Fragments of Unusual Backdoor Suggest a Potential Large-Scale Mac OS Attack

  • Researchers at Bitdefender have uncovered a set of backdoor files that hint at a potential large-scale Mac OS attack.
  • The xcc files are of particular interest, carrying an ad-hoc signature and targeting MacOS version 12 and newer.

During routine detection maintenance, cybersecurity researchers at Bitdefender have stumbled upon a unique set of backdoor files with potential ties to a larger, more complex malware toolkit. As of now, these samples remain largely undetected, and there’s very little information available about them. The earliest mention of these files was identified in an anonymous April 18 upload on VirusTotal.

Among the files discovered, one is named shared.dat and operates as a Python backdoor. It uses rot13 substitution to conceal certain file paths and strings, and it generates a unique device identifier for later use in communications with a remote command-and-control server. It supports commands to extract basic system information, execute specific commands, run scripts, and self-terminate.
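The rot13 layer described above is a weak substitution that hides strings from grep and from signature matching, but it is trivially reversible, which is what makes it useful for triage: an analyst can decode every string literal in a suspicious Python file and keep only the ones that turn into paths, URLs or hostnames. The following scanner is an added example written for this article, not code from the Bitdefender samples or the report; the short Python snippet it scans is constructed in the style described here, and every path and URL in it is invented (the `.invalid` top-level domain is reserved and never resolves).

```python
import ast
import codecs
import re

# Constructed sample: a small Python snippet in the style described above,
# with two string literals hidden behind rot13. The path and URL are invented
# for this example and are not taken from the real samples.
SAMPLE_SOURCE = '''
import codecs

def r(s):
    return codecs.decode(s, "rot13")

CFG_PATH = r("/Hfref/Funerq/Yvoenel/Nccyvpngvba Fhccbeg/pbasvt.cyvfg")
C2_URL = r("uggcf://rknzcyr.vainyvq/ncv/purpxva")
GREETING = "hello"
'''

# A decoded literal is worth reporting if it becomes something an analyst
# recognises: an absolute path, a URL, or a dotted hostname.
INTERESTING = re.compile(
    r"^(/[\w ./-]+|https?://\S+|[a-z0-9-]+(\.[a-z0-9-]+)+)$", re.IGNORECASE
)


def find_rot13_strings(source: str):
    """Return (encoded, decoded) pairs, in source order, for every string
    literal in `source` whose rot13 decoding looks like a path, URL or host."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        if len(node.value) < 4:          # skip one-letter flags and similar noise
            continue
        decoded = codecs.decode(node.value, "rot13")
        if INTERESTING.match(decoded):
            # ast.walk is breadth-first, so remember the position and sort later
            hits.append((node.lineno, node.col_offset, node.value, decoded))
    hits.sort()
    return [(encoded, decoded) for _, _, encoded, decoded in hits]


if __name__ == "__main__":
    for encoded, decoded in find_rot13_strings(SAMPLE_SOURCE):
        print(f"{encoded!r} -> {decoded!r}")
```

Run it against a file with `find_rot13_strings(open(path).read())`. Because it walks the AST rather than regex-matching the raw text, it sees string literals wherever they sit (arguments, default values, nested calls) and ignores identifiers and comments, so a decoded hit is a string the program actually carries, which is the kind of indicator worth pivoting on.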

Another file, sh.py, appears to be a more potent backdoor counterpart, also written in Python. It can handle specific commands such as file listing, command execution, directory changes, and data writing and reading. The backdoor also extracts specific details about the system, such as hostname, username, and OS version.

The third component, xcc, is a FAT binary containing Mach-O files for two architectures, x86 Intel and ARM M1, written in Swift and targeting MacOS version 12 and newer. Its primary function is to check permissions before using a potential spyware component. The absence of the spyware component within the discovered files suggests these are part of a more complex attack with several files potentially missing from the system under investigation.

The xcc files carry an ad-hoc signature, meaning they are not associated with a recognized Apple Developer. The file's identifier contains the keyword XProtectCheck, and a path found inside the file content, /Users/joker/Downloads/Spy/XProtectCheck/, hints at the project’s purpose and the role of this component.
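On a Mac, the signing state, the code identifier and the architectures in a FAT binary like xcc are all visible in the output of `codesign -dv --verbose=2 <file>` (codesign writes it to stderr, so capture it with `2>&1`). The parser below is an added example written for this article, not Bitdefender's tooling; it classifies that output as ad-hoc, Developer ID, other-certificate or unsigned. The two blocks of sample output are constructed in codesign's key=value layout, and the executable paths, identifiers and team ID in them are invented (the identifier only borrows the XProtectCheck keyword the article mentions).

```python
from typing import Dict, List

# Constructed sample in the key=value layout that `codesign -dv --verbose=2`
# prints on macOS for an ad-hoc signed universal binary. Path and identifier
# are invented for this example.
ADHOC_OUTPUT = """\
Executable=/tmp/triage/xcc
Identifier=sample-XProtectCheck
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=400 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
"""

# Constructed sample for a Developer ID signed app; names and team ID invented.
DEVID_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1200 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8900
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=40
Internal requirements count=1 size=180
"""


def parse_codesign(output: str) -> Dict[str, List[str]]:
    """Parse codesign's key=value lines. Repeated keys (Authority) keep every
    value; keys with a trailing word ("CodeDirectory v=", "Signature size=")
    are reduced to their first word so lookups are uniform."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        fields.setdefault(key.split()[0], []).append(value.strip())
    return fields


def classify_signature(output: str) -> str:
    """Return 'adhoc', 'developer-id', 'other-certificate' or 'unsigned'."""
    f = parse_codesign(output)
    if "adhoc" in f.get("Signature", []) or any(
        "(adhoc)" in v for v in f.get("CodeDirectory", [])
    ):
        return "adhoc"
    authorities = f.get("Authority", [])
    has_team = f.get("TeamIdentifier", ["not set"]) != ["not set"]
    if has_team and any(a.startswith("Developer ID Application") for a in authorities):
        return "developer-id"
    if authorities:
        return "other-certificate"
    return "unsigned"


def triage(output: str) -> dict:
    """Summarise the fields an analyst looks at first."""
    f = parse_codesign(output)
    fmt = f.get("Format", [""])[0]
    return {
        "identifier": f.get("Identifier", ["?"])[0],
        "format": fmt,
        "universal": "universal" in fmt,
        "signature": classify_signature(output),
    }


if __name__ == "__main__":
    for sample in (ADHOC_OUTPUT, DEVID_OUTPUT):
        print(triage(sample))
```

Feed it real output with `triage(subprocess.run(["codesign", "-dv", "--verbose=2", path], capture_output=True, text=True).stderr)`. An ad-hoc result is a triage signal rather than a verdict: Xcode ad-hoc signs local debug builds on Apple silicon, and `codesign -s -` produces the same thing, so the finding matters in combination with where the binary came from and what it does, as it does for xcc here.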

The command-and-control server used by the backdoor is hard-coded in the shared.dat Python file. The first reference to this domain dates back to February 10, 2023, around the same time it was mentioned in a series of tweets about an infected MacOS QR code reader, QRLog.

Bitdefender’s detection systems flag the Python components as Trojan.Python.JokerSpy, and the Mach-O binaries are detected as Trojan.MAC.JokerSpy1. The cybersecurity firm is continuing its investigations to identify the remaining puzzle pieces in this potential attack. The company urges users to update their security software and maintain vigilance when downloading files from unverified sources.