JokerSpy backdoor Mac malware discovered in the wild

Posted on June 23rd, 2023 by Joshua Long

In June, two research teams independently discovered a new Mac malware family, dubbed JokerSpy. One of the malware’s early stages includes a cross-platform component, hinting that variants of JokerSpy may also exist for Windows and Linux as well.

Let’s explore what you need to know about this new Mac threat and how to stay protected.

In this article:

What does JokerSpy Mac malware do?
How can one remove or prevent JokerSpy and other Mac malware?
Is JokerSpy related to SysJoker?
JokerSpy indicators of compromise (IoCs)
Is JokerSpy known by any other names?
How can I learn more?

What does JokerSpy Mac malware do?

Currently the initial infection vector (i.e. how the malware gets onto a Mac) is unknown.

Once deployed, the earliest known stage of the malware is a Python backdoor (filename sh.py) that can be used to download additional components. On one infected system at a “prominent Japanese cryptocurrency exchange,” the malware was seen downloading SwiftBelt to gain additional capabilities. SwiftBelt is a legitimate red-teaming tool developed by Cedric Owens, a Mac-focused offensive security engineer. Unfortunately, bad guys like JokerSpy’s distributors can use good guys’ tools for malicious purposes.

Once a system is compromised and infected with malware like JokerSpy, the attacker effectively has a great degree of control over the system. With a backdoor, attackers can install additional components in the background, and could potentially run further exploits, monitor users’ behavior, steal login credentials or cryptocurrency wallets, and more.

How can one remove or prevent JokerSpy and other Mac malware?

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX/JokerSpy, Python/JokerSpy, or names similar to adware/OSX/Agent.jlejb.

If you believe your Mac may be infected—or to prevent future infections—use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.

Additionally, if you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from this and other PC malware.

VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.

Is JokerSpy related to SysJoker?

JokerSpy is not known to be related to SysJoker, which we wrote about in January 2022, but there are some coincidental similarities. Both are multi-platform backdoor malware families with components that can infect macOS, Windows, and Linux PCs. And interestingly, both are known to have used GitHub lookalike domains.

In the case of JokerSpy, the “joker” part of the name comes from the apparent username of its developer’s macOS login; “Spy” is also found in the same path string in one of JokerSpy’s macOS executable files: /Users/joker/Downloads/Spy/XProtectCheck/

One research group noted that a particular sample of JokerSpy malware “has a code signature resembling” a payload from the SmoothOperator Trojanized 3CX software that Intego wrote about in April 2023.

JokerSpy indicators of compromise (IoCs)

The following SHA-256 hashes may relate to JokerSpy malware campaigns:

39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4
5fe1790667ee5085e73b054566d548eb4473c20cf962368dd53ba776e9642272
6d3eff4e029db9d7b8dc076cfed5e2315fd54cb1ff9c6533954569f9e2397d4c
8ca86f78f0c73a46f31be366538423ea0ec58089f3880e041543d08ce11fa626
951039bf66cdf436c240ef206ef7356b1f6c8fffc6cbe55286ec2792bf7fe16c
aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1
d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8

The following command-and-control (C&C) domains have reportedly been used in conjunction with this malware:

git-hub[.]me
app.influmarket[.]org

Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact one of these domains, which could indicate a possible infection.

The first domain above was previously observed in connection with “QRLog” Java RAT malware, according to researcher Mauro Eldritch in a February 2023 write-up. (The original analysis is no longer online; see the Bing cached version and an Internet Archive backup thereof.)

Is JokerSpy known by any other names?

Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:

Adware.ADWARE/OSX.Agent.gedwx, Adware.ADWARE/OSX.Agent.jlejb, Adware/Joker!OSX, Backdoor.Python.JokerSpy.a, Backdoor.Python.JokerSpy.b, HEUR:Trojan.OSX.JokerSpy.a, Joke:MacOS/Multiverze, MacOS:Joker-B [Trj], OSX.Trojan.Gen, OSX/JokerSpy-A, OSX/Spy.Joker.A, Python:Joker-A [Trj], Python:Joker-B [Trj], Python/Spy.Joker.A, Riskware.OSX.Agent.1!c, Trojan Horse, Trojan:Python/PyJoker.AC, Trojan.MAC.JokerSpy.A (B), Trojan.MAC.JokerSpy.A [many], Trojan.MAC.JokerSpy.C (B), Trojan.OSX.JokerSpy.4!c, Trojan.Python.JokerSpy.A (B), Trojan.Python.JokerSpy.B (B), Trojan.Python.JokerSpy.C (B), Trojan.Script.JokerSpy.4!c, Trojan.Win32.FRS.VSNW15F23

How can I learn more?

For additional technical details about the JokerSpy malware, you can read Lapusneanu and Botezatu’s write-up from June 16, and Wilhoit, Bitam, Goodwin, Pease, and Ungureanu’s write-up from June 21.

We briefly discussed JokerSpy on episode 297 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels:

JokerSpy logo images based on: “Jester- Joker Card” by GoShows (CC BY 2.0) and “Matrix – iPhone Background” by Patrick Hoesly (CC BY 2.0); both images modified.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →

Share