![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/06\/JokerSpy-malware-logo-600x300-1.jpg\"){kind=logo}
<\/p>\n<\/p>\n
In June, two research teams independently discovered a new Mac malware family, dubbed JokerSpy. One of the malware’s early stages includes a cross-platform component, hinting that variants of JokerSpy may also exist for Windows and Linux as well.<\/p>\n
Let’s explore what you need to know about this new Mac threat and how to stay protected.<\/p>\n
In this article:<\/em><\/p>\n Currently the initial infection vector (i.e. how the malware gets onto a Mac) is unknown.<\/p>\n Once deployed, the earliest known stage of the malware is a Python backdoor (filename Once a system is compromised and infected with malware like JokerSpy, the attacker effectively has a great degree of control over the system. With a backdoor, attackers can install additional components in the background, and could potentially run further exploits, monitor users’ behavior, steal login credentials or cryptocurrency wallets, and more.<\/a><\/p>\n Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX\/JokerSpy<\/strong>,\u00a0Python\/JokerSpy<\/strong>, or names similar to adware\/OSX\/Agent.jlejb<\/strong>.<\/p>\n If you believe your Mac may be infected\u2014or to prevent future infections\u2014use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.<\/p>\n Additionally, if you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from this and other PC malware.<\/p>\n VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.<\/a><\/span><\/p>\n JokerSpy is not known to be related to SysJoker<\/a>, which we wrote about in January 2022, but there are some coincidental similarities. Both are multi-platform backdoor malware families with components that can infect macOS, Windows, and Linux PCs. And interestingly, both are known to have used GitHub lookalike domains.<\/p>\n In the case of JokerSpy, the “joker” part of the name comes from the apparent username of its developer’s macOS login; “Spy” is also found in the same path string in one of JokerSpy’s macOS executable files: One research group noted<\/a> that a particular sample of JokerSpy malware “has a code signature resembling” a payload from the SmoothOperator Trojanized 3CX software<\/a> that Intego wrote about in April 2023.<\/a><\/p>\n The following SHA-256 hashes may relate to JokerSpy malware campaigns:<\/p>\n The following command-and-control (C&C) domains have reportedly been used in conjunction with this malware:<\/p>\n Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact one of these domains, which could indicate a possible infection.<\/p>\n The first domain above was previously observed<\/a> in connection with “QRLog” Java RAT malware, according to researcher Mauro Eldritch in a February 2023 write-up. (The original analysis is no longer online; see the Bing cached version<\/a> and an Internet Archive backup<\/a> thereof.)<\/a><\/p>\n Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:<\/p>\n Adware.ADWARE\/OSX.Agent.gedwx, Adware.ADWARE\/OSX.Agent.jlejb, Adware\/Joker!OSX, Backdoor.Python.JokerSpy.a, Backdoor.Python.JokerSpy.b, HEUR:Trojan.OSX.JokerSpy.a, Joke:MacOS\/Multiverze, MacOS:Joker-B [Trj], OSX.Trojan.Gen, OSX\/JokerSpy-A, OSX\/Spy.Joker.A, Python:Joker-A [Trj], Python:Joker-B [Trj], Python\/Spy.Joker.A, Riskware.OSX.Agent.1!c, Trojan Horse, Trojan:Python\/PyJoker.AC, Trojan.MAC.JokerSpy.A (B), Trojan.MAC.JokerSpy.A [many], Trojan.MAC.JokerSpy.C (B), Trojan.OSX.JokerSpy.4!c, Trojan.Python.JokerSpy.A (B), Trojan.Python.JokerSpy.B (B), Trojan.Python.JokerSpy.C (B), Trojan.Script.JokerSpy.4!c, Trojan.Win32.FRS.VSNW15F23<\/span><\/a><\/p>\n For additional technical details about the JokerSpy malware, you can read Lapusneanu and Botezatu’s write-up<\/a> from June 16, and Wilhoit, Bitam, Goodwin, Pease, and Ungureanu’s write-up<\/a> from June 21.<\/p>\n We briefly discussed JokerSpy on episode 297<\/a> of the Intego Mac Podcast.<\/p>\n\n
What does JokerSpy Mac malware do?<\/h3>\n
sh.py<\/code>) that can be used to download additional components. On one infected system at a “prominent Japanese cryptocurrency exchange,” the malware was seen downloading SwiftBelt to gain additional capabilities. SwiftBelt<\/a> is a legitimate red-teaming tool developed by Cedric Owens, a Mac-focused offensive security engineer. Unfortunately, bad guys like JokerSpy’s distributors can use good guys’ tools for malicious purposes.<\/p>\nHow can one remove or prevent JokerSpy and other Mac malware?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
<\/p>\nIs JokerSpy related to SysJoker?<\/h3>\n
\/Users\/joker\/Downloads\/Spy\/XProtectCheck\/<\/code><\/p>\nJokerSpy indicators of compromise (IoCs)<\/h3>\n
39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4\r\n5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272\r\n6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c\r\n8ca86f78f0c73a46f31be366538423ea0ec58089f3880e041543d08ce11fa626\r\n951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c\r\naa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1\r\nd895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8<\/pre>\n
git-hub[.]me\r\napp.influmarket[.]org<\/pre>\n
Is JokerSpy known by any other names?<\/h3>\n
How can I learn more?<\/h3>\n