Register to stream ATT&CKcon 2.0 October 29-30


Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [1]

ID: S0163
Platforms: macOS
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture Janicab captured audio and sent it out to a C2 server. [2] [1]
Enterprise T1116 Code Signing Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions. [1]
Enterprise T1168 Local Job Scheduling Janicab used a cron job for persistence on Mac devices. [1]
Enterprise T1113 Screen Capture Janicab captured screenshots and sent them out to a C2 server. [2] [1]