xcc is not trusted by Apple, and the adversary self-signed using the native macOS tool codesign. In late May of 2023, an adversary with existing access in a prominent Japanese cryptocurrency exchange tripped one of our diagnostic endpoint alerts that detected the execution of a binary ( xcc ).
The adversary’s steps to evade detection using xcc, installing the sh.py backdoor, and deploying enumeration toolsĪ deeper look at this attack may be published at a later date. How Elastic Security Labs identified reconnaissance from the adversary group. sh.py and xcc have recently been dubbed JOKERSPY by Bitdefender. This research article explores a recently discovered intrusion we’re calling REF9134, which involves using the sh.py backdoor to deploy the macOS Swiftbelt enumeration tool. Targets of this activity include a cryptocurrency exchange in Japan. 
REF9134 leverages custom and open source tools for reconnaissance and command and control.This is an initial notification of an active intrusion with additional details to follow.
0 kommentar(er)
