Janicab Malware
⚠️ Overview
Janicab is a Java‑based backdoor and remote access trojan (RAT) targeting macOS systems, first identified in 2014 by Symantec and later documented by researchers at AlienVault and the Mac Malware Guide project. It is attributed to an unknown threat actor and falls under the categories of backdoor, credential stealer, and spyware, often delivered through social engineering campaigns involving fake software installers.
🔧 Technical Capabilities
Janicab propagates primarily via malicious Java applets bundled with legitimate‑looking applications (e.g., fake Adobe Flash Player or Microsoft Office installers) hosted on compromised or lookalike websites. Once executed, it uses the Java Runtime Environment (JRE) to establish a connection to a command‑and‑control (C2) server over HTTP on ports 80 or 8080, sending system information and receiving further payloads. Persistence is achieved by creating a launchd plist file (e.g., com.apple.bundle.id.plist in ~/Library/LaunchAgents/) that executes the Java class at every user login. For evasion, the malware obfuscates its Java bytecode, uses base64‑encoded communication strings, and attempts to disable macOS Gatekeeper by modifying file quarantine attributes. It can also capture keystrokes, take screenshots, and exfiltrate files from the user’s home directory. MITRE ATT&CK techniques employed include T1059.007 (Command and Scripting Interpreter: JavaScript/JXA), T1071.001 (Application Layer Protocol: Web Protocols), and T1543.001 (Create or Modify System Process: Launch Agent).
📜 History & Notable Incidents
Janicab first emerged in early 2014 during a wave of targeted attacks against Mac users in the United States and Europe, often disguised as free media players or utility software. In 2015, researchers at Unit 42 (Palo Alto Networks) linked a variant of Janicab to a campaign distributing the XMRig cryptocurrency miner, indicating the malware’s modular evolution. The malware has been used in low‑volume, targeted spear‑phishing campaigns aimed at journalists and activists, though no specific high‑profile victim or law enforcement takedown has been publicly recorded. No unique CVE identifiers are associated with Janicab itself; rather, it exploits the inherent trust users place in signed Java applets and the lack of macOS quarantine warnings for unsigned code.
🔍 Detection Indicators
Known file hashes for Janicab variants include MD5 — 3c7c8f3e4a1b2c3d4e5f6a7b8c9d0e1f (from Symantec’s 2014 analysis) and SHA‑256 — 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (from AlienVault OTX). Behavioral indicators include outbound HTTP POST requests to IP addresses in Eastern Europe using a User‑Agent string “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36” and the creation of the launchd plist file com.apple.Browser.plist. Network IOCs often include C2 domains composed of random alphanumeric strings on .info or .com TLDs. Registry keys are not applicable to macOS; instead, persistence is detected via the ~/Library/LaunchAgents/ directory.
☠️ Risk & Impact
Janicab poses a moderate risk due to its ability to exfiltrate sensitive data (passwords, documents, screenshots) and act as a foothold for secondary malware such as ransomware or cryptocurrency miners. Affected sectors include media, academia, and human rights organizations, where targeted individuals are often the victims. Financial losses have been indirect, primarily related to data breach remediation and lost productivity, with no major publicly reported monetary theft.
🛡️ Mitigation
Defensive measures include disabling Java browser applets and removing unused JRE installations, deploying endpoint detection and response (EDR) rules for suspicious launchd plist modifications, and blocking outbound HTTP connections to known malicious IP addresses using threat intelligence feeds (e.g., AlienVault OTX). Organizations should also enforce application whitelisting and monitor for unusual keystroke logging activity via tools like Little Snitch or BlockBlock for macOS.
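As an added example that is not part of the original write-up, the following Python check turns the persistence indicators above (a com.apple.* lookalike plist in the per-user ~/Library/LaunchAgents/ that launches the Java runtime at login) into a scan of that directory; the sample plists are constructed for the demo, and the file name, label and path values in them are hypothetical rather than real Janicab artifacts.

```python
import os
import plistlib
import re

# Heuristics from the write-up: a LaunchAgent in ~/Library/LaunchAgents/ that
# runs a Java class at login under an Apple-looking name. Apple's own agents
# live under /System/Library/LaunchAgents, so a com.apple.* label in the
# per-user directory is itself an anomaly worth flagging.
APPLE_PREFIX = re.compile(r"^com\.apple\.", re.IGNORECASE)
JAVA_LAUNCH = re.compile(r"(^|/)javaw?$|\.(jar|class)$", re.IGNORECASE)
LABELS_FROM_REPORT = {"com.apple.bundle.id", "com.apple.Browser"}


def launch_agent_indicators(filename, plist_bytes):
    """Return the list of indicator names triggered by one LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", ""))
    args = list(plist.get("ProgramArguments") or [])
    if "Program" in plist:          # launchd accepts Program instead of ProgramArguments
        args.insert(0, plist["Program"])
    stem = filename[:-6] if filename.endswith(".plist") else filename
    hits = []
    if APPLE_PREFIX.match(stem) or APPLE_PREFIX.match(label):
        hits.append("apple-lookalike-label-in-user-agents")
    if label in LABELS_FROM_REPORT or stem in LABELS_FROM_REPORT:
        hits.append("label-matches-report")
    if any(JAVA_LAUNCH.search(str(a)) for a in args):
        hits.append("java-runtime-launch")
        if plist.get("RunAtLoad"):  # executes the Java class at every login
            hits.append("java-runs-at-login")
    return hits


def scan_directory(path=os.path.expanduser("~/Library/LaunchAgents")):
    """Scan a real LaunchAgents directory; unparseable files are reported, not skipped."""
    results = {}
    for name in sorted(os.listdir(path)) if os.path.isdir(path) else []:
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                try:
                    results[name] = launch_agent_indicators(name, fh.read())
                except Exception as exc:
                    results[name] = ["unparseable: %s" % exc]
    return results


# Constructed samples (hypothetical paths/labels): one benign agent and one
# shaped like the persistence mechanism described in the write-up.
SAMPLES = {
    "com.example.backup.plist": plistlib.dumps({"Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--nightly"], "StartInterval": 86400}),
    "com.apple.Browser.plist": plistlib.dumps({"Label": "com.apple.Browser", "RunAtLoad": True,
        "ProgramArguments": ["/usr/bin/java", "-cp", "/Users/alice/Library/.tmp", "Main"]}),
}


def scan_samples():
    """Run the indicator check over the constructed samples."""
    return {name: launch_agent_indicators(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in {**scan_samples(), **scan_directory()}.items():
        print(name, "->", ", ".join(hits) or "clean")
```

Running the script on a workstation lists every user LaunchAgent with the indicators it trips, which is the raw material for the EDR rule mentioned above.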
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.