ChillyHell macOS Backdoor

MITRE Techniques

• [T1082] System Information Discovery – ChillyHell collects user accounts, environment variables ($HOME, $PATH, $SHELL) and hardware UUID via functions like Utils::GetUsers() and other profiling routines (“…queries the local directory service to enumerate all user accounts…” translated quote in English)
• [T1057] Process Discovery – Uses proc_listpids() and parses process uid, pid and command-line arguments via Utils::ParsePSCommand to enumerate running processes (“…programmatically retrieve all active PIDs…capture uid, pid and command-line arguments for every process…” translated quote in English)
• [T1136] Create Account / T1543.003] Create or Modify System Process: Launch Daemon – Installs persistence as a LaunchDaemon writing /Library/LaunchDaemons/com.apple.qtop.plist and placing the binary at /usr/local/bin/qtop (“…writes a plist to /Library/LaunchDaemons/com.apple.qtop.plist and places a copy of the main binary at /usr/local/bin/qtop…” translated quote in English)
• [T1543.001] Create or Modify System Process: Launch Agent – Installs persistence as a LaunchAgent at ~/Library/LaunchAgents/com.apple.qtop.plist and drops binary at ~/Library/com.apple.qtop/qtop (“…writes a plist to ~/Library/LaunchAgents/com.apple.qtop.plist and drops its main binary at ~/Library/com.apple.qtop/qtop…” translated quote in English)
• [T1165] Masquerading – Uses an app bundle structure without legitimate AppleScript resources to disguise the executable (“…packaged as applet.app, it does not function as a legitimate macOS applet…omits any scripts…” translated quote in English)
• [T1070.006] Indicator Removal on Host: Timestomping – Updates file timestamps using _utime() or touch commands to backdate artifacts (“…replaces their associated timestamps to reduce suspicion…calls to _utime()…fallback using touch -c -a -t and touch -c -m -t…” translated quote in English)
• [T1105] Ingress Tool Transfer – ModuleLoader and ModuleUpdater download payloads from C2 (writes to /tmp/kworker or replaces binary) and execute them (“…downloads a payload…writes it to /tmp/kworker and then attempts to execute it…ModuleUpdater: downloads a new version…replaces the current binary and restarts itself…” translated quote in English)
• [T1021.002] Remote Services: SSH – Earlier related sample variants included an SSH server compiled in; ChillyHell supports backconnect shells via sockets and pty for interactive access (“…spawns a pseudo-terminal using forkpty() and relays input/output over the socket to maintain an interactive reverse shell…” translated quote in English)
• [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – Uses HTTP(S) transport (type 2) to query C2 for tasks via QueryHTTP() (“…Calls QueryHTTP() to fetch tasks from a remote server over standard HTTP(S)…” translated quote in English)
• [T1071.004] Application Layer Protocol: DNS – Uses DNS TXT queries to receive encoded task data via QueryTXTRecords() (“…Calls QueryTXTRecords() to retrieve encoded task data via DNS TXT record lookups…” translated quote in English)
• [T1110] Brute Force – ModuleSUBF downloads a brute-force tool (./kerberos) and wordlists to attempt password cracking against local user accounts, writing successes to good.txt (“…executes the downloaded ./kerberos binary…successful guesses are likely written…to a file named good.txt…” translated quote in English)