Experts found components of a complex toolkit employed in macOS attacks


Bitdefender recently discovered a collection of harmful tools with backdoor capabilities specifically targeting Apple MacOS systems. Bitdefender researchers analysed several malware samples that were submitted to VirusTotal by an anonymous victim and realised that these samples have low detection rates and limited available information. There could be a possibility of your Mac contacting a virus. Click on this link to know how to scan and remove it.

Among the malware samples, two Python-based backdoors were identified. They are called JokerSpy in Bitdefender's report and can attack Windows, Linux, and macOS.

The first backdoor, named shared.dat, checks the operating system and connects to the hackers' server to get more instructions. It can collect system information, execute commands, download and run files, and shut down the computer. On Macs, it writes encoded content to a file called AppleAccount.tgz, which is then unpacked and launched as an application.

On Linux, the backdoor checks the Linux distribution and creates a temporary file with C code, which is compiled into another file using specific commands.

The researchers also found a more powerful backdoor called, which can collect system data, search and delete files, execute commands and files sent by hackers, and steal data.

Additionally, there is a macOS-specific binary called "FAT binary" that checks permissions before using a potential spyware component, likely to capture the screen but doesn't contain the actual spyware component. The experts believe that the discovered files are part of a more sophisticated attack.

The exact origin of these malware samples and the initial infection method is still unknown. It is believed that social engineering or targeted phishing attacks were likely involved. Be informed that having a hide VPN is among the first steps to take to avoid data breaches.