JokerSpy is a multi-stage macOS spyware campaign described by BitDefender and Elastic, featuring a trojanized QR code generator (QRLog), cross-platform backdoors (shared.dat and sh.py), and a macOS stager (xcc). The actors appear to be financially motivated, with tooling in Python, Java, and Swift aimed at organizations running macOS devices. #JokerSpy #QRLog #shared.dat #sh.py #SwiftBelt
Keypoints
- JokerSpy represents a multi-language, cross-platform macOS intrusion set targeting organizations with macOS fleets.
- QRLog is a trojanized Java-based QR code generator that decodes a base64 blob, writes it to disk, and executes it to contact a C2.
- The same campaign uses Python backdoors (shared.dat and sh.py) capable of beaconing, data exfiltration, and command execution across platforms.
- Shared.dat and QRLog share the same C2 infrastructure (e.g., git-hub.me) and use similar command/response patterns (GITHUB_RES, GITHUB_REQ).
- sh.py stores configuration under a dedicated path and reports host information back to a C2 (app.influmarket.org); it can drop SwiftBelt and surveil/modify the host.
- The JokerSpy family includes a macOS-specific component (xcc) masquerading as XProtect and leveraging SystemIdleTime queries to time activity.
MITRE Techniques
- [T1059.006] Java - QRLog uses a Java payload by decoding a base64 blob and executing it to reach out to a C2. - "The decoded blob is a .java file that reaches out to a C2 at hxxps[:]//www[.]git-hub.me/view.php."
- [T1059.004] Unix Shell - The prefTmp.java payload opens a reverse shell to the attacker. - "The prefTmp.java file opens a reverse shell to the attacker."
- [T1027] Obfuscated/Compressed Files - Shared.dat employs rot13 string obfuscation for its payloads. - "The former uses a simple rot13 string obfuscation technique."
- [T1082] System Information Discovery - sh.py/backdoor collects host information (cwd, user, host, domain, OS, Python version, path). - "Current working directory; Username; Hostname; Domain name; OS version; Python version; Path to sh.py."
- [T1071.001] Web Protocols - C2 communications to the observed domains (git-hub.me, app.influmarket.org). - "reaches out to a C2 at hxxps[:]//www[.]git-hub.me/view.php" and "app.influmarket[.]org".
- [T1036] Masquerading - The JokerSpy xcc binary masquerades as a macOS XProtect component. - "Identifier=XProtectCheck-…"
Indicators of Compromise
- [Identifiers] com.apple.xprotectcheck - used by the masquerading component
- [Domains] www.git-hub.me, app.influmarket.org - C2 and command channels
- [IP Addresses] 45.76.238.53 and 45.77.123.18 (obfuscated in text as 45[.]77].]123].]18)
- [Files (SHA1)] 1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362 - xcc; 1f99081affd7bef83d44e0072eb860d515893698 - SwiftBelt; 21ffda8a6a05a007ef92088f99ab54485cfe473d - xcc; 2234c9fc3c3d340f0367c49c6599379b96544b5a - QRCodeWriter.java; 370a0bb4177eeebb2a75651a8addb0477b7d610b - xcc; 76b790eb3bed4a625250b961a5dda86ca5cd3a11 - xcc; 937a9811b3e5482eb8f96832454723d59229f945 - shared.dat; bd8626420ecfd1ab5f4576d83be35edecd8fa70e - sh.py; c304aef96a783a39aedf1af30de5d5f1c33c68ca - QRLog sample.zip; c7d6ede0f6ac9f060ae53bb1db40a4fbe96f9ceb - shared.dat
- [Paths] /Users/Shared/AppleAccount.tgz; /Users/Shared/TempUser/AppleAccountAssistant.app; $TEMP/p.dat; $TEMP/prefTmp.java; ~/Public/Safari/sar.dat; /Users/shared/sb; /Users/shared/sb.log
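The indicators above are only useful once they are matched against telemetry. The following is an added example (not code from BitDefender, Elastic, or the summary above) of an offline hunt that takes a file inventory of (path, SHA1) pairs, as an EDR or file-integrity export would provide, plus DNS/proxy/launchd log lines, and reports hits against the JokerSpy hashes, paths, domains, IPs and bundle identifier listed on this page. It refangs report-style obfuscation (hxxps[:]//, [.], and the malformed ].] pattern shown in the IP line), compares paths case-insensitively because the default APFS volume is, and matches the $TEMP/ entries on file name only since the temp directory differs per user. The inventory and log lines are constructed sample input, not real telemetry.

```python
"""Offline IOC hunt for the JokerSpy indicators listed above (added example)."""
import re
from collections import defaultdict

# ---- indicators transcribed from the summary above ----
JOKERSPY_SHA1 = {
    "1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362": "xcc",
    "1f99081affd7bef83d44e0072eb860d515893698": "SwiftBelt",
    "21ffda8a6a05a007ef92088f99ab54485cfe473d": "xcc",
    "2234c9fc3c3d340f0367c49c6599379b96544b5a": "QRCodeWriter.java",
    "370a0bb4177eeebb2a75651a8addb0477b7d610b": "xcc",
    "76b790eb3bed4a625250b961a5dda86ca5cd3a11": "xcc",
    "937a9811b3e5482eb8f96832454723d59229f945": "shared.dat",
    "bd8626420ecfd1ab5f4576d83be35edecd8fa70e": "sh.py",
    "c304aef96a783a39aedf1af30de5d5f1c33c68ca": "QRLog sample.zip",
    "c7d6ede0f6ac9f060ae53bb1db40a4fbe96f9ceb": "shared.dat",
}
JOKERSPY_DOMAINS = {"www.git-hub.me", "app.influmarket.org"}
JOKERSPY_IPS = {"45.76.238.53", "45.77.123.18"}
JOKERSPY_IDENTIFIERS = {"com.apple.xprotectcheck"}
# Fixed paths; compared case-insensitively because the default APFS volume is.
JOKERSPY_PATHS = [
    "/Users/Shared/AppleAccount.tgz",
    "/Users/Shared/TempUser/AppleAccountAssistant.app",
    "/Users/shared/sb",
    "/Users/shared/sb.log",
]
# $TEMP differs per user, so the $TEMP/ entries are matched on file name only.
TEMP_BASENAMES = {"p.dat": "$TEMP/p.dat", "preftmp.java": "$TEMP/prefTmp.java"}
# ~/Public/Safari/sar.dat for any home directory under /Users.
HOME_SAR_RE = re.compile(r"^/users/[^/]+/public/safari/sar\.dat$")

DOMAIN_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def refang(text):
    """Undo report-style defanging: hxxps[:]//www[.]x, plus the malformed
    '].]' variant that appears in the IP line of the summary above."""
    text = text.replace("].]", ".").replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def match_hash(sha1):
    """Return the family label for a known JokerSpy SHA1, else None."""
    return JOKERSPY_SHA1.get(sha1.lower())


def classify_path(path):
    """Return the IOC path an observed path corresponds to, else None."""
    p = path.rstrip("/").lower()
    for ioc in JOKERSPY_PATHS:
        if p == ioc.lower():
            return ioc
    if HOME_SAR_RE.match(p):
        return "~/Public/Safari/sar.dat"
    return TEMP_BASENAMES.get(p.rsplit("/", 1)[-1])


def scan_line(line):
    """Return the sorted network/identifier IOCs present in one log line."""
    text = refang(line).lower()
    hits = set()
    hits.update(d for d in DOMAIN_RE.findall(text) if d in JOKERSPY_DOMAINS)
    hits.update(ip for ip in IP_RE.findall(text) if ip in JOKERSPY_IPS)
    hits.update(i for i in JOKERSPY_IDENTIFIERS if i in text)
    return sorted(hits)


def hunt(inventory, log_lines):
    """inventory: iterable of (path, sha1) pairs; log_lines: text lines.
    Returns {"hash": [...], "path": [...], "network": [...]} for what matched."""
    findings = defaultdict(list)
    for path, sha1 in inventory:
        label = match_hash(sha1)
        if label:
            findings["hash"].append((path, label))
        ioc = classify_path(path)
        if ioc:
            findings["path"].append((path, ioc))
    for n, line in enumerate(log_lines, 1):
        for hit in scan_line(line):
            findings["network"].append((n, hit))
    return dict(findings)


# ---- constructed sample input (not real telemetry) ----
SAMPLE_INVENTORY = [
    ("/Applications/Safari.app/Contents/MacOS/Safari", "0" * 40),
    ("/private/tmp/sh.py", "bd8626420ecfd1ab5f4576d83be35edecd8fa70e"),
    ("/Users/shared/SB.log", "1" * 40),
    ("/Users/alice/Public/Safari/sar.dat", "2" * 40),
    ("/var/folders/zz/T/prefTmp.java", "3" * 40),
]
SAMPLE_LOG = [
    "2023-06-01T10:00:00Z dns host1 query www.example.com A",
    "2023-06-01T10:00:05Z proxy host1 GET hxxps[:]//www[.]git-hub.me/view.php",
    "2023-06-01T10:00:09Z fw host1 -> 45[.]77].]123].]18:443 allow",
    "2023-06-01T10:01:00Z launchd host1 loaded com.apple.xprotectcheck",
]

if __name__ == "__main__":
    for kind, items in hunt(SAMPLE_INVENTORY, SAMPLE_LOG).items():
        print(kind, items)
```

Hash hits are the only high-confidence signal here; a path or domain hit on its own is a lead to triage (the /Users/Shared paths in particular are writable by every local user), and a hit on the com.apple.xprotectcheck identifier should be checked against the binary's code signature, since a legitimate XProtect component is signed by Apple.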