
       * Cybersecurity Blog The Latest Cybersecurity Threats, News, & More
         
       * F1 Racing SentinelOne &
         Aston Martin F1 Team
         
       * FAQ Get Answers to Our Most Frequently Asked Questions
         
       * DataSet The Live Data Platform
         
       * S Foundation Securing a Safer Future for All
         
       * S Ventures Investing in the Next Generation
         of Security and Data
         
       * Brand SentinelOne Brand Guidelines
         
   
   

en
 * English
 * 日本語
 * Deutsch
 * Español
 * Français
 * Italiano
 * Dutch
 * 한국어


Get a Demo

blog
Back
   
   
 * Platform
    * Platform Overview
       * Singularity XDR Platform Welcome to Native
         and Open XDR
         
       * XDR Ingestion One Home for All
         Security Data
         
       * How It Works The Singularity XDR Difference
         
       * Singularity Marketplace One-Click Integrations to Unlock the Power of
         XDR
         
   
    * Surfaces
       * Endpoint Autonomous Prevention, Detection, and Response
         
       * Cloud Autonomous Runtime Protection for Workloads
         
       * Identity Autonomous Identity & Credential Protection
         
   
    * Platform Packages
       * Singularity Complete The Standard for Enterprise Cybersecurity
         
       * Singularity Control Organization-Wide
         Protection and Control
         
       * Singularity Core Cloud-Native NGAV
         
       * Package Comparison Our Platform at a Glance
         
   
    * Platform Products
       * Singularity Cloud Container, VM, and Server Workload Security
         
       * Singularity RemoteOps Orchestrate Forensics at Scale
         
       * Singularity Identity Identity Threat Detection
         and Response
         
       * Singularity CloudFunnel Cloud-to-Cloud Telemetry Streaming
         
       * Singularity Ranger AD Active Directory Attack Surface Reduction
         
       * Singularity BinaryVault Automatic File Sample Collection
         
       * Singularity Ranger Rogue Asset Discovery
         
       * Singularity Hologram Deception Protection
         
       * Singularity Mobile Mobile Threat Defense
         
   
   
 * Why SentinelOne?
    * Why SentinelOne?
       * Why SentinelOne? Cybersecurity Built
         for What’s Next
         
       * Our Customers Trusted by the World’s Leading Enterprises
         
       * Industry Recognition Tested and Proven
         by the Experts
         
       * About Us The Industry Leader in Autonomous Cybersecurity
         
   
    * Compare SentinelOne
       * CrowdStrike Cyber Dependent
         on a Crowd
         
       * McAfee Pale Performance,
         More Maintenance
         
       * Microsoft Platform Coverage
         That Compromises
         
       * Trend Micro The Risk of DevOps Disruption
         
       * Palo Alto Networks Hard to Deploy,
         Harder to Manage
         
       * Carbon Black Adapt Only as Quickly
         as Your Block Lists
         
       * Symantec Security Limited
         to Signatures
         
   
    * Verticals
       * Energy
         
       * Federal Government
         
       * Finance
         
       * Healthcare
         
       * Higher Education
         
       * K-12 Education
         
       * Manufacturing
         
       * Retail
         
   
   
 * Services
    * Threat Services
       * Vigilance Respond Pro
         MDR + DFIR 24x7 MDR with Full-Scale Investigation & Response
         
       * WatchTower Pro
         Threat Hunting Dedicated Hunting & Compromise Assessment
         
       * Vigilance Respond
         MDR Dedicated SOC
         Expertise & Analysis
         
       * WatchTower
         Threat Hunting Hunting for Emerging Threat Campaigns
         
      
      Services Overview
    * Support, Deployment, & Health
       * Technical Account Management Customer Success with Personalized Service
         
       * SentinelOne GO Guided Onboarding & Deployment Advisory
         
       * SentinelOne University Live and On-Demand Training
         
       * Support Services Tiered Support Options for Every Organization
         
       * SentinelOne Community Community Login
         
   
   
 * Partners
    * Our Network
       * Singularity Marketplace Extend the Power
         of S1 Technology
         
       * Cyber Risk
         Partners Enlist Pro Response
         and Advisory Teams
         
       * Technology Alliances Integrated, Enterprise-Scale Solutions
         
       * SentinelOne for AWS Hosted in AWS Regions Around the World
         
       * Channel Partners Deliver the Right
         Solutions, Together
         
      
      Program Overview
   
   
 * Resources
    * Resource Center
       * Case Studies
         
       * Data Sheets
         
       * eBooks
         
       * Reports
         
       * Videos
         
       * Webinars
         
       * White Papers
         
      
      View All Resources
    * Blog
       * Cyber Response
         
       * Feature Spotlight
         
       * For CISO/CIO
         
       * From the Front Lines
         
       * Identity
         
       * Cloud
         
       * macOS
         
       * SentinelOne Blog
         
      
      Blog
    * Tech Resources
       * SentinelLABS
         
       * Ransomware Anthology
         
       * Cybersecurity 101
         
   
   
 * About
    * About SentinelOne
       * About SentinelOne The Industry Leader in Cybersecurity
         
       * Investor Relations Financial Information & Events
         
       * SentinelLABS Threat Research for
         the Modern Threat Hunter
         
       * Careers The Latest Job Opportunities
         
       * Press & News Company Announcements
         
       * Cybersecurity Blog The Latest Cybersecurity Threats, News, & More
         
       * F1 Racing SentinelOne &
         Aston Martin F1 Team
         
       * FAQ Get Answers to Our Most Frequently Asked Questions
         
       * DataSet The Live Data Platform
         
       * S Foundation Securing a Safer Future for All
         
       * S Ventures Investing in the Next Generation
         of Security and Data
         
       * Brand SentinelOne Brand Guidelines
         
   
   

Get a Demo
 * 1-855-868-3733
 * Contact
 * Cybersecurity Blog

Experiencing a Breach?
 * 1-855-868-3733
 * Contact
 * Cybersecurity Blog


JOKERSPY | UNKNOWN ADVERSARY TARGETING ORGANIZATIONS WITH MULTI-STAGE MACOS
MALWARE

June 28, 2023
by Phil Stokes
PDF

Recent reports from researchers at BitDefender and Elastic have exposed an
active adversary deploying novel spyware, cross-platform backdoors and an
open-source reconnaissance tool to compromise organizations with macOS devices
in their fleets. Although the number of known victims at this time is small, the
nature of the tooling suggests that the threat actors have likely targeted other
organizations.

In this post, we review the key components and indicators used in the campaign
to help raise awareness and aid security teams and threat hunters.




QRLOG | SUSPECTED INFECTION VECTOR

There is little information about how initial compromise was achieved in the
known compromises, but analysis of the known components provide a strong link to
a trojanized QR code generator discovered in the wild in February 2023.

According to researcher Mauro Eldritch, QRLog is a trojanized QR code generator
written in Java that opens a reverse shell on the host device, allowing the
attacker privileged access. The malicious code is hidden inside a file
QRCodeWriter.java, buried in an otherwise legitimate open source QR code
project.

Base64 blob is an encoded Java file

After determining the host device’s operating system, QRLog decodes an embedded
base64 blob and writes it out to a temporary directory and executes it.

QRLog changes the path separator to suit Windows or Posix-compatible systems
like Linux and macOS

The decoded blob is a .java file that reaches out to a C2 at
hxxps[:]//www[.]git-hub.me/view.php. This is the same C2 as used in the
compromise reported by BitDefender (see below).

QRLog uses the same C2 later seen in an ITW JokerSpy intrusion

If the QRLog malware receives the right response from the C2, it then writes two
further files – p.dat and a Java executable prefTmp.java – to the temp directory
and executes the latter, which now opens the reverse shell from the victim to
the attacker.

The prefTmp.java files opens a reverse shell to the attacker


SHARED.DAT & SH.PY | CROSS-PLATFORM PYTHON BACKDOORS

In the intrusions seen to date, researchers identified two Python backdoors,
shared.dat and sh.py. The former uses a simple rot13 string obfuscation
technique.




Deobfuscated strings found in shared.dat backdoor



The script’s behavior depends on the response from the server, whose address is
hardcoded in plain text. In the intrusion seen by BitDefender, the C2 matched
that seen in the QRLog malware. shared.dat also uses the same strings found in
QRLog to identify packets sent and received from the C2, namely “GITHUB_RES” and
“GITHUB_REQ”.

C2 in shared.dat is the same as noted in QRLog malware

A simple conditional parses the responses.

Parsing commands from the C2 in the shared.dat backdoor

If the device is identified as a macOS device, the malware downloads and
executes the next stage to /Users/Shared/AppleAccount.tgz, which in turn decodes
a further stage to /Users/Shared/TempUser/AppleAccountAssistant.app.

The sh.py backdoor is also multi-platform and requires a separate configuration
file stored at ~/Public/Safari/sar.dat, likely containing the C2 as well as
other parameters. The C2 observed by Elastic in an attack on an unnamed Japanese
cryptocurrency exchange was app.influmarket[.]org.

The backdoor is capable of surveilling the host device and executing commands,
exfiltrating data and deleting files.

The sh.py script is a cross-platform backdoor

Depending on the value received from the configuration file, the backdoor will
beacon out to the C2 at regular intervals, the default being 5 seconds.
Information sent to the attacker includes:

 * Current working directory
 * Username
 * Hostname
 * Domain name
 * OS version
 * Python version
 * Path to sh.py

According to researchers at Elastic, the sh.py script was seen dropping the
open-source macOS red-teaming tool SwiftBelt to the file path /Users/shared/sb
and writing out to a file sb.log in the same directory.

/bin/sh -c /users/shared/sb > /users/shared/sb.log 2>&1



JOKERSPY | MACOS SPYWARE STAGER

In both intrusions seen to date, a further macOS only component was observed.
The file, named “xcc”, attempts to hide as an XProtect component, and uses the
Launch Services identifier com.apple.xprotectcheck.

Identifier=XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=911 flags=0x2(adhoc) hashes=17+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22
CandidateCDHashFull sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
Hash choices=sha256
CMSDigest=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
CMSDigestType=2
Launch Constraints:
    None
CDHash=89706d1258b6f1c165ff8d1d6d13346e02b48e22
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
# designated => cdhash H"89706d1258b6f1c165ff8d1d6d13346e02b48e22" or cdhash H"9860c28299d58e71540c64e56c709aa619cfac27"


The binary is ad hoc signed and is built for both Apple silicon and Intel
architectures. On execution, it runs through several functions with the purpose
of determining:

 * Device Idle Time
 * Active (Frontmost) App
 * Screen status (locked or unlocked)
 * Full Disk Access of the active app
 * Screen Recording permissions of the active app
 * Accessibility (e.g., control other apps) permission of the active app

Output to stdout from executing xcc binary

Threat hunters should note that these are somewhat noisily printed out to
stdout, so will appear in system logs.

The inclusion of the SystemIdleTime() function is interesting and not something
commonly seen in macOS malware. This may indicate the threat actor intends to
establish a pattern of behavior as to when the user is inactive in order to time
attacks. The function itself uses Apple’s IOServiceMatching() api and the now
deprecated IOHIDSystem class to query for the HIDIdleTime value, a timer which
tracks the last time the user interacted with the mouse, trackpad or keyboard,
among other things.

Calls made by the SystemIdleTime() function

At the time of writing, it’s not clear how the xcc binary relates to the other
components, other than that they have been observed together in both instances.
xcc itself provides functionality for system discovery and it is likely there
are further associated spyware and backdoor components that remain to be
discovered.

Elastic observed xcc being executed by three different processes:

 * /Applications/IntelliJ IDEA.app/Contents/MacOS/idea
 * /Applications/iTerm.app/Contents/MacOS/iTerm2
 * /Applications/Visual Studio Code.app/Contents/MacOS/Electron

The researchers suggest that initial access may have been provided via a
malicious plugin or dependency that may have been trojanized in a similar way to
QRLog mentioned above.


SENTINELONE DETECTS JOKERSPY

The SentinelOne agent protects customers from JokerSpy, QRLog and other
malicious components identified in these attacks.



Security teams not protected by SentinelOne are advised to refer to the list of
indicators below for threat hunting and detection.


CONCLUSION

The JokerSpy intrusions reveal a threat actor with the ability to write
functional malware across several different languages – Python, Java, and Swift
– and target multiple operating systems platforms. The relative sophistication
of the multiple components suggests one or more developers devoting considerable
effort to the project, and we can only surmise that further victims are out
there.

There are still several pieces of the puzzle missing, but the intrusion into a
large cryptocurrency exchange indicates a financially-motivated threat actor.
SentinelOne continues to track this threat actor and will provide updates to
this post as they become available.


INDICATORS OF COMPROMISE

Identifiers
com.apple.xprotectcheck

Communications
45[.]76[.]238[.]53
45[.]77].]123].]18
www[.]git-hub.me
app.influmarket[.]org

Files (SHA1)
1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362 – xcc
1f99081affd7bef83d44e0072eb860d515893698 – SwiftBelt
21ffda8a6a05a007ef92088f99ab54485cfe473d – xcc
2234c9fc3c3d340f0367c49c6599379b96544b5a – QRCodeWriter.java
370a0bb4177eeebb2a75651a8addb0477b7d610b – xcc
76b790eb3bed4a625250b961a5dda86ca5cd3a11 – xcc
937a9811b3e5482eb8f96832454723d59229f945 – shared.dat
bd8626420ecfd1ab5f4576d83be35edecd8fa70e – sh.py
c304aef96a783a39aedf1af30de5d5f1c33c68ca – QRLog sample.zip
c7d6ede0f6ac9f060ae53bb1db40a4fbe96f9ceb – shared.dat

Paths

$TEMP/p.dat
$TEMP/prefTmp.java
~/Public/Safari/sar.dat
/Users/shared/sb
/Users/shared/sb.log
/Users/Shared/AppleAccount.tgz
/Users/Shared/TempUser/AppleAccountAssistant.app


--------------------------------------------------------------------------------

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see
the content we post.


READ MORE ABOUT CYBER SECURITY

 * Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack
   Chilean Army 
 * Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search
   Results
 * Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on
   Telegram
 * Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike
   Through Microsoft Security Tool
 * Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in
   Crypto
 * From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000
   Infected Hosts


READ MORE

Get a demo

Defeat every attack, at every stage of the threat lifecycle with SentinelOne

Book a demo and see the world’s most advanced cybersecurity platform in action.

Get Demo

SentinelLabs

SentinelLabs: Threat Intel & Malware Analysis

We are hunters, reversers, exploit developers, & tinkerers shedding light on the
vast world of malware, exploits, APTs, & cybercrime across all platforms.

VISIT SITE

Wizard Spider and Sandworm

MITRE Engenuity ATT&CK Evaluation Results

SentinelOne leads in the latest Evaluation with 100% prevention. Leading
analytic coverage. Leading visibility. Zero detection delays.

SEE RESULTS


LISTEN TO THIS POST



Table of Contents
QRLog | Suspected Infection Vector
 * QRLog | Suspected Infection Vector
 * Shared.dat & sh.py | Cross-Platform Python Backdoors
 * JokerSpy | macOS Spyware Stager
 * SentinelOne Detects JokerSpy
 * Conclusion
 * Indicators of Compromise


SEARCH

Search ...


SIGN UP

Keep up to date with our weekly digest of articles.

*
























Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.

Thanks! Keep an eye out for new content!


RECENT POSTS

 * BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and
   Detection
   July 5, 2023
 * Neo_Net | The Kingpin of Spanish eCrime
   July 3, 2023
 * The Good, the Bad and the Ugly in Cybersecurity – Week 26
   June 30, 2023


BLOG CATEGORIES

 * Cloud
 * Company
 * Cyber Response
 * Data Platform
 * Feature Spotlight
 * For CISO/CIO
 * From the Front Lines
 * Identity
 * Integrations & Partners
 * macOS
 * The Good, the Bad and the Ugly

Company
 * Our Customers
 * Why SentinelOne
 * Platform
 * About
 * Partners
 * Support
 * Careers
 * Legal & Compliance
 * Security & Compliance
 * Contact Us
 * Investor Relations

Resources
 * Blog
 * Labs
 * Hack Chat
 * Press
 * News
 * FAQ
 * Resources
 * Ransomware Anthology

Global Headquarters

444 Castro Street
Suite 400
Mountain View, CA 94041

+1-855-868-3733

sales@sentinelone.com

Sign Up For Our Newsletter
*




Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.
Thank you! You will now receive our weekly newsletter with all recent blog
posts. See you soon!
English
 * English
 * 日本語
 * Deutsch
 * Español
 * Français
 * Italiano
 * Dutch
 * 한국어

©2023 SentinelOne, All Rights Reserved.
Privacy Policy Master Subscription Agreement










PRIVACY PREFERENCE CENTER

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All


MANAGE CONSENT PREFERENCES

FUNCTIONAL COOKIES

Functional Cookies

These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.

STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.

PERFORMANCE COOKIES

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

TARGETING COOKIES

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

Back Button Back



Vendor Search Search Icon
Filter Icon

Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Confirm My Choices


By clicking “Accept All Cookies”, you agree to the storing of cookies on your
device to enhance site navigation, analyze site usage, and assist in our
marketing efforts.

Cookies Settings Accept All Cookies

word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word

mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
We'd like to show you notifications for the latest news and updates.


AllowCancel