OSX.Keydnap
OSX.Keydnap is a Mac OS X-based Trojan horse that steals passwords from the iCloud Keychain[1] of the infected machine. It uses a dropper to establish a persistent backdoor while exploiting macOS vulnerabilities and security features such as Gatekeeper, the iCloud Keychain and the file-naming system. It was first detected in early July 2016 by ESET researchers, who also found it being distributed through a compromised version of the Transmission BitTorrent client.[2]
Technical details
Download and installation
Establishing the backdoor connection
Since the downloader is not persistent, the downloaded backdoor component spawns a process named "icloudsyncd" that runs at all times. It also adds an entry to the LaunchAgents directory so that it survives reboots. The icloudsyncd process communicates with a command-and-control server via an onion.to address, establishing the backdoor.[3]
It then attempts to capture passwords from the iCloud Keychain using the proof-of-concept tool Keychaindump,[4] and transmits them back to the server. Keychaindump reads securityd's memory and searches for the decryption key of the user's keychain, as described in "Keychain Analysis with Mac OS X Memory Forensics" by K. Lee and H. Koo.[5]
Gatekeeper signing workaround
macOS uses Gatekeeper to verify that an application is signed with a valid Apple Developer ID certificate, which prevents OSX.Keydnap from running. Further, even if the user has Gatekeeper turned off, they will see a warning that the file is an application downloaded from the Internet, giving them the option not to execute it. However, by packaging OSX.Keydnap with a legitimate signing key, as in the case of the compromised Transmission app, the malware successfully bypasses Gatekeeper protection.[2][3]
Detection and removal
Activating Gatekeeper is an easy way to prevent accidental installation of OSX.Keydnap. If the user's Mac has Gatekeeper activated, the malicious file will not be executed and a warning will be displayed to the user. This is because the malicious Mach-O file is unsigned, which automatically triggers a warning in Gatekeeper.[3] Users who have been infected through the compromised Transmission app or by disabling Gatekeeper are able to remove this malware infection with Spyware Doctor.[6]
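The two host-side indicators the article gives for the backdoor component, a persistent process named icloudsyncd and a LaunchAgents entry that restarts it after reboot, are enough for a simple hunt. The script below is an added example written for this page, not code from the article, from ESET or from Spyware Doctor: it parses the plists in a LaunchAgents directory, flags any agent whose executable is named like the backdoor process or runs from a user-writable path (that path heuristic is the example's own assumption), and matches the same process name in captured `ps` output. The agent labels, file paths and `ps` lines are constructed for the demonstration.

```python
"""Hunt for OSX.Keydnap-style persistence artefacts.

Added example (not code from the article or from ESET): it implements the two
host checks the text suggests, a LaunchAgent whose executable is named like the
"icloudsyncd" backdoor process or runs from a user-writable location, and a
running process with that name. All plist contents, paths and the ps-style
output below are constructed for the demonstration.
"""
import os
import plistlib
import tempfile
from typing import Dict, List

# Process name the article attributes to the Keydnap backdoor component.
KEYDNAP_PROCESS_NAME = "icloudsyncd"

# Heuristic (an assumption of this example): an agent whose binary lives under a
# home or temp directory is worth a look, since vendor agents usually run from
# /Applications, /Library or system paths.
USER_WRITABLE_PREFIXES = ("/Users/", "/private/tmp/", "/tmp/")


def agent_executable(agent: dict) -> str:
    """Return the path a launchd agent would execute, or '' if none is set."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def find_indicators(agent: dict) -> List[str]:
    """Return the reasons (possibly none) a parsed LaunchAgent looks suspicious."""
    reasons: List[str] = []
    exe = agent_executable(agent)
    if not exe:
        return reasons
    if KEYDNAP_PROCESS_NAME in os.path.basename(exe).lower():
        reasons.append(f"executable named like the Keydnap backdoor: {exe}")
    if exe.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"agent runs from a user-writable location: {exe}")
    return reasons


def scan_launch_agents(directory: str) -> Dict[str, List[str]]:
    """Parse every .plist in a LaunchAgents directory; return only the hits."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                agent = plistlib.load(fh)
            except plistlib.InvalidFileException:
                # An unparsable plist in LaunchAgents is itself worth reporting.
                findings[name] = ["plist could not be parsed"]
                continue
        reasons = find_indicators(agent)
        if reasons:
            findings[name] = reasons
    return findings


def find_backdoor_processes(ps_output: str) -> List[int]:
    """Return PIDs whose command name matches the backdoor process name.

    Expects lines in the shape produced by `ps -axo pid=,comm=`: a PID followed
    by the command path. Working on captured text keeps the check offline.
    """
    pids: List[int] = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        if os.path.basename(parts[1]).lower() == KEYDNAP_PROCESS_NAME:
            pids.append(int(parts[0]))
    return pids


# Constructed LaunchAgent contents: one benign vendor agent, one Keydnap-like.
BENIGN_AGENT = {
    "Label": "com.example.updater",  # hypothetical vendor label
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
}
SUSPICIOUS_AGENT = {
    "Label": "com.example.sync",  # constructed label
    "ProgramArguments": ["/Users/demo/Library/Application Support/sync/icloudsyncd"],
    "RunAtLoad": True,
    "KeepAlive": True,
}

# Constructed `ps -axo pid=,comm=` output.
SAMPLE_PS_OUTPUT = """\
    1 /sbin/launchd
  412 /usr/libexec/securityd
  987 /Users/demo/Library/Application Support/sync/icloudsyncd
"""


def demo() -> Dict[str, List[str]]:
    """Write the constructed agents to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, agent in (("benign.plist", BENIGN_AGENT),
                             ("suspicious.plist", SUSPICIOUS_AGENT)):
            with open(os.path.join(tmp, fname), "wb") as fh:
                plistlib.dump(agent, fh)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for plist, reasons in demo().items():
        print(plist, "->", "; ".join(reasons))
    print("backdoor PIDs:", find_backdoor_processes(SAMPLE_PS_OUTPUT))
```

On a real machine the same functions would be pointed at `~/Library/LaunchAgents` (and `/Library/LaunchAgents`) and fed the output of `ps -axo pid=,comm=`; a hit on the process name alone is strong, while the user-writable-path heuristic only narrows the list of agents to review by hand.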
References
- [1] Reed, Thomas (July 13, 2016). "Mac malware OSX.Keydnap steals keychain". Malwarebytes. https://blog.malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/.
- [2] ESET Research (August 30, 2016). "OSX/Keydnap spreads via signed Transmission application". ESET. http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/.
- [3] Léveillé, Marc-Etienne (July 6, 2016). "New OSX/Keydnap malware is hungry for credentials". ESET. http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/.
- [4] Salonen, Juuso (September 5, 2015). "A proof-of-concept tool for reading OS X keychain passwords". https://github.com/juuso/keychaindump.
- [5] Lee, Kyeongsik; Koo, Hyungjoon (July 1, 2012). "Keychain Analysis with Mac OS X Memory Forensics". https://forensic.n0fate.com/wp-content/uploads/2012/07/Keychain-Analysis-with-Mac-OS-X-Memory-Forensics.pdf.
- [6] Spyware Doctor macOS malware research (August 30, 2016). "Keydnap - Threat Details". iBoostUp. https://iboostup.com/spyware-doctor/research/infection/Trojan.Keydnap.
