osx.janicab

Janicab

Actor(s): Evilnum


According to Patrick Wardle, this malware persists a Python script as a cron job.
Steps:
1. The Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'.
2. It then appends its new job to this file.
3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
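As an added example (not from the original entry or from the cited reports), the following Python checks a crontab dump for the persistence pattern described above: an every-minute job running Python on a compiled .pyc file that lives in a hidden directory under the user's home. The crontab text and its paths are constructed sample data; on a live host, the output of `crontab -l` can be passed to the same function.

```python
import re
import subprocess

# Constructed sample crontab, modelled on the persistence described above:
# one benign nightly job, one Janicab-style entry, one benign Python job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/local/bin/backup.sh
* * * * * python ~/.t/runner.pyc
*/5 * * * * /usr/bin/python /Users/alice/scripts/sync.py
"""

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_cron_lines(text):
    """Yield (schedule, command) pairs; skip comments, blank lines and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) <= CRON_FIELDS:
            continue  # malformed entry with no command part
        yield " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def is_suspicious(schedule, command):
    """True for an every-minute job running python on a .pyc inside a hidden home directory."""
    every_minute = schedule.split() == ["*"] * CRON_FIELDS
    python_pyc = re.search(r"\bpython[0-9.]*\b.*\.pyc\b", command) is not None
    # ~/.x/, /Users/<u>/.x/ or /home/<u>/.x/ -- a dot-directory directly under $HOME
    hidden_home = re.search(r"(~|/Users/[^/\s]+|/home/[^/\s]+)/\.[^/\s]+/", command) is not None
    return every_minute and python_pyc and hidden_home


def find_suspicious_jobs(text):
    """Return the (schedule, command) pairs in a crontab dump that match the pattern."""
    return [(s, c) for s, c in parse_cron_lines(text) if is_suspicious(s, c)]


def current_user_crontab():
    """Read the invoking user's crontab; an empty string means no crontab or no cron binary."""
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return out.stdout if out.returncode == 0 else ""


if __name__ == "__main__":
    for schedule, command in find_suspicious_jobs(SAMPLE_CRONTAB) or find_suspicious_jobs(current_user_crontab()):
        print(f"suspicious cron entry: {schedule} {command}")
```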

References

2022-12-08, Kaspersky, GReAT
DeathStalker targets legal entities with new Janicab variant
Families: Janicab, Janicab Stormwind

2022-05-31, Malwarology, Gaetano Pellegrino
Janicab Series: Attribution and IoCs
Families: Janicab

2022-05-27, Malwarology, Gaetano Pellegrino
Janicab Series: The Core Artifact
Families: Janicab

2022-05-26, Malwarology, Gaetano Pellegrino
Janicab Series: Further Steps in the Infection Chain
Families: Janicab

2022-05-24, Malwarology, Gaetano Pellegrino
Janicab Series: First Steps in the Infection Chain
Families: Janicab

2020-11-03, Kaspersky Labs, GReAT
APT trends report Q3 2020
Families: WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti

2020-08-24, Kaspersky Labs, Ivan Kwiatkowski, Maher Yamout, Pierre Delcher
Lifting the veil on DeathStalker, a mercenary triumvirate
Families: EVILNUM, Janicab, Evilnum

2018-12-13, Security 0wnage, Mo Bustami
POWERSING - From LNK Files To Janicab Through YouTube & Twitter
Families: Janicab

2015-09-11, MacMark, Markus Möller
CSI MacMark: Janicab
Families: Janicab

2013-07-22, Avast, Peter Kálnai
Multisystem Trojan Janicab attacks Windows and MacOSX via scripts
Families: Janicab

2013-07-15, F-Secure, Broderick Aquilino
Signed Mac Malware Using Right-to-Left Override Trick
Families: Janicab

There is no YARA signature yet.