- REF9134 leverages custom and open source tools for reconnaissance and command and control.
- Targets of this activity include a cryptocurrency exchange in Japan.
- This is an initial notification of an active intrusion, with additional details to follow.

This research article explores a recently discovered intrusion we're calling REF9134, which involves using the sh.py backdoor to deploy the macOS Swiftbelt enumeration tool. sh.py and xcc have recently been dubbed JOKERSPY by Bitdefender.

This article covers:

- How Elastic Security Labs identified reconnaissance from the adversary group.
- The adversary's steps to evade detection using xcc, installing the sh.py backdoor, and deploying enumeration tools.

A deeper look at this attack may be published at a later date.

In late May of 2023, an adversary with existing access in a prominent Japanese cryptocurrency exchange tripped one of our diagnostic endpoint alerts that detected the execution of a binary (xcc). xcc is not trusted by Apple; the adversary had self-signed it using the native macOS tool codesign. While this detection in itself was not necessarily a sign of malicious activity, the industry vertical and the additional activity we observed following these initial alerts caught our eye and caused us to pay closer attention.

Following the execution of xcc, we observed the threat actor attempting to bypass TCC permissions by creating their own TCC database and trying to replace the existing one. On June 1st, a new Python-based tool was seen executing from the same directory as xcc and was used to execute an open-source macOS post-exploitation enumeration tool known as Swiftbelt.

REF9134 is an intrusion into a large Japan-based cryptocurrency service provider focused on asset exchange for trading Bitcoin, Ethereum, and other common cryptocurrencies.
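The TCC database is an ordinary SQLite file, which is why swapping in an attacker-authored copy is a viable way to grant an implant permissions the user never approved. The script below is an added example written for this article (it is not Elastic's code, nor anything recovered from the intrusion) of two checks a defender can run against a TCC.db: diff the live database against a known-good baseline to surface grants that appeared after the replacement, and audit allowed entries for the hallmarks of a hand-written database (high-value services granted to path-based clients outside normal install locations, and grants with no code-signing requirement attached). The column names and the meaning of client_type and auth_value are assumptions from macOS 11+ layouts, the sample rows are constructed, and /private/tmp/tool is a hypothetical implant path.

```python
import sqlite3

# Subset of the macOS TCC.db "access" table used by this example. Column names
# and value meanings are assumptions from macOS 11+ layouts, not from the page:
# client_type 0 = bundle identifier, 1 = absolute path;
# auth_value 0 = denied, 1 = unknown, 2 = allowed, 3 = limited.
TCC_SCHEMA = """
CREATE TABLE access (
    service     TEXT    NOT NULL,
    client      TEXT    NOT NULL,
    client_type INTEGER NOT NULL,
    auth_value  INTEGER NOT NULL,
    csreq       BLOB
);
"""

AUTH_ALLOWED = 2
CLIENT_IS_PATH = 1

# Grants worth the most to post-exploitation tooling (file system, UI, screen).
HIGH_VALUE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
    "kTCCServiceAppleEvents",
}

# Prefixes under which a legitimately installed path-based client would live.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def load_rows(conn):
    """Return the access table as a set of tuples so two databases can be diffed."""
    return set(conn.execute(
        "SELECT service, client, client_type, auth_value, csreq FROM access"
    ).fetchall())


def audit_grants(conn):
    """Flag allowed grants that look planted rather than approved through tccd."""
    findings = []
    for service, client, client_type, auth_value, csreq in sorted(load_rows(conn), key=lambda r: r[:2]):
        if auth_value != AUTH_ALLOWED:
            continue
        reasons = []
        if (service in HIGH_VALUE_SERVICES and client_type == CLIENT_IS_PATH
                and not client.startswith(TRUSTED_PREFIXES)):
            reasons.append("high-value grant to a path outside trusted locations")
        if csreq is None:
            # tccd binds a code-signing requirement to grants it records;
            # a hand-written database commonly leaves it empty.
            reasons.append("no code-signing requirement (csreq) bound to grant")
        if reasons:
            findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


def new_grants(baseline_conn, live_conn):
    """Rows present in the live database but absent from a known-good baseline."""
    return sorted(load_rows(live_conn) - load_rows(baseline_conn), key=lambda r: r[:2])


def build_db(with_planted_grant):
    """Constructed sample database; the rows are illustrative, not observed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(TCC_SCHEMA)
    rows = [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, AUTH_ALLOWED, b"\x00csreq"),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 0, b"\x00csreq"),
    ]
    if with_planted_grant:
        # Hypothetical implant path granted Full Disk Access with no csreq.
        rows.append(("kTCCServiceSystemPolicyAllFiles", "/private/tmp/tool",
                     CLIENT_IS_PATH, AUTH_ALLOWED, None))
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    baseline, live = build_db(False), build_db(True)
    for row in new_grants(baseline, live):
        print("new grant:", row)
    for finding in audit_grants(live):
        print(finding["service"], finding["client"], "; ".join(finding["reasons"]))
```

On a real host, point sqlite3.connect at a copy of /Library/Application Support/com.apple.TCC/TCC.db (reading it requires Full Disk Access, so take the copy from a privileged collection job) and keep the baseline from a clean build. The baseline diff is the more reliable of the two checks: a careful adversary can populate csreq and choose a plausible path, but cannot make a planted grant disappear from the difference against a snapshot they never saw.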