Keypoints
- Three components were found: shared.dat (Python backdoor), sh.py (more feature-rich Python backdoor), and xcc (Swift Mach-O binary checking macOS permissions).
- shared.dat generates a UID, creates a temp file named .dat, and communicates with C2 using custom packets prefixed by GITHUB_REQ or GITHUB_RES plus the UID.
- shared.dat supports four cmdType commands (501: system info collection; 502: command execution via subprocess; 503: platform-specific payload deployment and execution; 504: self-terminate).
- sh.py stores base64-encoded settings in ~/Public/Safari/sar.dat (including two Server URLs), generates a 9-digit UID, and supports many remote commands for file listing, execution, upload/download, and settings management.
- On macOS, xcc (FAT/Mach-O) checks TCC permissions—Full Disk Access, Screen Recording (CGPreflightScreenCaptureAccess), Accessibility (AXIsProcessTrusted)—and obtains the frontmost application, implying it prepares for a spyware component that was not present.
- Linux DownExec behavior involves writing received C code to tmp.c, compiling to /tmp/.ICE-unix/git (using cc or gcc depending on distro), and executing it with C2-supplied parameters.
- IOCs include multiple SHA-1s for the files and a hardcoded C2 URL (https://www.git-hub.me/view.php); Bitdefender detections label the Python components Trojan.Python.JokerSpy and Mach-O binaries as Trojan.MAC.JokerSpy.
MITRE Techniques
- [T1059.006] Python – Use of Python scripts to implement backdoor functionality and remote command execution via subprocess ‘The cmdExec function … run a specific command provided as an argument using the subprocess.Popen function.’
- [T1027] Obfuscated Files or Information – Strings and paths obfuscated with rot13 to hide values ‘uses rot13 substitution to hide the values of specific file paths and strings.’
- [T1071.001] Application Layer Protocol: Web Protocols – Custom packet format over web-like requests prefixed by GITHUB_RES/GITHUB_REQ for C2 communication ‘These packets start with either GITHUB_RES or GITHUB_REQ + the UID generated…’
- [T1105] Ingress Tool Transfer – DownExec writes received payloads to disk and unpacks/executes them on victims (e.g., AppleAccount.tgz on macOS or compilation of tmp.c on Linux) ‘the function writes a file to /Users/Shared/AppleAccount.tgz … It unpacks the archive … then opens …AppleAccountAssistant.app.’
- [T1041] Exfiltration Over C2 Channel – Backdoors send collected system information and file contents to the server, often base64-encoded ‘When the backdoor receives a cmdType 501 command, it extracts details … These details are also written to a file …’
- [T1082] System Information Discovery – Collection of hostname, username, OS version and other environment details ‘extracts details such as Current Time, Username, Hostname, OS Version…’
- [T1083] File and Directory Discovery – Listing files and metadata via remote “l” command and reading files for exfiltration ‘“l” -> files listing (path, size, access times, permissions)’
- [T1132] Data Encoding – Use of base64 to encode commands, payloads and file transfers between C2 and malware ‘The request contains the command encoded as base64 and the results are encoded using the same method.’
Indicators of Compromise
- [File hash] Python and Mach-O samples – bd8626420ecfd1ab5f4576d83be35edecd8fa70e (sh.py), 937a9811b3e5482eb8f96832454723d59229f945 (shared.dat), and 4 more hashes.
- [File name] Malicious components observed – shared.dat, sh.py, xcc (Mach-O / FAT binary).
- [URL] Hardcoded C2 – https://www.git-hub.me/view.php (C2 referenced by shared.dat).
- [Detection name] AV labels used in article – Trojan.Python.JokerSpy (Python components), Trojan.MAC.JokerSpy (Mach-O binaries).
The shared.dat backdoor is a generic cross-platform Python implant that generates a unique UID, creates a temporary file named .dat, and enters a persistent loop to contact a C2 using custom packet prefixes (GITHUB_REQ/GITHUB_RES plus the UID). It supports four numeric cmdType operations: 501 collects system information (time, username, hostname, OS version and outputs of ifconfig/ps or ipconfig/tasklist) and writes results to a file (e.g., b.dat); 502 (CmdExec) runs base64-encoded commands using subprocess.Popen and returns base64-encoded output; 503 (DownExec) behaves per-OS — on macOS it writes a base64-encoded archive to /Users/Shared/AppleAccount.tgz, unpacks it to /Users/Shared and launches /Users/Shared/TempUser/AppleAccountAssistant.app, while on Linux it writes received C source to tmp.c, compiles to /tmp/.ICE-unix/git using cc or gcc depending on distro, and executes it with parameters from C2; 504 simply terminates the script. Data and commands are consistently base64-encoded for transport.
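The custom framing described above (the GITHUB_REQ/GITHUB_RES prefix plus UID, with base64-encoded commands and results, as the T1071.001 and T1132 entries also note) is easy to match on a web proxy or egress log. The following detector is an added example, not code from the article or from the malware: it scans constructed log lines, flags contact with the hardcoded C2 host, and flags any body carrying the framing regardless of destination, so a changed C2 domain is still caught. The log line format, and the assumption that the base64 command sits directly after a numeric UID, are constructed for the illustration.

```python
"""Detection for the shared.dat C2 framing: request bodies that start with
GITHUB_REQ or GITHUB_RES followed by the implant UID, plus contact with the
hardcoded C2 host.  Added example, not code from the article.  The log line
format and the placement of a base64 command after the UID are assumptions."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

C2_HOST = "www.git-hub.me"  # host of the hardcoded C2 URL in the IOC list

# Assumption: the UID is a run of digits placed directly after the prefix
# (the article gives a 9-digit UID for sh.py; shared.dat's length is not stated).
_FRAME_RE = re.compile(r"^(GITHUB_REQ|GITHUB_RES)(\d{4,})")

# Constructed proxy log lines: "<time> <src-ip> <host> <method> <path> body=<body>".
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 www.git-hub.me POST /view.php body=GITHUB_REQ123456789NTAx",
    "2024-01-01T10:00:01Z 10.0.0.5 www.git-hub.me POST /view.php body=GITHUB_RES123456789aGVsbG8gd29ybGQ=",
    "2024-01-01T10:00:02Z 10.0.0.7 api.github.com GET /repos body=",
    "2024-01-01T10:00:03Z 10.0.0.9 updates.example.com POST /api body=GITHUB_REQ987654321SGVsbG8=",
]


@dataclass
class Finding:
    line_no: int
    reason: str
    uid: Optional[str] = None
    decoded: Optional[str] = None  # base64-decoded remainder, when it decodes cleanly


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split(" ", 5)
    if len(parts) != 6 or not parts[5].startswith("body="):
        return None
    return {"src": parts[1], "host": parts[2], "path": parts[4],
            "body": parts[5][len("body="):]}


def decode_payload(rest: str) -> Optional[str]:
    """Decode the part after the UID if it is strict base64, else None."""
    if not rest:
        return None
    try:
        return base64.b64decode(rest, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per matched rule per line (a line can hit both rules)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] == C2_HOST:
            findings.append(Finding(n, "request to known C2 host"))
        m = _FRAME_RE.match(rec["body"])
        if m:
            prefix, uid = m.group(1), m.group(2)
            findings.append(Finding(n, f"{prefix} framing", uid,
                                    decode_payload(rec["body"][m.end():])))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The fourth sample line shows why the framing rule matters on its own: the destination is not the known C2, but the body still carries the implant's prefix and UID. In the first line the decoded remainder is "501", the system-information cmdType, which is useful context for an analyst reviewing a hit.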
The sh.py component stores its configuration base64-encoded in ~/Public/Safari/sar.dat (including UID, SleepCycleMin and up to two ServerUrl entries), can take a server URL at runtime, and maintains a main loop that polls C2 and dispatches process_command actions. Supported remote commands include file listing (“l”), arbitrary command execution (“c”), directory change (“cd”), execution via exec (“xs” and base64-encoded “xsi”), file removal and upload/download operations (“r”, “u”, “d”), remote settings retrieval (“g”), and settings update (“w”). It also implements get_basic_information to enumerate host details and attempts connection to the primary server URL, falling back to a secondary URL if needed.
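The on-disk artifacts named in this and the previous paragraph (the sar.dat settings file, the macOS archive and app paths used by DownExec, the Linux compile target, and the two SHA-1 values quoted in the IOC list) make a compact host triage check. The script below is an added example, not code from the article: it sweeps for the known paths under a given root and home directory, hashes any file it finds, and base64-decodes a sar.dat it encounters. Because the article does not describe the decoded layout of sar.dat, the decoder only pulls out URLs and 9-digit runs with regexes instead of assuming field names; the demo tree, its settings text and its URLs are constructed for the test.

```python
"""Host triage for the artifacts named in the write-up: the paths the backdoors
write, the two quoted SHA-1 values, and the base64-encoded sh.py settings file.
Added example, not code from the article.  The sar.dat decoder makes no
assumption about field layout; it extracts URLs and 9-digit runs only."""
import base64
import binascii
import hashlib
import os
import re
import shutil
import tempfile
from typing import Dict, List, Tuple

HOME_RELATIVE_PATHS = ["Public/Safari/sar.dat"]          # sh.py settings
ABSOLUTE_PATHS = [                                       # shared.dat DownExec
    "/Users/Shared/AppleAccount.tgz",
    "/Users/Shared/TempUser/AppleAccountAssistant.app",
    "/tmp/.ICE-unix/git",
]
KNOWN_SHA1 = {                                           # from the IOC list
    "bd8626420ecfd1ab5f4576d83be35edecd8fa70e": "sh.py",
    "937a9811b3e5482eb8f96832454723d59229f945": "shared.dat",
}
_URL_RE = re.compile(r"https?://[^\s\"'<>;]+")


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decode_settings(raw: bytes) -> Dict[str, List[str]]:
    """Best-effort view of a sar.dat blob: base64 -> text -> URLs and 9-digit UIDs."""
    try:
        text = base64.b64decode(raw.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return {"urls": [], "uids": [], "error": ["not valid base64"]}
    return {"urls": _URL_RE.findall(text), "uids": re.findall(r"\b\d{9}\b", text)}


def sweep(root: str, home: str,
          known_sha1: Dict[str, str] = KNOWN_SHA1) -> List[Tuple[str, str]]:
    """Return (path, reason) hits.  root/home are parameters so the sweep can run
    over a mounted image or a constructed test tree instead of the live host."""
    hits: List[Tuple[str, str]] = []
    candidates = [os.path.join(root, p.lstrip("/")) for p in ABSOLUTE_PATHS]
    candidates += [os.path.join(home, p) for p in HOME_RELATIVE_PATHS]
    for path in candidates:
        if os.path.isdir(path):
            hits.append((path, "known path present (directory)"))
        elif os.path.isfile(path):
            hits.append((path, "known path present"))
            digest = sha1_of(path)
            if digest in known_sha1:
                hits.append((path, f"SHA-1 matches {known_sha1[digest]}"))
            if path.endswith("sar.dat"):
                with open(path, "rb") as fh:
                    settings = decode_settings(fh.read())
                for url in settings["urls"]:
                    hits.append((path, f"embedded server URL {url}"))
    return hits


# Constructed demo tree; the settings text and URLs below are invented for the test.
EMPTY_FILE_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"   # SHA-1 of zero bytes
DEMO_SETTINGS = (b"UID=123456789;SleepCycleMin=5;"
                 b"ServerUrl=https://c2-a.example.invalid/p;"
                 b"ServerUrl=https://c2-b.example.invalid/p")


def run_demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp dir, sweep it, and clean up."""
    base = tempfile.mkdtemp()
    try:
        root, home = os.path.join(base, "root"), os.path.join(base, "home")
        os.makedirs(os.path.join(root, "Users/Shared"))
        os.makedirs(os.path.join(home, "Public/Safari"))
        open(os.path.join(root, "Users/Shared/AppleAccount.tgz"), "wb").close()
        with open(os.path.join(home, "Public/Safari/sar.dat"), "wb") as fh:
            fh.write(base64.b64encode(DEMO_SETTINGS) + b"\n")
        # The empty placeholder hash stands in for a real sample hash in the demo.
        return sweep(root, home, {**KNOWN_SHA1, EMPTY_FILE_SHA1: "empty placeholder"})
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in sweep("/", os.path.expanduser("~")):
        print(f"{reason}: {path}")
```

Run it as-is against the live host, or point `sweep()` at a mounted image root and a specific user's home. A URL pulled out of sar.dat is the most actionable output: it gives the responder the primary and fallback servers to block and to hunt for in proxy logs.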
The xcc binary is a Swift-built Mach-O (FAT in one sample) targeting macOS 12+, containing x86 and/or ARM slices and an ad-hoc signature; its role is to verify macOS TCC permissions before a spyware module, absent from the recovered samples, would be used. xcc checks Full Disk Access, verifies Accessibility via AXIsProcessTrusted, requests screen capture permission with CGPreflightScreenCaptureAccess(), and identifies the frontmost application via the frontmostApplication property, indicating it prepares to capture or monitor the active user context. Overall, the three components form complementary capabilities—C2 comms, command execution, payload deployment/compilation, settings management, and macOS permission checks—consistent with fragments of a larger, incomplete attack framework.
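Since xcc exists to learn which of the three TCC grants its host already holds, the defensive counterpart is to audit who holds them. The script below is an added example, not code from the article: it queries the TCC database for clients allowed Full Disk Access, Screen Recording and Accessibility and flags any client not on an expected baseline. The three service identifiers and the `auth_value` meanings are real TCC.db values; the reduced four-column `access` table used for the in-memory sample is an assumption (the real table has more columns, but these four exist), and the sample rows, bundle ids and baseline are constructed.

```python
"""Audit of the three TCC grants xcc probes for: which clients hold Full Disk
Access, Screen Recording and Accessibility, and which are off-baseline.
Added example, not code from the article.  The reduced `access` schema used
for the in-memory sample is an assumption; the real TCC.db has more columns."""
import sqlite3
from typing import Dict, List, Set

WATCHED_SERVICES = {                      # service strings as stored in TCC.db
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
}
AUTH_ALLOWED = 2                          # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited
CLIENT_TYPE_BUNDLE, CLIENT_TYPE_PATH = 0, 1   # client_type: bundle id vs. executable path
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def audit(conn: sqlite3.Connection, expected_clients: Set[str]) -> List[Dict[str, object]]:
    """Allowed grants on the watched services; `flagged` marks clients not on the
    baseline, and `by_path` shows entries registered by path rather than bundle
    id, which is how standalone executables appear."""
    placeholders = ",".join("?" * len(WATCHED_SERVICES))
    rows = conn.execute(
        f"SELECT service, client, client_type FROM access "
        f"WHERE service IN ({placeholders}) AND auth_value = ? "
        f"ORDER BY service, client",
        (*WATCHED_SERVICES, AUTH_ALLOWED),
    ).fetchall()
    return [
        {
            "permission": WATCHED_SERVICES[service],
            "client": client,
            "by_path": client_type == CLIENT_TYPE_PATH,
            "flagged": client not in expected_clients,
        }
        for service, client, client_type in rows
    ]


def audit_live(expected_clients: Set[str], db_path: str = SYSTEM_TCC_DB):
    """Read-only open of the system TCC.db (the reading process itself needs
    Full Disk Access for this to succeed)."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return audit(conn, expected_clients)
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db: reduced schema, invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2),
        ("kTCCServiceScreenCapture", "com.example.screenshare", 0, 2),
        # path-type entry using the app path quoted in the write-up; allowed
        ("kTCCServiceAccessibility", "/Users/Shared/TempUser/AppleAccountAssistant.app", 1, 2),
        # same client, denied: must not be reported
        ("kTCCServiceScreenCapture", "/Users/Shared/TempUser/AppleAccountAssistant.app", 1, 0),
        # unrelated service: must not be reported
        ("kTCCServiceCamera", "com.example.meeting", 0, 2),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    baseline = {"com.apple.Terminal", "com.example.screenshare"}   # constructed
    for row in audit(build_sample_db(), baseline):
        marker = "FLAG" if row["flagged"] else "ok  "
        print(f'{marker} {row["permission"]:<16} {row["client"]}')
```

For a real host, call `audit_live()` with the organisation's approved client list; Screen Recording and Accessibility grants live in the system database at `SYSTEM_TCC_DB`, and a terminal needs Full Disk Access of its own to read it. A path-type entry that is not on the baseline is the case worth looking at first, since it is what an ad-hoc-signed standalone binary like xcc would produce if it were ever granted access.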