Initial research exposing JOKERSPY

Key takeaways

  • This is an initial notification of an active intrusion with additional details to follow
  • REF9134 leverages custom and open source tools for reconnaissance and command and control
  • Targets of this activity include a cryptocurrency exchange in Japan

To identify other binaries signed with the same identifier, we converted XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4 to hexadecimal and searched VirusTotal for those bytes, which surfaced 3 additional samples (content:{5850726f74656374436865636b2d35353535343934346637343039366138333662373333313062643535643937643164666635636434}). 

Each of the three contained the same core functionality, with structural differences between them. These discrepancies may indicate that the xcc variants were developed to bypass endpoint security capabilities that interfered with execution.

Shortly after the creation of xcc, researchers observed the threat actor copying /Users/Shared/tcc.db over the existing TCC database at /Library/Application Support/com.apple.TCC/TCC.db. A pre-populated database lets the threat actor avoid the TCC consent prompts that would otherwise be visible to the user, while the staging location abuses a directory (/Users/Shared) that every local user can write to. Note that the system TCC database directory is protected by System Integrity Protection on a default macOS install, so a write to that path, whether attempted or successful, is itself a high-confidence signal worth alerting on.
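As an added example (not code from the Elastic write-up), the following Python audits a TCC database for the kind of silently pre-approved grants a staged tcc.db would carry. It assumes a simplified subset of the TCC access table (service, client, client_type and auth_value columns; real databases carry more) and builds its own throwaway database; the client paths and bundle identifiers in it are constructed for the demo.

```python
"""Audit a TCC database for silently pre-approved privacy grants.

Added example, not code from the Elastic write-up. The access table
schema used here is a simplified subset of the real one (assumption:
service, client, client_type, auth_value); sample rows are constructed.
"""
import os
import pathlib
import sqlite3
import tempfile

# Real kTCCService identifiers; a subset matching what a TCC-probing tool
# checks for (accessibility, screen recording, full disk access).
SENSITIVE_SERVICES = {
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicyAllFiles",
}
AUTH_ALLOWED = 2        # auth_value 2 == allowed in the modern TCC schema
CLIENT_TYPE_PATH = 1    # client_type 1 == absolute path, 0 == bundle id


def audit_tcc_db(path):
    """Return sorted (service, client, client_type) tuples that are allowed
    for a sensitive service. The file is opened read-only so the audit can
    be pointed at a copy of a live TCC.db without modifying it."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT service, client, client_type, auth_value FROM access"
        ).fetchall()
    finally:
        con.close()
    return sorted(
        (service, client, client_type)
        for service, client, client_type, auth_value in rows
        if service in SENSITIVE_SERVICES and auth_value == AUTH_ALLOWED
    )


def build_sample_db(path, rows):
    """Write a constructed TCC-like database (demo only)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL,"
        " client_type INTEGER NOT NULL, auth_value INTEGER NOT NULL)"
    )
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def audit_rows(rows):
    """Build a temporary database from rows and audit it."""
    with tempfile.TemporaryDirectory() as workdir:
        db = os.path.join(workdir, "tcc.db")
        build_sample_db(db, rows)
        return audit_tcc_db(db)


# Constructed rows: an unsigned path granted screen recording and
# accessibility without a user ever having been prompted, plus one normal
# bundle-id entry that was denied. The path is invented for the demo.
SAMPLE_ROWS = [
    ("kTCCServiceScreenCapture", "/private/tmp/unsigned_tool", CLIENT_TYPE_PATH, AUTH_ALLOWED),
    ("kTCCServiceAccessibility", "/private/tmp/unsigned_tool", CLIENT_TYPE_PATH, AUTH_ALLOWED),
    ("kTCCServiceCamera", "com.example.app", 0, 0),
]


def demo():
    findings = audit_rows(SAMPLE_ROWS)
    for service, client, client_type in findings:
        kind = "path" if client_type == CLIENT_TYPE_PATH else "bundle"
        print(f"ALLOWED {service:<34} {kind}:{client}")
    return findings


if __name__ == "__main__":
    demo()
```

Against a real system, run audit_tcc_db over a copy of the database and treat any allowed entry whose client is an absolute path outside /Applications, or whose entry you cannot tie to a prompt the user remembers, as a lead.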


Upon successful execution in our Detonate environment, xcc printed the results of its permission checks, such as "Accessibility: YES" or "ScreenRecording: NO" (the screenshot of this output is not reproduced here).

Once the custom TCC database was placed in the expected location, the threat actor executed the xcc binary.

Initial access

The xcc binary was executed via bash by three separate parent processes:

  • /Applications/IntelliJ IDEA.app/Contents/MacOS/idea
  • /Applications/iTerm.app/Contents/MacOS/iTerm2
  • /Applications/Visual Studio Code.app/Contents/MacOS/Electron

While we are still investigating and gathering information, we strongly believe the initial access vector for this malware was a malicious or backdoored plugin or third-party dependency that gave the threat actor a foothold. This aligns with the connection made by researchers at Bitdefender, who correlated a hardcoded domain found in one version of the sh.py backdoor with a tweet about an infected macOS QR code reader that was found to contain a malicious dependency.
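As an added example that is not code from the Elastic post or from any shipped detection rule, the following Python runs simple detection logic over constructed process events for the two behaviours described above: one of the three named developer tools spawning a shell that runs a binary named xcc, and a shell command copying a file over the system TCC database. The event field names (parent_path, path, cmdline) and the binary location /private/tmp/xcc are assumptions for the demo.

```python
"""Process-event detection for developer tools running xcc and for
overwrites of the system TCC database.

Added example, not code from the post or from a shipped rule. Event field
names are assumptions; sample events are constructed.
"""
import shlex

DEV_TOOL_PARENTS = {
    "/Applications/IntelliJ IDEA.app/Contents/MacOS/idea",
    "/Applications/iTerm.app/Contents/MacOS/iTerm2",
    "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
}
SHELL_NAMES = {"bash", "sh", "zsh"}
COPY_TOOLS = {"cp", "mv", "ditto", "install", "dd", "tee"}
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _split(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to whitespace
        return cmdline.split()


def effective_argv(cmdline):
    """Unwrap `sh -c '<command>'` so the inner command is what gets
    inspected. Quoting is preserved, so a path containing spaces (the TCC
    directory does) stays one argument."""
    argv = _split(cmdline)
    if argv and _basename(argv[0]) in SHELL_NAMES and "-c" in argv:
        i = argv.index("-c")
        if i + 1 < len(argv):
            return _split(argv[i + 1])
    return argv


def detect(event):
    """Return the alert names an event triggers (empty list when benign)."""
    alerts = []
    argv = effective_argv(event["cmdline"])
    if not argv:
        return alerts
    # A developer tool spawning a shell is routine; the observed pattern is
    # that shell running a binary whose name is xcc.
    if (event["parent_path"] in DEV_TOOL_PARENTS
            and _basename(event["path"]) in SHELL_NAMES
            and _basename(argv[0]) == "xcc"):
        alerts.append("dev_tool_shell_executes_xcc")
    # Any copy-style tool naming the system TCC database as an argument.
    if _basename(argv[0]) in COPY_TOOLS and SYSTEM_TCC_DB in argv[1:]:
        alerts.append("system_tcc_db_overwrite")
    return alerts


# Constructed events: the first two mirror the behaviours in the write-up
# (/private/tmp/xcc is a stand-in, not an observed path); the last two are
# ordinary developer activity that must not fire.
SAMPLE_EVENTS = [
    {"parent_path": "/Applications/iTerm.app/Contents/MacOS/iTerm2",
     "path": "/bin/bash", "cmdline": "/bin/bash -c /private/tmp/xcc"},
    {"parent_path": "/Applications/iTerm.app/Contents/MacOS/iTerm2",
     "path": "/bin/bash",
     "cmdline": "/bin/bash -c \"cp /Users/Shared/tcc.db '/Library/Application Support/com.apple.TCC/TCC.db'\""},
    {"parent_path": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
     "path": "/bin/bash", "cmdline": "/bin/bash -c 'npm run build'"},
    {"parent_path": "/Applications/iTerm.app/Contents/MacOS/iTerm2",
     "path": "/bin/bash", "cmdline": "/bin/bash -c 'cp notes.txt /Users/Shared/notes.bak'"},
]


def run_demo(events=SAMPLE_EVENTS):
    results = [detect(e) for e in events]
    for e, alerts in zip(events, results):
        print(f"{alerts or ['-']}  <- {e['cmdline']}")
    return results


if __name__ == "__main__":
    run_demo()
```

The TCC overwrite check deliberately matches on the destination argument rather than on a substring of the command line, so a log line that merely mentions the path (for example a grep) does not fire; the trade-off is that writes made through a symlink or a relative path are missed, which is why the file-level audit remains necessary.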


As part of its periodic beaconing, the malware gathers and transmits various system information. The information sent includes:

  • Hostname
  • Username
  • Domain name
  • Current directory
  • The absolute path of the executable binary
  • OS version
  • Whether the OS is 64-bit
  • Whether the process is 64-bit
  • Python version

Below is a table outlining the various commands that can be handled by the backdoor:

Command   Description
sk        Stop the backdoor's execution
l         List the files of the path provided as a parameter
c         Execute a shell command and return its output
cd        Change directory and return the new path
xs        Execute Python code given as a parameter in the current context
xsi       Decode Base64-encoded Python code given as a parameter, compile it, then execute it
r         Remove a file or directory from the system
e         Execute a file on the system, with or without parameters
u         Upload a file to the infected system
d         Download a file from the infected system
g         Get the current malware configuration stored in the configuration file
w         Overwrite the malware's configuration file with new values
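The xs and xsi commands above execute attacker-supplied Python, xsi after a Base64 decode and compile step. As an added example that is not code from the post or from the sh.py backdoor itself, the following scanner walks the AST of Python source and reports exec() and eval() calls whose argument is fed, directly or through one assignment, by a base64 decoder. The sample sources it scans are constructed for the demo.

```python
"""Static scan for the decode-then-exec pattern behind the xsi command.

Added example, not code from the post or the sh.py backdoor. Sample
sources are constructed; the heuristic is one-hop dataflow, not a full
taint analysis.
"""
import ast

# Real base64-module decoder names (subset).
DECODERS = {"b64decode", "urlsafe_b64decode", "standard_b64decode",
            "a85decode", "b85decode", "decodebytes"}
EXECUTORS = {"exec", "eval"}


def _call_name(node):
    """Callee name for base64.b64decode(...) or bare b64decode(...)."""
    if not isinstance(node, ast.Call):
        return None
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def _is_tainted(expr, tainted):
    """True if the expression contains a decoder call or a tainted name,
    e.g. compile(base64.b64decode(x), '<s>', 'exec') or a variable that
    was assigned from such an expression."""
    for n in ast.walk(expr):
        if _call_name(n) in DECODERS:
            return True
        if isinstance(n, ast.Name) and n.id in tainted:
            return True
    return False


def find_decode_exec(source, filename="<sample>"):
    """Return sorted [(lineno, 'exec'|'eval'), ...] for suspicious calls."""
    tree = ast.parse(source, filename)
    # Pass 1: names assigned from a decoder result (possibly wrapped in
    # compile()) become tainted, in source order.
    tainted = set()
    assigns = sorted((n for n in ast.walk(tree) if isinstance(n, ast.Assign)),
                     key=lambda n: n.lineno)
    for node in assigns:
        if _is_tainted(node.value, tainted):
            tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
    # Pass 2: flag exec()/eval() whose first argument is tainted.
    hits = []
    for node in ast.walk(tree):
        name = _call_name(node)
        if name in EXECUTORS and node.args and _is_tainted(node.args[0], tainted):
            hits.append((node.lineno, name))
    return sorted(hits)


# Constructed sources. The first mirrors the xsi/xs description; the
# second inlines the whole chain; the third decodes but never executes.
SUSPICIOUS_SAMPLE = (
    "import base64\n"
    "def xsi(payload):\n"
    "    code = compile(base64.b64decode(payload), '<xsi>', 'exec')\n"
    "    exec(code)\n"
    "def xs(payload):\n"
    "    exec(payload)\n"
)
INLINE_SAMPLE = (
    "from base64 import b64decode\n"
    "result = eval(compile(b64decode(blob), '<x>', 'eval'))\n"
)
BENIGN_SAMPLE = (
    "import base64, json\n"
    "def load(blob):\n"
    "    data = base64.b64decode(blob)\n"
    "    return json.loads(data)\n"
)


def demo():
    results = {
        "suspicious": find_decode_exec(SUSPICIOUS_SAMPLE),
        "inline": find_decode_exec(INLINE_SAMPLE),
        "benign": find_decode_exec(BENIGN_SAMPLE),
    }
    for name, hits in results.items():
        print(f"{name:<10} {hits}")
    return results


if __name__ == "__main__":
    demo()
```

The plain exec(payload) in the xs function is intentionally not flagged: on its own it is indistinguishable from legitimate plugin loaders, and the decode step is what makes the xsi pattern distinctive. Indirect calls such as getattr(builtins, "exec") are outside what this heuristic sees.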
Observed tactics and techniques

rule Macos_Hacktool_JokerSpy {
meta:
    author = "Elastic Security"
    creation_date = "2023-06-19"
    last_modified = "2023-06-19"
    os = "MacOS"
    arch = "x86"
    category_type = "Hacktool"
    family = "JokerSpy"
    threat_name = "Macos.Hacktool.JokerSpy"
    reference_sample = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8"
    license = "Elastic License v2"
strings:
    $str1 = "ScreenRecording: NO" fullword
    $str2 = "Accessibility: NO" fullword
    $str3 = "Accessibility: YES" fullword
    $str4 = "eck13XProtectCheck"
    $str5 = "Accessibility: NO" fullword
    $str6 = "kMDItemDisplayName = *TCC.db" fullword
condition:
    5 of them

}

rule MacOS_Hacktool_Swiftbelt {
meta:
    author = "Elastic Security"
    creation_date = "2021-10-12"
    last_modified = "2021-10-25"
    threat_name = "MacOS.Hacktool.Swiftbelt"
    reference_sample = "452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1"
    os = "macos"
    arch_context = "x86"
    license = "Elastic License v2"

strings:
    $dbg1 = "SwiftBelt/Sources/SwiftBelt"
    $dbg2 = "[-] Firefox places.sqlite database not found for user"
    $dbg3 = "[-] No security products found"
    $dbg4 = "SSH/AWS/gcloud Credentials Search:"
    $dbg5 = "[-] Could not open the Slack Cookies database"
    $sec1 = "[+] Malwarebytes A/V found on this host"
    $sec2 = "[+] Cisco AMP for endpoints found"
    $sec3 = "[+] SentinelOne agent running"
    $sec4 = "[+] Crowdstrike Falcon agent found"
    $sec5 = "[+] FireEye HX agent installed"
    $sec6 = "[+] Little snitch firewall found"
    $sec7 = "[+] ESET A/V installed"
    $sec8 = "[+] Carbon Black OSX Sensor installed"
    $sec9 = "/Library/Little Snitch"
    $sec10 = "/Library/FireEye/xagt"
    $sec11 = "/Library/CS/falcond"
    $sec12 = "/Library/Logs/PaloAltoNetworks/GlobalProtect"
    $sec13 = "/Library/Application Support/Malwarebytes"
    $sec14 = "/usr/local/bin/osqueryi"
    $sec15 = "/Library/Sophos Anti-Virus"
    $sec16 = "/Library/Objective-See/Lulu"
    $sec17 = "com.eset.remoteadministrator.agent"
    $sec18 = "/Applications/CarbonBlack/CbOsxSensorService"
    $sec19 = "/Applications/BlockBlock Helper.app"
    $sec20 = "/Applications/KextViewr.app"
condition:
    6 of them

}

References

The following were referenced throughout the above research:

Article Link: Emerging Threat! Exposing JOKERSPY | Elastic