Emerging Threat! Exposing JOKERSPY
An overview of JOKERSPY, discovered in June 2023, which deployed custom and open source macOS tools to exploit a cryptocurrency exchange located in Japan.
This research article explores a recently discovered intrusion we’re calling REF9134, which involves using the sh.py backdoor to deploy the macOS Swiftbelt enumeration tool. sh.py and xcc have recently been dubbed JOKERSPY by Bitdefender.
Specifically, this research covers:
- How Elastic Security Labs identified reconnaissance from the adversary group
- The adversary’s steps to evade detection using xcc, installing the sh.py backdoor, and deploying enumeration tools
A deeper look at this attack may be published at a later date.
In late May 2023, an adversary with existing access to a prominent Japanese cryptocurrency exchange tripped one of our diagnostic endpoint alerts, which detected the execution of a binary named xcc. xcc is not signed by an Apple-trusted certificate; the adversary self-signed it using the native macOS tool codesign. While this detection in itself was …
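Two checks a responder would run on a host after an alert like the one above are (1) hashing files on disk against the published file IoCs and (2) reading the codesign verdict for the flagged binary to see whether it chains to Apple or is self-signed. The following Python is an added example written for this page, not Elastic Security Labs' tooling or code from the intrusion: the IoC hashes are copied from the list below, the `build_demo_dir` files and the `codesign` output samples are constructed, and the `codesign -dvv` line format (`Signature=adhoc`, `Authority=...`, `code object is not signed at all`) is an assumption to verify against your own macOS version.

```python
"""Triage helpers for the REF9134 / JOKERSPY file IoCs and the self-signed
xcc pattern. Added example for this page; not Elastic's tooling."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File hashes from the article's IoC list: one SHA-1 (40 hex) and four SHA-256.
IOC_HASHES = {
    "452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1",
    "55554944f74096a836b73310bd55d97d1dff5cd4",
    "8ca86f78f0c73a46f31be366538423ea0ec58089f3880e041543d08ce11fa626",
    "aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1",
    "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8",
}


def file_hashes(path):
    """Return (sha1, sha256) hex digests of a file, read in 1 MiB chunks so
    large binaries do not have to fit in memory."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h1.update(chunk)
            h256.update(chunk)
    return h1.hexdigest(), h256.hexdigest()


def scan_for_iocs(root, iocs=IOC_HASHES):
    """Walk `root` and return [(path, matched_digest)] for every regular file
    whose SHA-1 or SHA-256 is in `iocs`. Symlinks are skipped so a planted
    link cannot make us hash files outside `root`; unreadable files are skipped."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                sha1, sha256 = file_hashes(p)
            except OSError:
                continue
            for digest in (sha1, sha256):
                if digest in wanted:
                    hits.append((str(p), digest))
    return sorted(hits)


def classify_codesign(output):
    """Classify the text printed by `codesign -dvv <binary>` (it goes to stderr).
    Assumed line format, to be verified against your macOS version:
      - 'code object is not signed at all'  -> unsigned
      - 'Signature=adhoc'                   -> ad-hoc (no certificate at all)
      - 'Authority=' lines list the chain; a chain ending in 'Apple Root CA'
        is Apple-trusted, a single Authority line means the leaf is its own
        root (self-signed), anything else is a non-Apple chain."""
    if "code object is not signed at all" in output:
        return "unsigned"
    if re.search(r"^Signature=adhoc$", output, re.M):
        return "adhoc"
    authorities = re.findall(r"^Authority=(.*)$", output, re.M)
    if not authorities:
        return "unknown"
    if authorities[-1].strip() == "Apple Root CA":
        return "apple-chained"
    if len(authorities) == 1:
        return "self-signed"
    return "non-apple-chain"


# Constructed codesign outputs (not captured from the intrusion).
SAMPLE_SELF_SIGNED = """Executable=/tmp/example/xcc
Identifier=xcc
Format=Mach-O thin (x86_64)
Authority=xcc
Info.plist=not bound
"""
SAMPLE_APPLE = """Executable=/Applications/Example.app/Contents/MacOS/Example
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SAMPLE_ADHOC = "Executable=/tmp/example/tool\nSignature=adhoc\n"
SAMPLE_UNSIGNED = "/tmp/example/tool: code object is not signed at all\n"


def build_demo_dir():
    """Create a constructed directory with one sample file (contents b'hello')
    and return (dir_path, sample_file_path) so the scanner can be exercised."""
    d = tempfile.mkdtemp(prefix="ioc-demo-")
    sample = Path(d) / "sample.bin"
    sample.write_bytes(b"hello")
    return d, str(sample)


if __name__ == "__main__":
    demo_dir, sample = build_demo_dir()
    print("hits against published IoCs:", scan_for_iocs(demo_dir))
    print("xcc-style codesign verdict:", classify_codesign(SAMPLE_SELF_SIGNED))
```

On a live host, run `scan_for_iocs` over the paths you care about and feed `classify_codesign` the stderr of `codesign -dvv <path>`; a self-signed or ad-hoc verdict on a binary that also executed is exactly the condition the alert above fired on.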
IoC
- SHA-256: 452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1
- SHA-1: 55554944f74096a836b73310bd55d97d1dff5cd4
- SHA-256: 8ca86f78f0c73a46f31be366538423ea0ec58089f3880e041543d08ce11fa626
- SHA-256: aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1
- SHA-256: d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8
- URL: http://app.influmarket.org