
S0163 Janicab

Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [1]

| Item | Value |
| --- | --- |
| ID | S0163 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 14 December 2017 |
| Last Modified | 19 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1123 | Audio Capture | Janicab captured audio and sent it out to a C2 server. [2][1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | Janicab used a cron job for persistence on Mac devices. [1] |
| enterprise | T1113 | Screen Capture | Janicab captured screenshots and sent them out to a C2 server. [2][1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions. [1] |

References