Fragments of a New Sophisticated macOS Toolkit found in the Wild

As I have often said, the idea that an operating system or brand of computer is somehow immune to attack or malware is simply false. We have seen time and time again that attackers are all too capable of compromising what was once considered “secure”. Now security researchers have found evidence of a sophisticated cross-platform toolkit, which could indicate an increased focus on macOS.

Although not much is known about the new toolkit or the threat group behind it, some new samples uploaded to VirusTotal indicate the presence of the new toolkit. The first sample was uploaded by an unknown user on April 18th, 2023. Three more samples were uploaded by a yet-to-be-disclosed victim working with researchers at Bitdefender. Bitdefender has not finished its investigation yet but is tracking the components as JokerSpy.

The four samples in total break down into three types of malicious payloads. The first is a generic Python backdoor (shared.dat). This backdoor creates a UID to identify the compromised device, which also serves as the name for an additional file (.dat). The malware then starts a “while true” loop intended to establish communication with the C2 (Command and Control) server using a custom packet. The backdoor can run four commands: one extracts basic information, and one runs a specific command on the compromised system. The third command behaves differently on Linux and macOS: on macOS it grabs the account list from the device, while on Linux it appears to identify the flavor of Linux in use (Debian, Fedora, etc.). The last command is an exit command used to stop the backdoor's while true loop.

The second sample seems to be a much more sophisticated backdoor (sh.py) which expands on the capabilities of the previous backdoor. Here the command list expands from four to roughly 11. It also includes the expected function to collect information about the compromised system.

The last sample is the most unusual, although it seems to be primarily a system check rather than a backdoor or other tool. The malware is a FAT binary with multi-architecture support (x86 Intel and ARM M1). The binary is written in Swift and seems to be intended specifically for macOS 12 and later. The functions identified in the sample all point to checking the state of macOS permissions and other security controls. The malware looks to access the macOS Accessibility API to gather information on applications that hold the following permissions: Full Disk Access, Screen Recording and Accessibility. These permissions are critical for follow-on compromise, as they allow significant control over the OS and device. The malware also checks which application the active user is currently using, possibly as a way to identify a method for further infection.
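A defender-side counterpart to the check described above, added here as an example (it is not code from the page, from Bitdefender, or from the toolkit): it lists which clients currently hold the three TCC permissions the Swift binary enumerates, so an administrator can spot unexpected grants. The TCC service identifiers and the meaning of `auth_value` are assumed from the macOS 11+ TCC.db schema; the sample database is constructed inline rather than read from a real system.

```python
import os
import sqlite3
import tempfile

# Assumed TCC service identifiers for the three permissions the page names.
WATCHED_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
}
AUTH_ALLOWED = 2  # assumed: auth_value 2 == "allowed" in the macOS 11+ schema


def audit_tcc(db_path):
    """Return {client: [permission names]} for every client granted one of
    the watched permissions. On a real Mac db_path would be the system
    /Library/Application Support/com.apple.TCC/TCC.db or the per-user copy;
    reading either needs Full Disk Access, so run from an authorised context."""
    placeholders = ",".join("?" * len(WATCHED_SERVICES))
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            f"SELECT client, service FROM access "
            f"WHERE auth_value = ? AND service IN ({placeholders})",
            (AUTH_ALLOWED, *WATCHED_SERVICES),
        ).fetchall()
    finally:
        con.close()
    findings = {}
    for client, service in rows:
        findings.setdefault(client, []).append(WATCHED_SERVICES[service])
    return {c: sorted(p) for c, p in sorted(findings.items())}


def build_sample_db(path):
    """Constructed stand-in for TCC.db with only the columns the audit reads."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?,?,?,?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 2),
        ("kTCCServiceScreenCapture", "com.example.meetings", 0, 2),
        ("kTCCServiceAccessibility", "com.example.meetings", 0, 2),
        ("kTCCServiceAccessibility", "com.example.denied", 0, 0),  # denied
        ("kTCCServiceCamera", "com.example.meetings", 0, 2),       # not watched
    ])
    con.commit()
    con.close()


def demo():
    """Build the constructed database in a temp dir and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    build_sample_db(path)
    return audit_tcc(path)


if __name__ == "__main__":
    for client, perms in demo().items():
        print(f"{client}: {', '.join(perms)}")
```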

Bitdefender acknowledges that this investigation is not complete. They are still putting the pieces of the puzzle together, but the pieces they do have are enough to give them a possible picture. This picture indicates that a threat actor likely has a larger effort to target macOS systems in play. Who this threat actor is, is not yet known, and it might take some time to properly identify who is behind this new toolkit. Right now, Bitdefender has listed the hashes of the samples they have identified and the URLs used by the threat group. These can, and should be, leveraged by organizations to identify and quarantine the malicious files in their environments.

This information should also serve as a heads-up for anyone that still thinks of any particular OS as more secure. Threat actors are well aware of this bias and will use it to target those systems which are left less protected.
