
macOS also contains backdoors: how the ‘ChillyHell’ malware works


The ChillyHell malware is an old acquaintance. Even so, the sample first documented by Mandiant in 2023 has continued to fly under the radar. A new report from Jamf Threat Labs aims to change that.

The Jamf report delves deep into the malware and the threat actor behind it, which we will continue to refer to as ‘ChillyHell’ for convenience. That is the name Mandiant chose; the actor is also tracked as UNC4487 and the malware as MATANBUCHUS.

Not a real applet

ChillyHell is not a real applet, i.e., a macOS script packaged to behave like an executable. It only looks like one, thanks to its applet.app naming. Once it has established a command & control (C2) connection to keep itself alive, ChillyHell starts collecting data, beginning with a superficial profiling of the host it has landed on. The malware then installs itself as a LaunchAgent or LaunchDaemon; if that fails, it falls back to a hook that runs whenever a terminal is opened.

ChillyHell is difficult to detect because it removes artifacts that would otherwise reveal its presence. Its malicious activity also stays largely hidden: the malware sleeps for random intervals and communicates over several different protocols. “ChillyHell is remarkably flexible,” according to the Jamf researchers. It is modular, can brute-force passwords, and cleans up evidence of its own existence.


Indicators of Compromise

Fortunately, there are Indicators of Compromise that organizations running macOS can check for. Jamf’s research team compiled them with the help of Google Threat Intelligence and Apple; according to Jamf, Apple acted quickly to assist.

The indicators, in plain text: 40-hex-character (SHA-1) digests of the archives and the binaries inside the app bundles, the signing Team IDs, the C2 IP addresses (de-fanged with [.]), and the on-disk persistence paths. The hashes and paths are checked against the filesystem and the launchd directories; the IPs against network, DNS or firewall logs. Note that the applet.app bundle was notarized, so a valid notarization ticket alone is not a clean bill of health here.

ARCHIVE/APP:

d83216abbcb331aa1bfa12a69996ca12cc5c6289 (applet.zip)
6a144aa70128ddb6be28b39f0c1c3c57d3bf2438 (applet.app/Contents/MacOS/applet)
TEAMID: R868N47FV5 (Notarized App Bundle)

IP:

93[.]88.75.252
148[.]72.172.53

PATH:

/Users//Library/LaunchAgents/com.apple.qtop.plist
/Users//Library/com.apple.qtop/qtop

/Library/LaunchDaemons/com.apple.qtop.plist
/usr/local/bin/qtop

/tmp/kworker

MANDIANT DISCOVERED ARCHIVE/APP:

e2037eac2a8ec617a76c15067856580c8b926b37 (eDrawMaxBeta2023.zip)
c52e03b9a9625023a255f051f179143c4c5e5636 (eDrawMaxBeta2023.app/Contents/MacOS/eDrawMaxBeta)
TEAMID: F645668Q3H (Notarized App Bundle)

785eb7488b4b077d31b05a9405c8025e38c1626f (chrome_render.zip)
87dcb891aa324dcb0f4f406deebb1098b8838b96 (chrome_render.app/Contents/MacOS/chrome_render)
TEAMID: R868N47FV5 (Non-Notarized App Bundle)
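The following is an added example of how a practitioner might turn the list above into an offline check; it is not code from Jamf, Mandiant or the article. It re-fangs the IPs, hashes candidate files with SHA-1, looks for the persistence paths relative to a root directory, parses LaunchAgent/LaunchDaemon plists for the com.apple.qtop label, and scans log lines for the C2 addresses. The user segment of the /Users/ paths is elided in the article; the checker assumes it stands for any home directory. The directory tree and log lines it scans are constructed in a temporary directory so the script runs anywhere; on a real Mac you would call scan_tree("/") and feed it your own network or firewall logs.

```python
import hashlib
import os
import plistlib
import re
import tempfile

# Indicators copied from the article (SHA-1 digests, de-fanged IPs, paths).
IOC_SHA1 = {
    "d83216abbcb331aa1bfa12a69996ca12cc5c6289",  # applet.zip
    "6a144aa70128ddb6be28b39f0c1c3c57d3bf2438",  # applet.app/Contents/MacOS/applet
    "e2037eac2a8ec617a76c15067856580c8b926b37",  # eDrawMaxBeta2023.zip
    "c52e03b9a9625023a255f051f179143c4c5e5636",  # eDrawMaxBeta2023.app/.../eDrawMaxBeta
    "785eb7488b4b077d31b05a9405c8025e38c1626f",  # chrome_render.zip
    "87dcb891aa324dcb0f4f406deebb1098b8838b96",  # chrome_render.app/.../chrome_render
}
IOC_IPS_DEFANGED = ["93[.]88.75.252", "148[.]72.172.53"]
# Paths relative to the filesystem root. The article elides the username;
# <user> is our assumption that any home directory under /Users qualifies.
IOC_PATHS = [
    "Users/<user>/Library/LaunchAgents/com.apple.qtop.plist",
    "Users/<user>/Library/com.apple.qtop/qtop",
    "Library/LaunchDaemons/com.apple.qtop.plist",
    "usr/local/bin/qtop",
    "tmp/kworker",
]
IOC_LABEL = "com.apple.qtop"
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ip):
    """Turn the article's de-fanged notation back into a routable address."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def expand_paths(root):
    """Yield absolute candidate paths, expanding <user> to every home under root/Users."""
    users_dir = os.path.join(root, "Users")
    homes = sorted(os.listdir(users_dir)) if os.path.isdir(users_dir) else []
    for rel in IOC_PATHS:
        if "<user>" in rel:
            for home in homes:
                yield os.path.join(root, rel.replace("<user>", home))
        else:
            yield os.path.join(root, rel)


def plist_references_qtop(plist_path):
    """True if a launchd plist carries the malware's label or launches a qtop binary."""
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except Exception:
        return False
    programs = [str(data.get("Program", ""))]
    programs += [str(a) for a in data.get("ProgramArguments", [])]
    return str(data.get("Label", "")) == IOC_LABEL or any(p.endswith("/qtop") for p in programs)


def scan_tree(root):
    """Return {'paths': [...], 'hashes': [...], 'plists': [...]} of hits under root."""
    hits = {"paths": [], "hashes": [], "plists": []}
    for path in expand_paths(root):
        if not os.path.exists(path):
            continue
        hits["paths"].append(path)  # a known persistence path exists at all
        if os.path.isfile(path) and sha1_of(path) in IOC_SHA1:
            hits["hashes"].append(path)  # and its content is a known sample
        if path.endswith(".plist") and plist_references_qtop(path):
            hits["plists"].append(path)  # and launchd would run it
    return hits


def scan_log_lines(lines):
    """Return (line_number, ip) for every log line that mentions a C2 address."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IP_RE.findall(line) if ip in IOC_IPS]


def build_demo_tree():
    """Constructed fixture: a fake infected home directory, not a real sample."""
    root = tempfile.mkdtemp(prefix="chillyhell_demo_")
    agents = os.path.join(root, "Users", "alice", "Library", "LaunchAgents")
    payload_dir = os.path.join(root, "Users", "alice", "Library", "com.apple.qtop")
    os.makedirs(agents)
    os.makedirs(payload_dir)
    with open(os.path.join(agents, "com.apple.qtop.plist"), "wb") as f:
        plistlib.dump({"Label": IOC_LABEL, "RunAtLoad": True,
                       "ProgramArguments": [os.path.join(payload_dir, "qtop")]}, f)
    with open(os.path.join(payload_dir, "qtop"), "wb") as f:
        f.write(b"placeholder, not the real binary")  # hash will not match the IOC list
    return root


# Constructed log lines (not real telemetry): one C2 contact, one benign connection.
DEMO_LOG = [
    "2025-09-12 10:01:02 qtop[4242]: connect 93.88.75.252:443",
    "2025-09-12 10:01:03 Safari[311]: connect 17.253.144.10:443",
]

if __name__ == "__main__":
    print(scan_tree(build_demo_tree()))
    print(scan_log_lines(DEMO_LOG))
```

The three result buckets are deliberately separate: a path hit on its own is worth a look, a plist hit means launchd will actually execute the payload, and only a hash hit proves the file is one of the published samples (the actor can recompile, so an empty hash list does not clear the host).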