xcc is not trusted by Apple, and the adversary self-signed using the native macOS tool codesign. ![]() In late May of 2023, an adversary with existing access in a prominent Japanese cryptocurrency exchange tripped one of our diagnostic endpoint alerts that detected the execution of a binary ( xcc ). The adversary’s steps to evade detection using xcc, installing the sh.py backdoor, and deploying enumeration toolsĪ deeper look at this attack may be published at a later date.How Elastic Security Labs identified reconnaissance from the adversary group.sh.py and xcc have recently been dubbed JOKERSPY by Bitdefender. ![]() This research article explores a recently discovered intrusion we’re calling REF9134, which involves using the sh.py backdoor to deploy the macOS Swiftbelt enumeration tool. Targets of this activity include a cryptocurrency exchange in Japan.REF9134 leverages custom and open source tools for reconnaissance and command and control.This is an initial notification of an active intrusion with additional details to follow.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |