Initial research exposing JOKERSPY

Key takeaways,

This is an initial notification of an active intrusion with additional details to follow
REF9134 leverages custom and open source tools for reconnaissance and command and control
Targets of this activity include a cryptocurrency exchange in Japan

To identify other binaries signed with the same identifier, we converted XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4 to hexadecimal and searched VirusTotal to identify 3 additional samples (content:{5850726f74656374436865636b2d35353535343934346637343039366138333662373333313062643535643937643164666635636434}). 

Each contained the same core functionality with structural differences. These discrepancies may indicate that these variants of xcc were developed to bypass endpoint capabilities that interfered with execution.

Shortly after the creation of xcc, researchers observed the threat actor copying /Users/Shared/tcc.db over the existing TCC database, /Library/Application Support/ This may enable the threat to avoid TCC prompts visible to system users while simultaneously abusing a directory with broad file write permissions.


Upon successfully executing in our Detonate environment, the following results were displayed:


Once the custom TCC database was placed in the expected location, the threat actor executed the xcc binary.

Initial access,

The xcc binary was executed via bash by three separate processes

/Applications/Visual Studio 

While we are still investigating and continuing to gather information, we strongly believe that the initial access for this malware was a malicious or backdoored plugin or 3rd party dependency that provided the threat actor access. This aligns with the connection that was made by the researchers at Bitdefender who correlated the hardcoded domain found in a version of the backdoor to a Tweet about an infected macOS QR code reader which was found to have a malicious dependency.


As part of its periodic beaconing, the malware gathers and transmits various system information. The information sent includes:

Domain name
Current directory
The absolute path of the executable binary
OS version
Is 64-bit OS
Is 64-bit process
Python version

Below is a table outlining the various commands that can be handled by the backdoor:


Stop the backdoor’s execution

List the files of the path provided as parameter

Execute and return the output of a shell command

Change directory and return the new path

Execute a Python code given as a parameter in the current context

Decode a Base64-encoded Python code given as a parameter, compile it, then execute it

Remove a file or directory from the system

Execute a file from the system with or without parameter

Upload a file to the infected system

Download a file from the infected system

Get the current malware’s configuration stored in the configuration file

Override the malware’s configuration file with new values

Observed tactics and techniques,rule Macos_Hacktool_JokerSpy {
author = “Elastic Security”
creation_date = “2023-06-19”
last_modified = “2023-06-19”
os = “MacOS”
arch = “x86”
category_type = “Hacktool”
family = “JokerSpy”
threat_name = “Macos.Hacktool.JokerSpy”
reference_sample = “d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8”
license = “Elastic License v2”
$str1 = “ScreenRecording: NO” fullword
$str2 = “Accessibility: NO” fullword
$str3 = “Accessibility: YES” fullword
$str4 = “eck13XProtectCheck”
$str5 = “Accessibility: NO” fullword
$str6 = “kMDItemDisplayName = *TCC.db” fullword
5 of them

}rule MacOS_Hacktool_Swiftbelt {
author = “Elastic Security”
creation_date = “2021-10-12”
last_modified = “2021-10-25”
threat_name = “MacOS.Hacktool.Swiftbelt”
reference_sample = “452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1”
os = “macos”
arch_context = “x86”
license = “Elastic License v2”

$dbg1 = “SwiftBelt/Sources/SwiftBelt”
$dbg2 = “[-] Firefox places.sqlite database not found for user”
$dbg3 = “[-] No security products found”
$dbg4 = “SSH/AWS/gcloud Credentials Search:”
$dbg5 = “[-] Could not open the Slack Cookies database”
$sec1 = “[+] Malwarebytes A/V found on this host”
$sec2 = “[+] Cisco AMP for endpoints found”
$sec3 = “[+] SentinelOne agent running”
$sec4 = “[+] Crowdstrike Falcon agent found”
$sec5 = “[+] FireEye HX agent installed”
$sec6 = “[+] Little snitch firewall found”
$sec7 = “[+] ESET A/V installed”
$sec8 = “[+] Carbon Black OSX Sensor installed”
$sec9 = “/Library/Little Snitch”
$sec10 = “/Library/FireEye/xagt”
$sec11 = “/Library/CS/falcond”
$sec12 = “/Library/Logs/PaloAltoNetworks/GlobalProtect”
$sec13 = “/Library/Application Support/Malwarebytes”
$sec14 = “/usr/local/bin/osqueryi”
$sec15 = “/Library/Sophos Anti-Virus”
$sec16 = “/Library/Objective-See/Lulu”
$sec17 = “com.eset.remoteadministrator.agent”
$sec18 = “/Applications/CarbonBlack/CbOsxSensorService”
$sec19 = “/Applications/BlockBlock”
$sec20 = “/Applications/”
6 of them


The following were referenced throughout the above research:

Article Link: Emerging Threat! Exposing JOKERSPY | Elastic

1 post – 1 participant

Read full topic