Attackers tracked as the REF9134 intrusion set compromised an unnamed major Japan-based cryptocurrency service provider, one specializing in Ethereum and Bitcoin trading, with the novel JokerSpy macOS backdoor earlier this month, reports The Hacker News.
The JokerSpy toolkit includes a multi-architecture binary dubbed 'xcc', signed as XProtectCheck, that monitors the FullDiskAccess and ScreenRecording permissions while evading Apple's security protections, according to a report from Elastic Security Labs. The attackers used Bash to launch the xcc binary from the IntelliJ IDEA, iTerm and Visual Studio Code apps, then set up their own dedicated TCC database to evade TCC permission checks, deployed the 'sh.py' Python implant, and ran the open-source macOS post-exploitation enumeration tool Swiftbelt. "Unlike other enumeration methods, Swiftbelt invokes Swift code to avoid creating command line artifacts. Notably, xcc variants are also written using Swift," the researchers said.
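The execution chain described above (developer app, then Bash, then the xcc binary presenting itself as XProtectCheck) lends itself to a process-ancestry detection. The following is an added illustration, not code from Elastic or SC Media: the event schema, the process names assumed for the launch apps, and the sample events are all constructed for the example.

```python
"""Process-tree detection for the bash -> xcc launch chain described above.
Field names and the sample events are constructed assumptions, not any
particular EDR's telemetry schema."""
import os
from dataclasses import dataclass

# Assumed process names for the launch apps named in the report.
LAUNCH_APPS = {"IntelliJ IDEA", "iTerm", "iTerm2", "Code"}
SHELLS = {"bash", "sh", "zsh"}
# File name and signing name the report associates with the xcc binary.
SUSPECT_NAMES = {"xcc"}
SUSPECT_SIGNERS = {"XProtectCheck"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str    # process name
    path: str    # executable path
    signer: str  # code-signing identity (assumed field)


def detect_xcc_chain(events):
    """Return (pid, chain) for every process that is named xcc or signed as
    XProtectCheck AND was spawned by a shell that a launch app started."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        suspect = (os.path.basename(e.path) in SUSPECT_NAMES
                   or e.signer in SUSPECT_SIGNERS)
        if not suspect:
            continue
        shell = by_pid.get(e.ppid)
        if shell is None or shell.name not in SHELLS:
            continue
        app = by_pid.get(shell.ppid)
        if app is None or app.name not in LAUNCH_APPS:
            continue
        hits.append((e.pid, f"{app.name} -> {shell.name} -> {e.name}"))
    return hits


# Constructed sample: one matching chain plus a benign build tool from the same IDE.
SAMPLE = [
    ProcEvent(100, 1, "IntelliJ IDEA", "/Applications/IntelliJ IDEA.app/Contents/MacOS/idea", "JetBrains"),
    ProcEvent(101, 100, "bash", "/bin/bash", "Software Signing"),
    ProcEvent(102, 101, "xcc", "/Users/dev/Library/xcc", "XProtectCheck"),
    ProcEvent(103, 100, "bash", "/bin/bash", "Software Signing"),
    ProcEvent(104, 103, "gradle", "/usr/local/bin/gradle", "Gradle"),
]

if __name__ == "__main__":
    for pid, chain in detect_xcc_chain(SAMPLE):
        print(f"ALERT pid={pid}: {chain}")
```

The benign gradle child from the same IDE is not flagged, which is the point of requiring both the suspect name or signer and the app-to-shell ancestry.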