JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware
Recent reports from researchers at BitDefender and Elastic have exposed an active adversary deploying novel spyware, cross-platform backdoors and an open-source reconnaissance tool to compromise organizations with macOS devices in their fleets. Although the number of known victims at this time is small, the nature of the tooling suggests that the threat actors have likely targeted other organizations.
In this post, we review the key components and indicators used in the campaign to help raise awareness and aid security teams and threat hunters.
QRLog | Suspected Infection Vector
There is little information about how initial compromise was achieved in the known cases, but analysis of the known components provides a strong link to a trojanized QR code generator discovered in the wild in February 2023.
According to researcher Mauro Eldritch, QRLog is a trojanized QR code generator written in Java that opens a reverse shell on the host device, allowing the attacker privileged access. …
IoC