JokerSpy

Summary
A dangerous piece of malware attributed to a nation-state
Class
Spyware
Class Summary
Spyware is a type of malware designed to collect information covertly from your device. It can record keystrokes, capture screenshots, or monitor browsing habits. If spyware is detected on your system, change all passwords and enable multi-factor authentication on sensitive accounts. Consult with a security specialist as spyware often has deep system access, making complete removal critical.
Description

Attributed to the BlueNoroff APT group, JokerSpy was first spotted targeting a cryptocurrency exchange in Japan. The malware uses a variety of backdoors to deploy spyware on compromised systems and relies on open-source tools for reconnaissance. Its Python-scripted backdoors load their configuration dynamically and execute operator commands, allowing a diverse set of malicious actions. In addition to evaluating system permissions, JokerSpy is known to abuse TCC (Transparency, Consent, and Control), the macOS privacy-permission framework. It may also deploy SwiftBelt, an open-source macOS post-exploitation toolset commonly used in red teaming exercises.

Example Hashes