S0466 WindTail
WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back, also known as KitM OSX.[1][2][3]
Item | Value |
---|---|
ID | S0466 |
Associated Names | (none) |
Type | MALWARE |
Version | 1.0 |
Created | 04 June 2020 |
Last Modified | 20 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | WindTail has the ability to use HTTP for C2 communications.[3] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | WindTail has the ability to use the macOS built-in zip utility to archive files.[3] |
enterprise | T1119 | Automated Collection | WindTail can identify files that have specific file extensions and add them to an array for archiving.[3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | WindTail can use the open command to execute an application.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | WindTail has the ability to decrypt strings using hard-coded AES keys.[2] |
enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | WindTail has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl.[3] |
enterprise | T1083 | File and Directory Discovery | WindTail has the ability to enumerate the user's home directory and the path to its own application bundle.[2][3] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | WindTail can instruct the OS to execute an application without a dock icon or menu.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | WindTail has the ability to receive and execute a self-delete command.[3] |
enterprise | T1036 | Masquerading | WindTail has used icons mimicking MS Office files to mask payloads.[2] |
enterprise | T1036.001 | Invalid Code Signature | WindTail has been incompletely signed with revoked certificates.[2] |
enterprise | T1106 | Native API | WindTail can invoke the Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.[3] |
enterprise | T1027 | Obfuscated Files or Information | WindTail can be delivered as a compressed, encrypted, and encoded payload.[3] |
enterprise | T1124 | System Time Discovery | WindTail has the ability to generate the current date and time.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0112 | Windshift | [1][2][3] |
References
1. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
2. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
3. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.