JokerSpy backdoor Mac malware found in the wild


In June, two research teams independently discovered a new Mac malware family, dubbed JokerSpy. One of the malware's early stages includes a cross-platform component, hinting that variants of JokerSpy may also exist for Windows and Linux.

Let's explore what you need to know about this new Mac threat and how you can stay protected.


What does JokerSpy Mac malware do?

Currently the initial infection vector (i.e. how the malware gets onto a Mac) is unknown.

Once deployed, the earliest known stage of the malware is a Python backdoor (filename sh.py) that can be used to download additional components. On one infected system at a "prominent Japanese cryptocurrency exchange," the malware was seen downloading SwiftBelt to gain additional capabilities. SwiftBelt is a legitimate red-teaming tool developed by Cedric Owens, a Mac-focused offensive security engineer. Unfortunately, bad guys like JokerSpy's distributors can use good guys' tools for malicious purposes.

Once a system is compromised and infected with malware like JokerSpy, the attacker effectively has a great degree of control over the system. With a backdoor, attackers can install additional components in the background, and may potentially run further exploits, monitor users' behavior, steal login credentials or cryptocurrency wallets, and more.

How can one remove or prevent JokerSpy and other Mac malware?


Intego VirusBarrier X9, included with Intego's Mac Premium Bundle X9, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX/JokerSpy, Python/JokerSpy, or names similar to adware/OSX/Agent.jlejb.

If you believe your Mac may be infected, or simply want to prevent future infections, use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It's compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.

Additionally, if you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from this and other PC malware.

VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that you should upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.

Is JokerSpy related to SysJoker?

JokerSpy is not known to be related to SysJoker, which we wrote about in January 2022, but there are some coincidental similarities. Both are multi-platform backdoor malware families with components that can infect macOS, Windows, and Linux PCs. And interestingly, both are known to have used GitHub lookalike domains.

In the case of JokerSpy, the "joker" part of the name comes from the apparent username of its developer's macOS login; "Spy" is also found in the same path string in one of JokerSpy's macOS executable files: /Users/joker/Downloads/Spy/XProtectCheck/

One research team noted that a particular sample of JokerSpy malware "has a code signature resembling" a payload from the SmoothOperator Trojanized 3CX software that Intego wrote about in April 2023.

JokerSpy indicators of compromise (IoCs)

The following SHA-256 hashes may relate to JokerSpy malware campaigns:

39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4
5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272
6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c
8ca86f78f0c73a46f31be366538423ea0ec58089f3880e041543d08ce11fa626
951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c
aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1
d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8

The following command-and-control (C&C) domains have reportedly been used in conjunction with this malware:

git-hub[.]me
app.influmarket[.]org

Network administrators can check recent network traffic logs (DNS resolver and web proxy logs are the most likely places to find such lookups) to try to identify whether any computers on their network may have attempted to contact one of these domains, which could indicate a possible infection.

The first domain above was previously observed in connection with "QRLog" Java RAT malware, according to researcher Mauro Eldritch in a February 2023 write-up. (The original analysis is no longer online; see the Bing cached version and an Internet Archive backup thereof.)
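The following script is an added example of how to sweep for the indicators listed above; it is not Intego's tooling, nor code from either research team. It embeds the SHA-256 hashes, the two defanged C&C domains, and the /Users/joker/Downloads/Spy/XProtectCheck/ build path mentioned earlier in this article, then checks resolver log lines against the domains and file contents against the hashes and the path string. The log format (`client=... query=...`) and the sample log lines are constructed for the example; adjust the `LOG_LINE` regular expression to match your own resolver's format (Unbound, dnsmasq, Zeek dns.log and so on).

```python
import hashlib
import re
import sys
from typing import List, NamedTuple, Optional, Set

# SHA-256 hashes from this article's IoC list (lowercase for comparison).
JOKERSPY_SHA256: Set[str] = {
    "39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4",
    "5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272",
    "6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c",
    "8ca86f78f0c73a46f31be366538423ea0ec58089f3880e041543d08ce11fa626",
    "951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c",
    "aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1",
    "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8",
}

# C&C domains from the article, kept defanged so the list is safe to paste around.
JOKERSPY_DOMAINS_DEFANGED = ["git-hub[.]me", "app.influmarket[.]org"]

# Developer build path the article reports inside one JokerSpy Mach-O binary.
JOKERSPY_BUILD_PATH = b"/Users/joker/Downloads/Spy/XProtectCheck/"


def refang(indicator: str) -> str:
    """Turn a defanged hostname such as 'git-hub[.]me' back into 'git-hub.me'."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


C2_DOMAINS: Set[str] = {refang(d) for d in JOKERSPY_DOMAINS_DEFANGED}


def host_matches(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that `host` equals or is a subdomain of, else None.

    Deliberately narrow: app.influmarket.org is listed, the bare
    influmarket.org is not, so the latter is not flagged.
    """
    host = host.strip().lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


class C2Hit(NamedTuple):
    client: str
    host: str
    ioc: str


# Constructed log format for this example: "<ts> client=<ip> query=<name> type=<rr>".
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<host>\S+)")


def find_c2_contacts(lines) -> List[C2Hit]:
    """Scan resolver log lines and return every query for a listed C&C domain."""
    hits: List[C2Hit] = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        ioc = host_matches(m.group("host"), C2_DOMAINS)
        if ioc:
            hits.append(C2Hit(m.group("client"), m.group("host").lower().rstrip("."), ioc))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_jokerspy_hash(digest: str) -> bool:
    return digest.strip().lower() in JOKERSPY_SHA256


def scan_bytes(data: bytes) -> List[str]:
    """Check file contents against the hash list and the build-path string.

    The path string is the weaker of the two indicators: it survives a rebuild
    of the binary, but could in principle appear in an unrelated file.
    """
    reasons = []
    digest = sha256_hex(data)
    if is_known_jokerspy_hash(digest):
        reasons.append("sha256 " + digest)
    if JOKERSPY_BUILD_PATH in data:
        reasons.append("build path " + JOKERSPY_BUILD_PATH.decode())
    return reasons


# Constructed sample log: only the second, third and fifth lines should match.
SAMPLE_DNS_LOG = """\
2023-06-20T09:14:02Z client=10.0.0.12 query=www.github.com type=A
2023-06-20T09:14:05Z client=10.0.0.12 query=git-hub.me type=A
2023-06-20T09:15:41Z client=10.0.0.27 query=app.influmarket.org type=A
2023-06-20T09:16:03Z client=10.0.0.27 query=influmarket.org type=A
2023-06-20T09:17:30Z client=10.0.0.30 query=cdn.git-hub.me type=AAAA
"""

if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit.client} queried {hit.host} (matches IoC {hit.ioc})")
    for path in sys.argv[1:]:  # optional: files to hash and string-scan
        with open(path, "rb") as fh:
            for reason in scan_bytes(fh.read()):
                print(f"{path}: {reason}")
```

Run it with no arguments to see the three hits from the constructed log, or pass file paths to hash them and look for the build-path string. A hash hit is strong evidence; a hit on the path string alone, or a lookup of a listed domain, is a lead that should be followed up by pulling the file or the endpoint for analysis rather than treated as proof on its own.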

Is JokerSpy known by any other names?

Other vendors' names for threat components related to this malware campaign may include variations of the following, among others:

Adware.ADWARE/OSX.Agent.gedwx, Adware.ADWARE/OSX.Agent.jlejb, Adware/Joker!OSX, Backdoor.Python.JokerSpy.a, Backdoor.Python.JokerSpy.b, HEUR:Trojan.OSX.JokerSpy.a, Joke:MacOS/Multiverze, MacOS:Joker-B [Trj], OSX.Trojan.Gen, OSX/JokerSpy-A, OSX/Spy.Joker.A, Python:Joker-A [Trj], Python:Joker-B [Trj], Python/Spy.Joker.A, Riskware.OSX.Agent.1!c, Trojan Horse, Trojan:Python/PyJoker.AC, Trojan.MAC.JokerSpy.A (B), Trojan.MAC.JokerSpy.A [many], Trojan.MAC.JokerSpy.C (B), Trojan.OSX.JokerSpy.4!c, Trojan.Python.JokerSpy.A (B), Trojan.Python.JokerSpy.B (B), Trojan.Python.JokerSpy.C (B), Trojan.Script.JokerSpy.4!c, Trojan.Win32.FRS.VSNW15F23

How can I learn more?

For more technical details about the JokerSpy malware, you can read Lapusneanu and Botezatu's write-up from June 16, and Wilhoit, Bitam, Goodwin, Pease, and Ungureanu's write-up from June 21.

We briefly discussed JokerSpy on episode 297 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego's Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don't miss any episodes.


JokerSpy logo images based on: "Jester- Joker Card" by GoShows (CC BY 2.0) and "Matrix – iPhone Background" by Patrick Hoesly (CC BY 2.0); both images modified.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter/X, LinkedIn, and Mastodon.