WindTail

WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.[1][2][3]

ID: S0466
Type: MALWARE
Platforms: macOS
Version: 1.1
Created: 04 June 2020
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WindTail has the ability to use HTTP for C2 communications.[3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

WindTail has the ability to use the macOS built-in zip utility to archive files.[3]

Enterprise T1119 Automated Collection

WindTail can identify and add files that possess specific file extensions to an array for archiving.[3]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

WindTail can use the open command to execute an application.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

WindTail has the ability to decrypt strings using hard-coded AES keys.[2]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

WindTail has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl.[3]

Enterprise T1083 File and Directory Discovery

WindTail has the ability to enumerate the users home directory and the path to its own application bundle.[2][3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

WindTail can instruct the OS to execute an application without a dock icon or menu.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

WindTail has the ability to receive and execute a self-delete command.[3]

Enterprise T1036 Masquerading

WindTail has used icons mimicking MS Office files to mask payloads.[2]

.001 Invalid Code Signature

WindTail has been incompletely signed with revoked certificates.[2]

Enterprise T1106 Native API

WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.[3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

WindTail can be delivered as a compressed, encrypted, and encoded payload.[3]

Enterprise T1124 System Time Discovery

WindTail has the ability to generate the current date and time.[2]

Groups That Use This Software

ID Name References
G0112 Windshift

[1][2][3]

References