ATT&CK v14 has been released! Check out the blog post or release notes for more information.

iKitten

iKitten is a macOS exfiltration agent ^[1].

ID: S0278

ⓘ

Associated Software: OSX/MacDownloader

ⓘ

Type: MALWARE

ⓘ

Platforms: macOS

Version: 1.1

Created: 17 October 2018

Last Modified: 30 March 2020

Version Permalink

Live Version

Associated Software Descriptions

Name	Description
OSX/MacDownloader	^[1].

Techniques Used

Domain	ID		Name	Use
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	iKitten will zip up the /Library/Keychains directory before exfiltrating it.^[1]
Enterprise	T1037	.004	Boot or Logon Initialization Scripts: RC Scripts	iKitten adds an entry to the rc.common file for persistence.^[1]
Enterprise	T1555	.001	Credentials from Password Stores: Keychain	iKitten collects the keychains on the system.^[1]
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	iKitten saves itself with a leading "." so that it's hidden from users by default.^[1]
Enterprise	T1056	.002	Input Capture: GUI Input Capture	iKitten prompts the user for their credentials.^[1]
Enterprise	T1057		Process Discovery	iKitten lists the current processes running.^[1]
Enterprise	T1016		System Network Configuration Discovery	iKitten will look for the current IP address.^[1]

References

Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.