WindTail

WindTail is a malware developed and delivered by the WindShift APT group and mostly targets government agencies and companies in the Middle East. WindShift will infect a user with WindTail by using a spear phishing emails, either by attachment or linking to crafted webpage that will exploit a vulnerability in the system to install the malware. As described by Taha Karim research “The Trails of WINDSHIFT APT”, about WindShit APT group, such an attack will occur after 1-2 years of reconnaissance on a targeted user.

Source: Dark Matter

The malware samples are signed with a legitimate Apple Certificate and is thus able to bypass GateKeeper.

Source: CheckPoint

When executed, the malware adds itself as a LoginItem in order to persist on the system:

Source: Objective-See

In addition the malware will try to download and execute additional malware using the curl command.

Source: CheckPoint

Links:

analyzing WindShift’s implant: OSX.WindTail
IN THE TRAILS OF WINDSHIFT APT

Samples:
70a1c4ed3a09a44a41d54c4fd4b409a5fc3159f6

Share this: