We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

New Malicious Toolkit "JokerSpy" Targeting macOS Systems

New Malicious Toolkit
Zane Kennedy Published on 23rd June 2023 Cybersecurity Researcher

In a recent discovery, cybersecurity researchers have uncovered a sophisticated toolkit known as "JokerSpy," which poses a significant threat to Apple macOS systems. Bitdefender, the cybersecurity firm that made the discovery, stated: "During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit.”

This toolkit comprises three malicious components that exhibit advanced capabilities, including system infiltration, gathering system metadata, deleting files, executing commands and files, and data exfiltration.

The first two components of JokerSpy are generic Python-based backdoors designed to target Windows, Linux, and macOS operating systems. The initial backdoor, named "shared.dat," performs an operating system check upon execution, identifying the victim's platform. It establishes communication with a remote server to receive additional instructions, allowing it to execute various commands, gather system information, and download and execute files on the compromised machine.

Notably, on macOS devices, the backdoor writes Base64-encoded content to a file named "/Users/Shared/AppleAccount.tgz," subsequently unpacking and launching it as the "/Users/Shared/TempUser/AppleAccountAssistant.app" application.

The second backdoor, labeled "sh.py," is a more powerful and versatile component within the JokerSpy toolkit. It boasts cross-platform capabilities and is equipped with a comprehensive range of features, including system metadata gathering, file enumeration, file deletion, command and file execution, and encoded data exfiltration. This advanced backdoor stores its configuration options in the "~/Public/Safari/sar.dat" file, which it encodes using Base64.

Adding complexity to the attack, the researchers identified a third component called "xcc," a FAT binary written in Swift. Specifically targeting macOS Monterey (version 12) and newer versions, xcc checks for permissions related to potential spyware activities, such as capturing the screen.

It does not, however, contain the spyware component itself. Its purpose is to verify permissions managed by Apple's TCC (Transparency, Consent, and Control) framework, including Full Disk Access, Screen Recording, and Accessibility.

The identity of the threat actors behind JokerSpy remains unknown, as does the initial access method. Whether the toolkit involves social engineering techniques or spear-phishing campaigns to infiltrate target systems is still being determined.

The emergence of JokerSpy follows closely on the heels of the disclosure made by Kaspersky (a Russian cybersecurity company) regarding a sophisticated mobile campaign called Operation Triangulation, which has targeted iOS devices since 2019. This targeted attack sequence highlights escalating efforts to compromise Apple's ecosystem.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.