Date:

Jun 2023

Location:

Japan

Summary

An unnamed Japanese cryptocurrency exchange was compromised in an intrusion that deployed the macOS backdoor known as JokerSpy. The attack involved a self-signed, multi-architecture binary named xcc, used to check the host's privacy (TCC) permissions ahead of an attempt to bypass them, and led to the deployment of a Python implant (sh.py) and the Swiftbelt enumeration tool. The intrusion was assessed to have leveraged backdoored versions of legitimate software development applications for initial access, enabling the threat actors to gather data and execute commands on the compromised hosts.


Description

An unnamed cryptocurrency exchange located in Japan was targeted in an attack that commenced on or around June 1, 2023. The intrusion set, tracked by Elastic Security Labs under the name REF9134, led to the deployment of a macOS backdoor identified as JokerSpy. This toolkit, first documented by Bitdefender, consists of a set of programs written in Python and Swift designed to gather data and execute arbitrary commands on compromised hosts. The target was a large Japan-based cryptocurrency service provider whose core business is the exchange of assets for trading Bitcoin, Ethereum, and other common cryptocurrencies. The name of the targeted company was not publicly disclosed.


The exact initial access vector was not confirmed in the public reporting; the working assessment was that backdoored versions of legitimate software development applications were involved. Three applications were observed launching the attack tooling: IntelliJ IDEA, iTerm, and Visual Studio Code. Each was seen executing a multi-architecture binary named xcc. This ad-hoc (self-signed) binary checked whether the FullDiskAccess and ScreenRecording permissions had been granted on the macOS host. To masquerade as legitimate Apple security software, xcc was signed with the identifier "XProtectCheck", a direct reference to XProtect, the signature-based anti-malware technology built into macOS. Because genuine XProtect components are Apple platform binaries, an identifier like this on code without an Apple signature is itself a detection opportunity.
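Here is a detection heuristic a responder could apply to process telemetry for the two traits described above: a non-Apple binary carrying an XProtect-like signing identifier, and an unsigned binary spawned from one of the three developer applications. This is an added example written for this page, not code from Elastic or from the reporting; the event records are constructed, their field names only loosely follow macOS Endpoint Security process-exec events, and the /private/tmp/xcc and node paths are hypothetical.

```python
"""Flag xcc-style loaders: non-Apple code with an 'XProtect' signing identifier,
or unsigned code spawned by a developer app from an untrusted location.
Added example; the sample events below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Bundles of the three applications the report names as launching xcc.
DEV_APP_BUNDLES = (
    "/Applications/IntelliJ IDEA.app/",
    "/Applications/iTerm.app/",
    "/Applications/Visual Studio Code.app/",
)
# Locations where installed, vendor-signed code is expected to live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")


@dataclass
class ProcEvent:
    path: str                           # executable that was launched
    parent_path: str                    # executable of the parent process
    signing_id: Optional[str] = None    # code-signing identifier, None if unsigned
    team_id: Optional[str] = None       # Developer team ID, None for ad-hoc/unsigned code
    is_platform_binary: bool = False    # True only for Apple-signed system code


@dataclass
class Alert:
    path: str
    parent_path: str
    reasons: List[str] = field(default_factory=list)


def impersonates_xprotect(ev: ProcEvent) -> bool:
    """Genuine XProtect components are Apple platform binaries; anything else
    carrying an 'XProtect' identifier is masquerading (xcc used 'XProtectCheck')."""
    return "xprotect" in (ev.signing_id or "").lower() and not ev.is_platform_binary


def untrusted_child_of_dev_app(ev: ProcEvent) -> bool:
    """IDEs and terminals spawn many tools, so require all three conditions:
    dev-app parent, no team ID (ad-hoc/unsigned), and a path outside trusted dirs."""
    return (
        ev.parent_path.startswith(DEV_APP_BUNDLES)
        and ev.team_id is None
        and not ev.is_platform_binary
        and not ev.path.startswith(TRUSTED_PREFIXES)
    )


def evaluate(events: List[ProcEvent]) -> List[Alert]:
    """Run both heuristics over a batch of process events and collect alerts."""
    alerts = []
    for ev in events:
        reasons = []
        if impersonates_xprotect(ev):
            reasons.append("non-Apple binary with XProtect-like signing identifier")
        if untrusted_child_of_dev_app(ev):
            reasons.append("unsigned binary outside trusted paths spawned by a developer app")
        if reasons:
            alerts.append(Alert(ev.path, ev.parent_path, reasons))
    return alerts


# Constructed sample telemetry (the xcc and node paths are hypothetical).
SAMPLE_EVENTS = [
    ProcEvent("/private/tmp/xcc", "/Applications/iTerm.app/Contents/MacOS/iTerm2",
              signing_id="XProtectCheck", team_id=None, is_platform_binary=False),
    ProcEvent("/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect",
              "/sbin/launchd", signing_id="com.apple.XProtect", is_platform_binary=True),
    ProcEvent("/usr/bin/clang", "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
              signing_id="com.apple.clang", is_platform_binary=True),
    ProcEvent("/usr/local/bin/node", "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
              signing_id="node", team_id="EXAMPLETEAM"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a.path, "<-", a.parent_path, "|", "; ".join(a.reasons))
```

Only the constructed xcc event trips both rules; the real XProtect binary is excluded by its platform-binary flag, and the compiler and node launches from VS Code are excluded by Apple or vendor signatures. The second heuristic is deliberately conjunctive: a developer-app parent alone would drown an analyst in compiler and shell noise.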

Following its execution, the xcc binary was used by the threat actor in an attempt to bypass the macOS Transparency, Consent, and Control (TCC) framework. TCC protects user privacy by denying applications access to specific data and hardware (the full file system, the screen, the camera, and so on) until the user explicitly grants it; the grants are recorded in SQLite databases, one system-wide and one per user. The attackers attempted to subvert this protection by creating their own TCC database and trying to replace the existing one. On modern macOS those databases are protected by System Integrity Protection and can only be read or written by a process that already holds Full Disk Access, which is why xcc's permission check precedes the replacement attempt. A successful bypass would have granted the attackers full disk access and the ability to record the screen without any user prompt; whether the attempt succeeded was not reported.
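An incident responder who has obtained a copy of a TCC database (the system copy lives at /Library/Application Support/com.apple.TCC/TCC.db and each user's at ~/Library/Application Support/com.apple.TCC/TCC.db; reading them requires Full Disk Access) would want to list exactly the grants xcc was probing for and flag the ones that look hand-crafted. The audit below is an added example, not code from the report. It assumes a simplified subset of the real "access" table (the macOS 11+ column names service, client, client_type, auth_value, csreq and last_modified are real; the other columns are omitted), builds a constructed in-memory copy, and uses a hypothetical /private/tmp/xcc client path.

```python
"""Audit a TCC database for Full Disk Access and Screen Recording grants, the two
permissions xcc checked for. Added example; schema is a simplified subset of the
real 'access' table and the rows are constructed for illustration."""
import sqlite3
from typing import Dict, List

SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
}
AUTH_ALLOWED = 2       # auth_value: 0 = denied, 2 = allowed
CLIENT_TYPE_PATH = 1   # client_type: 0 = bundle identifier, 1 = absolute path

SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,
    auth_value    INTEGER NOT NULL,
    auth_reason   INTEGER NOT NULL,
    csreq         BLOB,
    last_modified INTEGER NOT NULL,
    PRIMARY KEY (service, client, client_type)
);
"""

# Constructed rows: a long-standing Terminal grant, two fresh path-based grants with no
# code requirement (what a hand-crafted replacement database might contain), and noise.
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, b"\xfa\xde\x0c\x00", 1680000000),
    ("kTCCServiceSystemPolicyAllFiles", "/private/tmp/xcc", 1, 2, 3, None, 1685620000),
    ("kTCCServiceScreenCapture", "/private/tmp/xcc", 1, 2, 3, None, 1685620000),
    ("kTCCServiceScreenCapture", "com.example.denied", 0, 0, 3, b"\xfa\xde\x0c\x00", 1685620000),
    ("kTCCServiceCamera", "com.example.video", 0, 2, 2, b"\xfa\xde\x0c\x00", 1685000000),
]


def load_sample_db() -> sqlite3.Connection:
    """Build the constructed database in memory (never INSERT into a real TCC.db)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def audit_tcc(conn: sqlite3.Connection, since_epoch: int) -> List[Dict]:
    """Return every allowed FDA/Screen Recording grant, annotated with review flags.
    The SELECT only touches columns that exist in a real macOS 11+ TCC.db."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    sql = (f"SELECT service, client, client_type, csreq, last_modified FROM access "
           f"WHERE service IN ({placeholders}) AND auth_value = ?")
    findings = []
    for service, client, client_type, csreq, last_modified in conn.execute(
            sql, (*SENSITIVE_SERVICES, AUTH_ALLOWED)):
        flags = []
        if last_modified >= since_epoch:
            flags.append("granted_in_window")       # changed during the incident window
        if client_type == CLIENT_TYPE_PATH:
            flags.append("path_identified_client")  # one-off binary rather than an app bundle
        if csreq is None:
            flags.append("no_code_requirement")     # tccd records a csreq for signed apps it grants
        findings.append({"service": SENSITIVE_SERVICES[service], "client": client, "flags": flags})
    return findings


def suspicious(findings: List[Dict]) -> List[Dict]:
    """Grants carrying two or more review flags deserve a closer look."""
    return [f for f in findings if len(f["flags"]) >= 2]


if __name__ == "__main__":
    # 1685577600 is 2023-06-01 00:00:00 UTC, the reported start of the intrusion.
    for f in suspicious(audit_tcc(load_sample_db(), since_epoch=1685577600)):
        print(f)
```

Against the constructed rows, the Terminal grant comes back with no flags while both xcc grants carry all three, which is the pattern to expect when an attacker drops in a database they wrote themselves rather than one tccd populated through user consent. To run it on a real copy, open the copied file with sqlite3.connect and pass that connection to audit_tcc.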

On June 1, a new Python-based tool was observed executing from the same directory as the xcc binary. This tool was used to run an open-source macOS post-exploitation enumeration tool known as Swiftbelt. Swiftbelt is a Swift-based tool inspired by Seatbelt, the open-source Windows host-enumeration utility, and its purpose is to collect system information from a compromised host. A notable characteristic is its method of operation: unlike enumeration tools that shell out to system utilities and therefore leave command-line artifacts, Swiftbelt calls Apple's APIs directly from Swift, giving it a smaller forensic footprint and letting it sidestep detections that rely on command-line monitoring.

Another component installed during the attack was a Python implant identified as sh.py. This script functioned as a conduit to deliver additional post-exploitation tools, including Swiftbelt, onto the compromised system. This multi-stage deployment let the attackers modularize their toolkit, bringing in specific capabilities as needed. The xcc binary, of which several variants were observed, was written in Swift, a language less commonly associated with malware, which may help it evade detection mechanisms tuned to other languages and to shell-based tooling.

The ultimate impact of the intrusion on the cryptocurrency exchange's operations or any potential financial loss was not detailed in the public reporting. The extent of data exfiltration or whether customer assets were directly affected remains undisclosed. The public disclosure of the incident came from cybersecurity firms analyzing the attack methodology and tools rather than from the victim organization itself. The analysis provided by Elastic Security Labs focused on the technical aspects of the JokerSpy backdoor and the associated tools, detailing the attack chain and the capabilities the threat actor sought to achieve.

The response actions taken by the targeted cryptocurrency exchange were not described in the available information. The public reporting did not say how the incident was initially detected, what internal containment measures were enacted, or whether external incident response teams were engaged. The narrative is constructed entirely from the technical analysis of the attack tools and methods as observed by third-party security researchers. The threat actor behind the operation remains largely unknown, with little information available about their identity or motivations beyond the tools and techniques used in this intrusion. The objective appeared to be espionage and data gathering, given the deployment of system enumeration tools and the effort spent bypassing privacy controls to reach sensitive system information. The attack demonstrates a focused effort to compromise a financial services entity in the cryptocurrency sector using techniques tailored to the macOS environment.
