iKitten

iKitten is a macOS exfiltration agent ^[1].

ID: S0278

ⓘ

Associated Software: OSX/MacDownloader

ⓘ

Type: MALWARE

ⓘ

Platforms: macOS

Version: 1.1

Created: 17 October 2018

Last Modified: 30 March 2020

Associated Software Descriptions

Name	Description
OSX/MacDownloader	^[1].

Techniques Used

Domain	ID		Name	Use
Enterprise	T1555	.001	从密码存储中获取凭证: Keychain	iKitten collects the keychains on the system.^[1]
Enterprise	T1037	.004	启动或登录初始化脚本: RC Scripts	iKitten adds an entry to the rc.common file for persistence.^[1]
Enterprise	T1560	.001	归档收集数据: Archive via Utility	iKitten will zip up the /Library/Keychains directory before exfiltrating it.^[1]
Enterprise	T1016		系统网络配置发现	iKitten will look for the current IP address.^[1]
Enterprise	T1056	.002	输入捕获: GUI Input Capture	iKitten prompts the user for their credentials.^[1]
Enterprise	T1057		进程发现	iKitten lists the current processes running.^[1]
Enterprise	T1564	.001	隐藏伪装: Hidden Files and Directories	iKitten saves itself with a leading "." so that it's hidden from users by default.^[1]

References

Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.