osx.janicab

Janicab

Actor(s): Evilnum


According to Patrick Wardle, this malware persists a Python script as a cron job.
Steps:
1. The Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'.
2. It appends its new job to this file.
3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
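One defender-side way to check for the persistence pattern described above, added here as an example and not part of the Malpedia entry: it parses a crontab dump (a constructed sample is embedded; `crontab -l` reads the live one) and flags every-minute entries that run a .pyc from a dot-directory under a home path.

```python
import re
import subprocess

# Constructed sample crontab dump (not taken from the page). The last line mirrors
# the persistence pattern described above: python running ~/.t/runner.pyc every minute.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/curl -s https://example.invalid/health
* * * * * python ~/.t/runner.pyc
"""

# Five schedule fields followed by the command.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
# A python interpreter executing a .pyc that lives in a dot-directory under a home path.
HIDDEN_PYC = re.compile(
    r"\bpython[\d.]*\s+.*(~|\$HOME|/Users/[^/\s]+)/\.[^/\s]+/\S+\.pyc\b"
)

def parse_crontab(text):
    """Return (schedule, command) pairs for every non-comment crontab line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((" ".join(m.groups()[:5]), m.group(6)))
    return entries

def suspicious_entries(text):
    """Commands that run every minute and execute a hidden-directory .pyc with python."""
    return [
        command
        for schedule, command in parse_crontab(text)
        if schedule == "* * * * *" and HIDDEN_PYC.search(command)
    ]

def read_user_crontab():
    """Dump the current user's crontab with `crontab -l`; empty string if there is none."""
    proc = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""

if __name__ == "__main__":
    print("sample hits:", suspicious_entries(SAMPLE_CRONTAB))
    print("live hits:", suspicious_entries(read_user_crontab()))
```

A leftover '/tmp/dump' file next to such an entry is a second indicator worth checking on the host.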

References
@online{great:20221208:deathstalker:a171c50, author = {GReAT}, title = {{DeathStalker targets legal entities with new Janicab variant}}, date = {2022-12-08}, organization = {Kaspersky}, url = {https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/}, language = {English}, urldate = {2022-12-14} }
Families: Janicab, Stormwind

@online{pellegrino:20220531:janicab:f2b2798, author = {Gaetano Pellegrino}, title = {{Janicab Series: Attibution and IoCs}}, date = {2022-05-31}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/}, language = {English}, urldate = {2022-05-31} }
Families: Janicab

@online{pellegrino:20220527:janicab:f14d487, author = {Gaetano Pellegrino}, title = {{Janicab Series: The Core Artifact}}, date = {2022-05-27}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/}, language = {English}, urldate = {2022-05-29} }
Families: Janicab

@online{pellegrino:20220526:janicab:92c671c, author = {Gaetano Pellegrino}, title = {{Janicab Series: Further Steps in the Infection Chain}}, date = {2022-05-26}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/}, language = {English}, urldate = {2022-05-29} }
Families: Janicab

@online{pellegrino:20220524:janicab:c04ed61, author = {Gaetano Pellegrino}, title = {{Janicab Series: First Steps in the Infection Chain}}, date = {2022-05-24}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/}, language = {English}, urldate = {2022-05-29} }
Families: Janicab

@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} }
Families: WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti

@online{kwiatkowski:20200824:lifting:fd3c725, author = {Ivan Kwiatkowski and Pierre Delcher and Maher Yamout}, title = {{Lifting the veil on DeathStalker, a mercenary triumvirate}}, date = {2020-08-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/deathstalker-mercenary-triumvirate/98177/}, language = {English}, urldate = {2020-08-25} }
Families: EVILNUM, Janicab; Actor: Evilnum

@online{bustami:20181213:powersing:2a7b1db, author = {Mo Bustami}, title = {{POWERSING - From LNK Files To Janicab Through YouTube & Twitter}}, date = {2018-12-13}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html}, language = {English}, urldate = {2020-08-25} }
Families: Janicab

@online{mller:20150911:csi:56aa614, author = {Markus Möller}, title = {{CSI MacMark: Janicab}}, date = {2015-09-11}, organization = {MacMark}, url = {https://www.macmark.de/blog/osx_blog_2013-08-a.php}, language = {German}, urldate = {2020-05-19} }
Families: Janicab

@online{klnai:20130722:multisystem:907e0a4, author = {Peter Kálnai}, title = {{Multisystem Trojan Janicab attacks Windows and MacOSX via scripts}}, date = {2013-07-22}, organization = {Avast}, url = {https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/}, language = {English}, urldate = {2020-05-20} }
Families: Janicab

@online{aquilino:20130715:signed:013bd1d, author = {Broderick Aquilino}, title = {{Signed Mac Malware Using Right-to-Left Override Trick}}, date = {2013-07-15}, organization = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/00002576.html}, language = {English}, urldate = {2020-05-19} }
Families: Janicab

There is no YARA signature yet.