{
	"id": "3ef160f2-da92-4ff3-94c9-d812ed77fd4f",
	"created_at": "2026-04-06T00:09:00.570516Z",
	"updated_at": "2026-04-10T03:24:29.09902Z",
	"deleted_at": null,
	"sha1_hash": "35218a707e2b5162679179473d6dc043b3d6b8e1",
	"title": "The Safe Mac » New signed malware called Janicab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161825,
	"plain_text": "The Safe Mac » New signed malware called Janicab\r\nArchived: 2026-04-05 16:00:00 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20230331162455/https://www.thesafemac.com/new-signed-malware-called-janicab/\r\nPublished July 15th, 2013 at 2:27 PM EDT , modified July 16th, 2013 at 8:11 PM EDT\r\nF-Secure announced the discovery today of a new trojan, which they have named Janicab. This malware makes\r\nuse of a familiar old trick – disguising an application as a document to trick the user into opening it – but applies a\r\ncouple newer twists. At this time, the built in defenses in Mac OS X will allow this trojan to run without much in\r\nthe way of warnings, so users are advised to be on their guard.\r\nThe first new twist that makes this malware unique in the Mac world is the use of a right-to-left override (RLO)\r\ncharacter in the name. What this character does is tell the system that the characters that follow should be\r\ndisplayed right-to-left, instead of left-to-right as is standard for the English language. Otherwise, the character is\r\ninvisible.\r\nSo why does this matter? Because it allows the hacker to hide the fact that the document is actually an application!\r\nThe file is named “RecentNews.?fdp.app”, where the ‘?’ indicates the presence of the RLO character. This means\r\nthat the Finder will want to display the name as “RecentNews.ppa.pdf”. In addition, the hackers used the old trick\r\nof marking the extension as being hidden, and the system knows the extension is “.app” regardless of how the\r\nFinder wants to display the name. Therefore, the name is actually displayed as “RecentNews.pdf”. This, plus the\r\nAdobe Acrobat icon given to the application, makes the app look like an innocent PDF file.\r\n(As an interesting side note, I have observed that if I place the file on my desktop, the name gets wrapped in the\r\nmiddle of the “extension” based on my settings. 
When wrapped like this, the file’s name displays as “RecentNews.fdp”. Perhaps a text encoding expert could explain that one… it seems a bit like voodoo to me! 🙂 )\r\nThe second new twist, previously exhibited only by the recent KitM (aka Hackback) malware, is that the app is signed with a developer certificate. Gatekeeper’s default setting allows apps from identified developers, so the system will let it run unimpeded, as long as you approve it on the first run. Although that is a fairly serious issue in principle, a victim who is paying attention will notice something strange is going on, as most of the text in the warning will be backwards! The warning dialog quotes the file name, and because the RLO in that name is never terminated, it reverses everything in the dialog that follows it. Still, a lot of people are in the habit of just clicking whatever they need to click to make something work without reading the details of what they are agreeing to. So it is easily conceivable that someone would click the Open button without ever noticing the discrepancy.\r\nWhen run, the trojan opens a decoy document to avoid causing further suspicion. The astute observer will notice that the Acrobat icon remains in the Dock while a second PDF reader (Preview for most people) opens to show the document, which should tip off the user that something is not right. Again, though, many people are not paying that close attention, or may not understand the implications. In the meantime, while the document is loading, the app does its other nasty work and then quits.\r\nAccording to F-Secure’s post, the app installs a number of components in an invisible folder in the user’s home folder (named “.t”, where the initial period tells the system to hide the folder) and creates a cron job to keep those components running. Presumably it uses cron because that is older technology that has largely been superseded by launchd on Mac OS X.
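To make the file-name trick concrete, here is a short Python script, added to this article as an example (it is not code from the original post or from F-Secure), that reports what a user sees for a name containing a right-to-left override and what extension the system actually acts on. Its rendering is a deliberate simplification: it reverses the overridden run of plain ASCII characters, which is what happens to a name like Janicab’s, rather than implementing the full Unicode bidirectional algorithm, and the hidden-extension attribute is simulated with a parameter because the script does not read Finder metadata. It also flags the older double-extension trick the article mentions. The sample names are constructed; the only real one is the disguised name as the article describes it.

```python
import os
from typing import List, Tuple

# Unicode bidirectional control characters. Any of these in a file name is
# suspicious; U+202E (RIGHT-TO-LEFT OVERRIDE) is the one Janicab used.
RLO = chr(0x202E)
PDF = chr(0x202C)  # POP DIRECTIONAL FORMATTING ends an override run
BIDI_CONTROLS = {chr(c) for c in (0x200E, 0x200F, 0x202A, 0x202B, 0x202C,
                                  0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069)}
# Document extensions an attacker would hide an .app behind (assumed list).
DOC_EXTS = {'pdf', 'doc', 'docx', 'rtf', 'txt', 'jpg', 'png'}


def rendered(name: str) -> str:
    '''Approximate how a left-to-right UI draws NAME.
    Simplification: a run starting at U+202E and ending at U+202C (or the end
    of the string) is drawn reversed; other control characters are dropped.'''
    out: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            run: List[str] = []
            while j < len(name) and name[j] != PDF:
                if name[j] not in BIDI_CONTROLS:
                    run.append(name[j])
                j += 1
            out.extend(reversed(run))
            i = j + 1  # skip the terminating PDF, or step past the end
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return ''.join(out)


def true_extension(name: str) -> str:
    '''The extension the system acts on: text after the last dot, controls removed.'''
    clean = ''.join(c for c in name if c not in BIDI_CONTROLS)
    base, dot, ext = clean.rpartition('.')
    return ext.lower() if dot and base else ''


def displayed_name(name: str, extension_hidden: bool) -> str:
    '''What the user sees. With the hidden-extension attribute set, the Finder
    drops the real extension before drawing, so the override run then ends at
    the decoy extension instead of at .app.'''
    shown = name
    if extension_hidden:
        ext = true_extension(name)
        if ext and shown.lower().endswith('.' + ext):
            shown = shown[: -(len(ext) + 1)]
    return rendered(shown)


def analyze(name: str) -> Tuple[str, str, bool]:
    '''Return (what the UI shows, real extension, suspicious?). Suspicious means
    a bidi control is present, or an .app whose stem ends in a document
    extension (the double-extension trick, e.g. Invoice.pdf.app).'''
    clean = ''.join(c for c in name if c not in BIDI_CONTROLS)
    real = true_extension(name)
    stem = clean[: -(len(real) + 1)] if real else clean
    decoy = stem.rpartition('.')[2].lower() if '.' in stem else ''
    has_control = any(c in BIDI_CONTROLS for c in name)
    suspicious = has_control or (real == 'app' and decoy in DOC_EXTS)
    return rendered(name), real, suspicious


def scan(names: List[str]) -> List[Tuple[str, str, str]]:
    '''Flag suspicious names; returns (escaped raw name, shown name, real ext).
    The raw name is escaped with ascii() so the control character is visible.'''
    hits = []
    for n in names:
        seen, real, bad = analyze(n)
        if bad:
            hits.append((ascii(n), seen, real))
    return hits


def scan_directory(path: str) -> List[Tuple[str, str, str]]:
    '''Walk PATH (e.g. ~/Downloads) and flag suspicious files and bundles.'''
    names: List[str] = []
    for root, dirs, files in os.walk(os.path.expanduser(path)):
        names.extend(dirs + files)
    return scan(names)


# Constructed sample: the disguised name as the article describes it, plus clean files.
JANICAB_NAME = 'RecentNews.' + RLO + 'fdp.app'
SAMPLE_NAMES = [JANICAB_NAME, 'Quarterly.pdf', 'notes.txt']

if __name__ == '__main__':
    for raw, seen, real in scan(SAMPLE_NAMES):
        print(raw, '-> shown as', seen, '| real extension:', real)
    print('with the extension hidden:', displayed_name(JANICAB_NAME, True))
```

Run it as is to see the constructed sample, or call scan_directory on a folder such as ~/Downloads to list any file or bundle there whose name carries a bidirectional control character or hides an .app behind a document extension.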
Because other malware has used launchd recently, many users may already be aware of how to check for rogue launch agents and launch daemons, but because of its relative obscurity today, most will probably not know how to check for or disable a cron job.\r\nOnce installed, this malware locates its command \u0026 control server by searching a few specific places for specific text that contains an IP address. After contacting the C\u0026C server, it begins taking screenshots and recording audio, uploading them to the server and polling the server for other commands to run.\r\nAt this time, Janicab is not detected by most anti-virus software, and it slips right past the built-in defenses of Mac OS X in the hands of an unobservant or unsavvy user. This makes it very dangerous. Further, seeing another piece of malware using a signed app is troubling, as it may indicate that Gatekeeper will not offer as much security as had been hoped for. Gatekeeper only checks that the signature comes from a valid developer certificate, not that the developer is trustworthy, so its protection against a signed trojan depends on Apple revoking the certificate once the abuse is noticed.\r\nRemoval should be fairly easy. However, you need to take great care. Be sure you have up-to-date backups of all your data, then read the instructions below carefully and follow them precisely!\r\nThe following command should be copied and pasted into the Terminal (which is found in the Utilities folder in the Applications folder). Do not try to re-type this command! A typo as simple as a space added in the wrong place could have disastrous consequences. Also, note that this will remove all of the current user’s cron jobs. A user account has none by default in Mountain Lion (Mac OS X 10.8), but much earlier versions of Mac OS X may differ (though I do not know yet which versions of Mac OS X this malware is capable of infecting), and of course if you have created your own cron jobs, this will remove them too, so list and save them first if you want to restore them afterwards.\r\ncrontab -r;rm -rf ~/.t\r\nOnce you have run this command, log out to ensure that all the malicious processes still loaded into memory are terminated.
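The command above is the blunt version: crontab -r drops every job the user has. A more selective approach, added here as an example and not part of the original article, is to print the current table with crontab -l, remove only the entries that point into the hidden .t folder, install the rest back (crontab accepts a new table from a file, or from standard input when given - as its argument), and look inside ~/.t before deleting it. The Python script below does the filtering and the listing without touching the crontab or the folder itself. The sample table is constructed for the example, and the file names it shows under .t are placeholders, not the names of Janicab’s real components, which the article does not give.

```python
import os
import sys
from typing import List, Tuple

# The one persistence indicator the article gives for Janicab is a hidden
# folder named .t in the user's home directory, so that is what the filter
# looks for in the command part of each crontab entry.
HIDDEN_DIR = '.t'
# Quote and punctuation characters stripped from a token before treating it as a path.
WRAPPERS = chr(39) + chr(34) + '();'


def references_hidden_dir(command: str, hidden: str = HIDDEN_DIR) -> bool:
    '''True if any path-like token in COMMAND points at ~/<hidden> or below.
    Matches /Users/x/.t/foo, ~/.t and $HOME/.t; does not match /Users/x/.txt.'''
    inside = '/' + hidden + '/'
    end = '/' + hidden
    for token in command.split():
        tok = token.strip(WRAPPERS)
        if inside in tok or tok.endswith(end):
            return True
    return False


def split_entry(line: str) -> Tuple[str, str]:
    '''Split a crontab line into (schedule, command). Blank lines, comments
    and NAME=value settings have no command part.'''
    stripped = line.strip()
    if not stripped or stripped.startswith('#') or '=' in stripped.split()[0]:
        return stripped, ''
    nfields = 1 if stripped.startswith('@') else 5  # @reboot etc. vs m h dom mon dow
    parts = stripped.split(None, nfields)
    if len(parts) <= nfields:
        return stripped, ''
    return ' '.join(parts[:nfields]), parts[nfields]


def filter_crontab(text: str) -> Tuple[List[str], List[str]]:
    '''Return (lines to keep, lines removed) for the output of crontab -l.'''
    keep: List[str] = []
    removed: List[str] = []
    for line in text.splitlines():
        _, command = split_entry(line)
        if command and references_hidden_dir(command):
            removed.append(line)
        else:
            keep.append(line)
    return keep, removed


def hidden_dir_listing(home: str = '~') -> List[str]:
    '''Contents of <home>/.t, so you can see what is there before rm -rf.
    Returns an empty list if the folder does not exist. Deletes nothing.'''
    path = os.path.join(os.path.expanduser(home), HIDDEN_DIR)
    if not os.path.isdir(path):
        return []
    return sorted(os.listdir(path))


# Constructed sample of what crontab -l might print on an infected account.
# The paths under .t are placeholders, not Janicab's real component names.
SAMPLE_CRONTAB = '''# nightly backup: the user's own job, which crontab -r would also destroy
0 3 * * * /usr/bin/rsync -a ~/Documents /Volumes/Backup/
MAILTO=me@example.com
* * * * * /usr/bin/python /Users/victim/.t/component.py
@reboot cd $HOME/.t && ./launcher
*/5 * * * * /Users/victim/.t/check.py
'''

if __name__ == '__main__':
    # Usage: crontab -l | python3 janicab_cron.py > clean.cron
    # then review clean.cron and install it with: crontab clean.cron
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    keep, removed = filter_crontab(source)
    for line in removed:
        print('removed:', line, file=sys.stderr)
    for line in keep:
        print(line)
    print('contents of ~/.t:', hidden_dir_listing() or 'not present', file=sys.stderr)
```

Pipe the output of crontab -l into the script, check what it reports as removed on standard error, and only then install the filtered table; with no input on standard input it runs against the constructed sample.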
When you log back in, the malware should be gone.\r\nUpdates\r\nJuly 16, 2013: It looks like the developer certificate used to sign this trojan has already been revoked. I just tested it, and trying to open the app now results in only two choices: cancel or move it to the trash.\r\nTags: Gatekeeper, Janicab, Mac OS X, malware, trojan\r\nSource: https://web.archive.org/web/20230331162455/https://www.thesafemac.com/new-signed-malware-called-janicab/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20230331162455/https://www.thesafemac.com/new-signed-malware-called-janicab/"
	],
	"report_names": [
		"new-signed-malware-called-janicab"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35218a707e2b5162679179473d6dc043b3d6b8e1.pdf",
		"text": "https://archive.orkl.eu/35218a707e2b5162679179473d6dc043b3d6b8e1.txt",
		"img": "https://archive.orkl.eu/35218a707e2b5162679179473d6dc043b3d6b8e1.jpg"
	}
}