According to Patrick Wardle, this malware persists a Python script as a cron job.
1. The Python installer first saves any existing cron jobs to a temporary file named '/tmp/dump'.
2. It appends its new job to this file.
3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
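A detection sketch for the persistence pattern described above, added here as an example and not taken from Patrick Wardle's analysis or from the malware itself. The two paths come from the description; the scoring heuristics, the threshold, and the sample crontab are assumptions constructed for illustration.

```python
import os
import re

# Paths reported in the description above.
STAGING_FILE = "/tmp/dump"
KNOWN_PAYLOAD = "~/.t/runner.pyc"
# Assumed generalisation: any script inside a dot-directory under a home path.
HIDDEN_HOME = re.compile(r"(?:~|\$HOME|/Users/[^/\s]+|/home/[^/\s]+)/\.[^/\s]+/\S+")
PYTHON = re.compile(r"(?:^|[\s/(])python[\d.]*(?=[\s(]|$)")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

# Constructed sample of `crontab -l` output; only the third line is the reported job.
SAMPLE = '''MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
* * * * * python ~/.t/runner.pyc
*/5 * * * * /usr/bin/python3 /Users/alice/projects/sync.py
@reboot /usr/local/bin/agent
'''

def parse_crontab(text):
    """Yield (schedule, command), skipping comments, blanks and env assignments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        n = 1 if line.startswith("@") else 5  # @reboot-style vs five time fields
        fields = line.split(None, n)
        if len(fields) == n + 1:
            yield " ".join(fields[:n]), fields[n]

def score_job(schedule, command):
    """Return the list of reasons a job resembles the reported persistence."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("runs every minute")
    if PYTHON.search(command):
        reasons.append("invokes python")
    if HIDDEN_HOME.search(command):
        reasons.append("payload in hidden home directory")
    if KNOWN_PAYLOAD in command:
        reasons.append("matches reported path " + KNOWN_PAYLOAD)
    return reasons

def suspicious_jobs(text, threshold=3):
    """Return (command, reasons) for jobs meeting at least `threshold` heuristics."""
    scored = ((cmd, score_job(sched, cmd)) for sched, cmd in parse_crontab(text))
    return [(cmd, why) for cmd, why in scored if len(why) >= threshold]

if __name__ == "__main__":
    for cmd, why in suspicious_jobs(SAMPLE):
        print(cmd, "->", "; ".join(why))
    print("staging file present:", os.path.exists(STAGING_FILE))
```

Feed it the output of `crontab -l` for each user; a leftover '/tmp/dump' on its own is weak evidence, since the name is generic.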
|2022-12-08 ⋅ Kaspersky ⋅ |
DeathStalker targets legal entities with new Janicab variant
Janicab Janicab Stormwind
|2022-05-31 ⋅ Malwarology ⋅ |
Janicab Series: Attribution and IoCs
|2022-05-27 ⋅ Malwarology ⋅ |
Janicab Series: The Core Artifact
|2022-05-26 ⋅ Malwarology ⋅ |
Janicab Series: Further Steps in the Infection Chain
|2022-05-24 ⋅ Malwarology ⋅ |
Janicab Series: First Steps in the Infection Chain
|2020-11-03 ⋅ Kaspersky Labs ⋅ |
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
|2020-08-24 ⋅ Kaspersky Labs ⋅ |
Lifting the veil on DeathStalker, a mercenary triumvirate
EVILNUM Janicab Evilnum
|2018-12-13 ⋅ Security 0wnage ⋅ |
POWERSING - From LNK Files To Janicab Through YouTube & Twitter
|2015-09-11 ⋅ MacMark ⋅ |
CSI MacMark: Janicab
|2013-07-22 ⋅ Avast ⋅ |
Multisystem Trojan Janicab attacks Windows and MacOSX via scripts
|2013-07-15 ⋅ F-Secure ⋅ |
Signed Mac Malware Using Right-to-Left Override Trick
There is no Yara-Signature yet.