Jamf’s Threat Labs team has identified a new variant of the macOS malware family “ChillyHell”, which was previously only documented in limited specialist circles. The malware continues to operate with a valid Apple developer signature from 2021 and thus remained undetected by antivirus solutions for a long time.
The newly discovered ChillyHell variant is a C++ backdoor for Intel Macs that poses as a legitimate macOS applet while providing none of the functionality such an applet would offer. The malware family's modular design lets attackers load various malicious capabilities, from remote access to the injection of additional payloads and brute-force attacks on passwords.
To disguise itself, the new variant uses unusual techniques such as timestomping, the manipulation of file timestamps, which is rare among macOS malware. In addition, the malware switches dynamically between several command-and-control protocols, which makes it even harder to detect.
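The timestomping mentioned above can be spotted from the defender's side with a simple file-system heuristic. The following Python script is an added example, not Jamf's tooling or anything taken from the report: utimes()/touch can rewrite a file's access and modification times, but only the kernel sets the inode change time (ctime) and, on APFS, the birth time, so a modification time that lies well before the ctime or the birth time shows that the timestamp was rewritten after the content was written. The tolerance SLACK, the function names and the demo directory are assumptions of this example.

```python
"""Heuristic timestomping check (hypothetical example, not Jamf's code).

Idea: utime()/touch can set atime and mtime, but ctime (inode change time)
and, on macOS/BSD, st_birthtime are set by the kernel only. A file whose
mtime is far older than its ctime or its birth time has had its timestamp
rewritten (or its metadata changed) after the content was written.
"""
import os
import time
from dataclasses import dataclass, field

SLACK = 60.0  # assumed tolerance (seconds) for normal write/metadata ordering


@dataclass
class TimestompReport:
    path: str
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def classify_times(mtime: float, ctime: float, birthtime=None,
                   slack: float = SLACK) -> list:
    """Return indicator names for one set of timestamps (all Unix seconds)."""
    indicators = []
    if ctime - mtime > slack:
        # weak signal: also fires after chmod/chown or tar extraction
        indicators.append("mtime_precedes_ctime")
    if birthtime is not None and birthtime - mtime > slack:
        # strong signal: a file cannot be modified before it was created
        indicators.append("mtime_precedes_birthtime")
    return indicators


def check_file(path: str, slack: float = SLACK) -> TimestompReport:
    """Stat one file (without following symlinks) and classify its times."""
    st = os.stat(path, follow_symlinks=False)
    birth = getattr(st, "st_birthtime", None)  # macOS/BSD only
    return TimestompReport(path, classify_times(st.st_mtime, st.st_ctime,
                                                birth, slack))


def scan_tree(root: str, slack: float = SLACK) -> list:
    """Walk a directory tree and return reports for suspicious files only."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            try:
                rep = check_file(os.path.join(dirpath, name), slack)
            except OSError:
                continue  # unreadable or vanished file; skip it
            if rep.suspicious:
                hits.append(rep)
    return hits


def demo() -> tuple:
    """Constructed sample: two files in a temp dir, one backdated ten years
    via os.utime (what a touch -t style timestomp does). Returns
    (backdated_path, hits)."""
    import tempfile
    d = tempfile.mkdtemp(prefix="timestomp_demo_")
    clean = os.path.join(d, "clean.txt")
    stomped = os.path.join(d, "stomped.txt")
    for p in (clean, stomped):
        with open(p, "w") as fh:
            fh.write("sample content\n")
    ten_years_ago = time.time() - 10 * 365 * 86400
    os.utime(stomped, (ten_years_ago, ten_years_ago))  # rewrites atime/mtime only
    return stomped, scan_tree(d)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rep in scan_tree(root):
        print(rep.path, ",".join(rep.indicators))
```

The ctime check also fires on ordinary metadata changes (chmod, chown, archive extraction that preserves the archive's mtimes), so treat it as a triage signal to combine with code-signature and behavioral checks rather than as proof; the birth-time check is much stronger but is only available where os.stat exposes st_birthtime, which is the case on macOS.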
Origins with state-supported hackers
ChillyHell was first linked to the cyber group UNC4487, which targets Ukrainian government officials, in a confidential Mandiant report in 2023. Among other things, the attackers used the compromised website of a Ukrainian car insurance company, which government employees used for business trips, to distribute the related malware MATANBUCHUS.
The new ChillyHell variant and MATANBUCHUS are signed with the same Apple certificate, a clear indication that they share developers or that the malware authors cooperate closely.
Notarization as a security gap
The fact that the ChillyHell variant has had a valid Apple notarization for years makes it particularly dangerous. Apple’s Gatekeeper system and many security solutions automatically classify signed software as trustworthy. Jamf security expert Thomas Mueller comments: “This variant drastically demonstrates that an Apple signature is no guarantee for secure code.”
Protective measures for companies
IT administrators should rethink their security architecture and implement additional layers of protection that also analyze signed software for anomalous behavior. Jamf recommends increased network monitoring and regular behavioral analysis to identify certified malware.
(lb/jamf)