S0278 iKitten
iKitten is a macOS exfiltration agent.[1]
| Item | Value |
|---|---|
| ID | S0278 |
| Associated Names | OSX/MacDownloader |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |
Associated Software Descriptions
| Name | Description |
|---|---|
| OSX/MacDownloader | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | iKitten will zip up the /Library/Keychains directory before exfiltrating it.[1] |
| enterprise | T1037 | Boot or Logon Initialization Scripts | - |
| enterprise | T1037.004 | RC Scripts | iKitten adds an entry to the rc.common file for persistence.[1] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.001 | Keychain | iKitten collects the keychains on the system.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | iKitten saves itself with a leading “.” so that it’s hidden from users by default.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.002 | GUI Input Capture | iKitten prompts the user for their credentials.[1] |
| enterprise | T1057 | Process Discovery | iKitten lists the current processes running.[1] |
| enterprise | T1016 | System Network Configuration Discovery | iKitten will look for the current IP address.[1] |