ChillyHell macOS Malware – Compromising Machines and Maintaining Persistence via Three Methods


ChillyHell, a previously undocumented macOS backdoor that slipped through Apple’s notarization process, was discovered by Jamf Threat Labs during a routine VirusTotal analysis.

Although first mentioned in a private 2023 Mandiant report linking it to UNC4487’s campaign against Ukrainian officials, this latest sample remains undetected by mainstream antivirus engines.

Significantly, the developer-signed payload passed Apple’s notarization in 2021 under TEAMID R868N47FV5 and maintained its trusted status until recently, exposing critical shortcomings in Apple’s notarization vetting.

ChillyHell masquerades as a legitimate applet bundle but omits any AppleScript companion in Contents/Resources/Scripts/, indicating that the bundle structure serves purely as camouflage.

The Mach-O x86_64 executable inside Contents/MacOS/applet initiates via a double-fork daemonization routine (OS::ForkyDaemon()), redirecting all standard I/O to /dev/null.

As a deception, it also opens a benign decoy URL (https://google.com) in the default browser to lull users into a false sense of security.

Advanced Reconnaissance Techniques

Upon execution, ChillyHell calls OS::StartupLogic(), performing extensive host profiling. It inventories local user accounts by running dscl -plist . -readall /Users RecordName UniqueID UserShell NFSHomeDirectory and captures environment variables ($HOME, $PATH, $SHELL).

Process enumeration follows via proc_listpids() and ps ax -o uid,pid,command to collect the UID, PID, and command line of each running process.

To confirm its execution context, the backdoor executes whoami and _getuid(), mapping the UID to a user record or reverting to the whoami output if mapping fails. This detailed reconnaissance enables tailored tasking and privilege-aware persistence.

To evade detection, ChillyHell employs timestomping: it first attempts to call _utime() on created artifacts; if lacking permission, it shells out touch -c -a -t and touch -c -m -t using backdated timestamps.

On APFS volumes, this often results in modified birth timestamps, while the “change” timestamp reflects the manipulation time, complicating forensic timelines.

Robust Persistence Strategies

ChillyHell ensures long-term control through three distinct persistence mechanisms. In unprivileged contexts, StartupInstall::Install() writes a LaunchAgent plist at ~/Library/LaunchAgents/com.apple.qtop.plist and installs its binary to ~/Library/com.apple.qtop/qtop.

With elevated privileges, StartupInstall::ReplaceInstallWithElevatedRights() creates or replaces a LaunchDaemon plist at /Library/LaunchDaemons/com.apple.qtop.plist and deploys the binary to /usr/local/bin/qtop for boot-time execution.

As a fallback, StartupInstall::InstallToShell() injects a launch command into the user’s shell profile (.zshrc, .bash_profile, or .profile) via StartupInstall::InsertLineToShellRCIfNotExist(), ensuring execution on each new terminal session.
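As an added defender-side example (not code from Jamf’s write-up or from the malware), the following Python hunt checks a volume for the three persistence artifacts described above: the LaunchDaemon plist and /usr/local/bin/qtop, the per-user LaunchAgent plist and dropped binary, and a launch line inserted into .zshrc, .bash_profile or .profile. The file names are the ones given in the article; the sample directory tree that demo() builds is constructed for illustration, and the regex used to spot the shell-profile line is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Persistence locations named in the article, relative to a root directory so the
# hunt can run against the live volume ("/") or a mounted forensic image.
SYSTEM_ARTIFACTS = ["Library/LaunchDaemons/com.apple.qtop.plist", "usr/local/bin/qtop"]
USER_ARTIFACTS = ["Library/LaunchAgents/com.apple.qtop.plist", "Library/com.apple.qtop/qtop"]
SHELL_RC_FILES = [".zshrc", ".bash_profile", ".profile"]
# Assumption: the line InsertLineToShellRCIfNotExist() adds references the dropped "qtop" binary.
QTOP_LINE = re.compile(r"\bqtop\b")


def hunt(root):
    """Return (kind, path) findings for ChillyHell persistence artifacts under root."""
    root = Path(root)
    findings = []
    for rel in SYSTEM_ARTIFACTS:
        if (root / rel).exists():
            findings.append(("system_persistence", str(root / rel)))
    users = root / "Users"
    for home in (users.iterdir() if users.is_dir() else []):
        for rel in USER_ARTIFACTS:
            if (home / rel).exists():
                findings.append(("user_persistence", str(home / rel)))
        for rc in SHELL_RC_FILES:
            rc_path = home / rc
            if not rc_path.is_file():
                continue
            for lineno, line in enumerate(rc_path.read_text(errors="replace").splitlines(), 1):
                # Skip commented-out lines; flag any live reference to the dropped binary.
                if QTOP_LINE.search(line) and not line.lstrip().startswith("#"):
                    findings.append(("shell_rc_injection", f"{rc_path}:{lineno}"))
    return findings


def build_demo_tree(base):
    """Constructed sample: one user with LaunchAgent + rc-file persistence, one clean user."""
    home = Path(base) / "Users" / "alice"
    (home / "Library" / "LaunchAgents").mkdir(parents=True)
    (home / "Library" / "LaunchAgents" / "com.apple.qtop.plist").write_text("<plist/>")
    (home / ".zshrc").write_text("export PATH=$PATH:/opt/bin\n/Users/alice/Library/com.apple.qtop/qtop &\n")
    clean = Path(base) / "Users" / "bob"
    clean.mkdir(parents=True)
    (clean / ".zshrc").write_text("alias ll='ls -la'\n")


def demo():
    """Build the constructed tree in a temp dir and return the sorted finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sorted(kind for kind, _ in hunt(tmp))
```

On a live Mac, hunt("/") walks the real /Users tree; an empty result only means these specific file names are absent, not that the host is clean.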

After persistence, TransportInit() establishes C2 communication by waiting for network reachability to 8.8.8.8 using Apple’s System Configuration framework, then populates a list of two hardcoded gate servers (93[.]88.75.252 and 148[.]72.172.53) on ports 53, 80, 1001, and 8080, supporting both DNS TXT and HTTP transports.

Within mainCycle(), tasks::getTasks() constructs DNS queries embedding OS identifier, group label “shadmins,” hardware UUID, and version markers, then parses responses for “TASK:” payloads.

ChillyHell deduplicates with Utils::pidExists(), dynamically instantiates modules (ModuleBackconnectShell, ModuleUpdater, ModuleLoader, ModuleSUBF), and sleeps a randomized 60–120 seconds between polling cycles.

ModuleSUBF conducts local Kerberos-focused password brute-forcing by parsing /etc/passwd, downloading a “kerberos” tool and wordlist, launching cracking processes per username, parsing good.txt for successful credentials, and cleaning up completed processes.

ChillyHell’s ability to persist under multiple contexts and maintain undetected operation despite notarization underscores the need for runtime behavioral monitoring alongside static code-signing checks.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
