Japanese Cryptocurrency Exchange Hit by JokerSpy Attack

JokerSpy is a powerful toolkit designed to exploit macOS Macs. It was first described by Bitdefender last week. JokerSpy consists of numerous programs written in Python and Swift that allow the collection of data and execution of arbitrary commands on compromised hosts.

One of the fundamental components of JokerSpy is a self-signed program called "xcc" that checks for full disk access and screen recording rights. The file is signed as XProtectCheck, which implies an attempt to disguise itself as XProtect, the built-in antivirus technology in macOS.

“On June 1, a new Python tool was spotted that ran from the same directory as xcc and was used to run an open-source post-operational tool for macOS called Swiftbelt,” claimed Elastic security experts.

The hack targeted a prominent Japanese cryptocurrency service provider specializing in asset swaps to exchange Bitcoin, Ethereum, and other mainstream cryptocurrencies. The name of the company was not divulged.

The "xcc" binary is executed with Bash through three distinct applications: IntelliJ IDEA, iTerm (terminal emulator for macOS), and Visual Studio Code.

Another module loaded as part of the attack is sh.py, a Python implant that is used as a conduit for delivering other post-exploitation tools, such as Swiftbelt.

macOS users should be careful not to download malicious files or apps from untrusted sources. It is also essential to use effective antivirus software and to frequently update the system and applications to protect data and bitcoin from hackers.