
"ChillyHell is not an applet, i.e., a script on macOS that behaves like an executable file. It does appear to be one, however, thanks to its applet.app naming. After the applet ensures its own survival via a command & control (C2) connection, ChillyHell starts collecting data. Initially, this is a superficial profiling of the environment in which it finds itself. The malware then installs itself as a LaunchAgent or LaunchDaemon. If this does not work, it activates when the terminal is opened."
"ChillyHell proves difficult to detect because it removes artifacts that would otherwise reveal the malware's presence. Its malicious activity also remains largely secret: the malware randomly goes into sleep mode and communicates via various protocols. 'ChillyHell is remarkably flexible,' according to the Jamf researchers. It is modular in nature, knows how to crack passwords, and removes evidence of its own existence."
ChillyHell, also tracked as UNC4487 and MATANBUCHUS, targets macOS and masquerades as an applet through its applet.app naming. It first establishes command-and-control (C2) connectivity to secure its survival, then profiles the host environment and begins collecting data. Persistence is achieved by installing a LaunchAgent or LaunchDaemon; if that fails, the malware falls back to activating when a terminal is opened. It removes forensic artifacts, sleeps at random intervals to avoid detection, communicates over multiple protocols, and supports modular plugins, including password-cracking capabilities. Indicators of Compromise for macOS environments are available; Google Threat Intelligence and Apple assisted in compiling the detectable telltale signs and hashes.
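The persistence chain described above (a LaunchAgent/LaunchDaemon, or a terminal-open fallback) leaves exactly two kinds of artifacts a defender can triage: launchd plists and shell startup files. The following is an added example, not code from Techzine, Jamf or the malware analysis; the thresholds are heuristics rather than published IoCs, and the paths, label and `~/.zshrc` contents are constructed samples.

```python
import plistlib
import re

# Heuristics, not IoCs from the article: paths an unprivileged process can
# write to, and shell constructs that start something every time a terminal opens.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/Users/", "/var/folders/")
BACKGROUND = re.compile(r"\bnohup\b|\bdisown\b|&\s*$")

def flag_launchd_plist(name, data):
    """Return reasons a LaunchAgent/LaunchDaemon plist looks like foreign persistence."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    program = args[0] if args else ""
    reasons = []
    if program.startswith(USER_WRITABLE) or "/." in program:
        reasons.append(f"{name}: program in user-writable or hidden path: {program}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append(f"{name}: RunAtLoad+KeepAlive, relaunched if killed")
    if "applet" in program.lower():
        reasons.append(f"{name}: program named like an applet bundle")
    return reasons

def flag_shell_profile(name, text):
    """Return lines of a shell startup file that launch something on terminal open."""
    reasons = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if BACKGROUND.search(s) or s.startswith(USER_WRITABLE):
            reasons.append(f"{name}: {s}")
    return reasons

# Constructed samples (hypothetical paths and label, not from the article).
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.update",
    "ProgramArguments": ["/Users/victim/Library/.cache/applet.app/Contents/MacOS/applet"],
    "RunAtLoad": True, "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/usr/local/bin/helper", "--daemon"], "RunAtLoad": True,
})
SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
source ~/.nvm/nvm.sh
# appended after install
nohup /Users/victim/Library/.cache/applet.app/Contents/MacOS/applet >/dev/null 2>&1 &
"""
```

On a live host, feed the functions the contents of `~/Library/LaunchAgents`, `/Library/LaunchAgents`, `/Library/LaunchDaemons` and the user's shell startup files; every hit is a lead to confirm manually, not a verdict.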
Read at Techzine Global