
Japanese cryptocurrency exchange targeted in JokerSpy macOS backdoor attack


An unnamed cryptocurrency exchange in Japan was the victim of a targeted attack earlier this month in which the attackers deployed a macOS backdoor known as JokerSpy. Elastic Security Labs, which tracks the intrusion as REF9134, reported that the attack culminated in the installation of Swiftbelt, a Swift-based enumeration tool inspired by the open-source Windows utility Seatbelt. The JokerSpy toolkit, which Bitdefender had earlier described as a sophisticated toolset built to compromise macOS machines, was the primary weapon used in the attack.

Little is currently known about the threat actor behind this operation, beyond the fact that the attacks combine programs written in Python and Swift that can gather data and execute arbitrary commands on compromised hosts. A key component of the toolkit is a self-signed, multi-architecture binary named xcc, which checks whether the current process has been granted the FullDiskAccess and ScreenRecording TCC permissions. The file masquerades as XProtectCheck, borrowing the name of XProtect, the built-in macOS anti-malware technology that uses signature-based detection rules to remove known malware from infected hosts.

In the incident analyzed by Elastic, the creation of xcc was followed by an attempt to bypass TCC permissions: the threat actor created their own TCC database and tried to replace the existing one. Security researchers Colson Wilhoit, Salim Bitam, Seth Goodwin, Andrew Pease, and Ricardo Ungureanu found that on June 1 a new Python-based tool was executed from the same directory as xcc, and that this tool in turn ran Swiftbelt, an open-source macOS post-exploitation enumeration tool.

The target was a major cryptocurrency service provider based in Japan that specializes in asset exchange for popular cryptocurrencies such as Bitcoin and Ethereum. The company's name has not been disclosed. The xcc binary was launched through Bash from three different applications: IntelliJ IDEA, iTerm (a terminal emulator for macOS), and Visual Studio Code. Elastic suggests this could indicate that backdoored versions of these software development tools were used to gain initial access.
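The three behaviours described above (a non-Apple binary carrying an XProtect-style name, a TCC database modified by something other than tccd, and an unsigned binary spawned through a shell from a developer tool) are all things an endpoint detection rule can look for. The script below is an added example written for this article; it is not Elastic's detection logic or any part of the JokerSpy toolkit. The event record shape, the field names, the list of developer-tool parent process names, and the sample events are all assumptions constructed for illustration; real EDR telemetry will carry different field names and will need tuning, since IDE-spawned shells are common on developer machines.

```python
"""Hunt for the JokerSpy-style behaviours described in the article.
Added example; event format and sample data are constructed, not real telemetry."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Both TCC databases on macOS (system-wide under /Library, per-user under ~/Library)
# end in this suffix. Only tccd legitimately writes them.
TCC_DB_SUFFIX = "Library/Application Support/com.apple.TCC/TCC.db"
LEGIT_TCC_WRITER = "tccd"

# Assumed process names for the developer tools named in the article.
DEV_APP_PARENTS = {"idea", "iTerm2", "Code Helper"}
SHELLS = {"bash", "sh", "zsh"}
# Locations where a vendor-installed or package-managed binary is expected to live.
EXPECTED_BIN_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Applications/", "/opt/")


@dataclass
class Event:
    kind: str                       # "exec", "file_write" or "rename"
    process: str                    # basename of the acting process
    path: str                       # executable path (exec) or target path (file ops)
    ancestors: List[str] = field(default_factory=list)  # parent chain, nearest first
    apple_signed: bool = False      # True only for binaries signed by Apple
    argv: List[str] = field(default_factory=list)


def xprotect_masquerade(ev: Event) -> Optional[str]:
    """A process named after XProtect that Apple did not sign is an impostor."""
    if ev.kind == "exec" and "xprotect" in ev.process.lower() and not ev.apple_signed:
        return "xprotect_name_not_apple_signed"
    return None


def tcc_db_tamper(ev: Event) -> Optional[str]:
    """Any write to, or rename onto, a TCC.db path by something other than tccd."""
    if ev.kind in ("file_write", "rename") and ev.path.endswith(TCC_DB_SUFFIX) \
            and ev.process != LEGIT_TCC_WRITER:
        return "tcc_db_modified_outside_tccd"
    return None


def devtool_shell_launch(ev: Event) -> Optional[str]:
    """Developer tool -> shell -> unsigned binary outside the usual install locations."""
    if ev.kind != "exec" or ev.apple_signed or len(ev.ancestors) < 2:
        return None
    shell, app = ev.ancestors[0], ev.ancestors[1]
    if shell in SHELLS and app in DEV_APP_PARENTS \
            and not ev.path.startswith(EXPECTED_BIN_PREFIXES):
        return "devtool_shell_spawned_unsigned_binary"
    return None


RULES = (xprotect_masquerade, tcc_db_tamper, devtool_shell_launch)


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (process, rule_name) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev.process, name))
    return hits


# Constructed sample events (not from the real intrusion); paths are illustrative.
SAMPLE_EVENTS = [
    # self-signed xcc masquerading as XProtectCheck, run via bash from IntelliJ
    Event("exec", "XProtectCheck", "/Users/dev/Library/Caches/xcc/XProtectCheck",
          ancestors=["bash", "idea"], apple_signed=False),
    # attacker-crafted TCC.db renamed over the user's real one by a Python tool
    Event("rename", "python3",
          "/Users/dev/Library/Application Support/com.apple.TCC/TCC.db",
          ancestors=["bash"]),
    # legitimate tccd updating the system database: must not fire
    Event("file_write", "tccd", "/Library/Application Support/com.apple.TCC/TCC.db",
          ancestors=["launchd"], apple_signed=True),
    # Apple-signed tool with XProtect in its name: must not fire
    Event("exec", "XProtect", "/Library/Apple/System/Library/CoreServices/XProtect",
          ancestors=["launchd"], apple_signed=True),
    # normal developer activity: signed git from a VS Code terminal
    Event("exec", "git", "/usr/bin/git", ancestors=["bash", "Code Helper"], apple_signed=True),
    # unsigned but package-managed binary from an iTerm shell: excluded by prefix
    Event("exec", "node", "/opt/homebrew/bin/node", ancestors=["zsh", "iTerm2"]),
]

if __name__ == "__main__":
    for process, rule in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {process}")
```

The first sample event trips two rules at once, which is the point: the name-based check and the process-ancestry check are independent, so a variant that drops the XProtectCheck name is still caught by where it was launched from, and one launched some other way is still caught by its name. The TCC rule keys on the destination path rather than the writing tool, so it covers both in-place edits and the rename-over-the-original approach the article describes.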

Another notable module installed during the attack is sh.py, a Python implant that served as the conduit for delivering additional post-exploitation tools such as Swiftbelt. Swiftbelt is notable in that it performs its enumeration through Swift API calls rather than by running command-line utilities, so it leaves no command-line artifacts; the researchers noted that the xcc variants are written in Swift as well.

This targeted attack on a Japanese cryptocurrency exchange underscores the growing sophistication of threats facing the cryptocurrency industry, and the value of monitoring the specific behaviours seen here: binaries masquerading as Apple security components, tampering with the TCC database, and unexpected child processes spawned from developer tools. As the investigation continues, organizations holding digital assets should remain vigilant and proactive in protecting the workstations and infrastructure that control them.
