⌘+c malware smacks Macs, drains keychains, pours over Tor

Targets those who tone down Mac security

More malware capable of pilfering Mac keychain passwords and shipping them over Tor has been turned up, less than a day after a similar rare trojan was disclosed.

Dubbed Keydnap, the malware is delivered as a compressed Mach-O file with a txt or jpg extension, with a hidden space character which causes it to launch in terminal.

The good news: Keydnap isn't exploiting OS X-level bugs, and default Macs are protected by security settings that prevent programs running from unknown developers.

Users who adjust their program installation settings, however, could find their machines compromised by a persistent backdoor dubbed icloudsyncd and the keychain password stealer.

Eset researcher Marc-Eteinne M.Leveille (@marc_etienne_) says in analysis the malware author ripped the keychain functionality from a Github proof-of-concept that software developer Juuso Salonen crafted in 2012.

"[Keydnap] is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X’s keychain," M.Leveille says.

"The author simply took a proof-of-concept [that] … reads securityd’s memory and searches for the decryption key for the user’s keychain. "

It deploys a textbook malware trick and throws a decoy document or image file according to the chosen extension ruse.

Some of those decoys are screenshots of botnet and command and control panels indicating that it may be targeted security crime researchers or rival criminals, both of who would be ordinarily interested in the decoys.

The use of build types in file names such as ccshop add to this theory.

M.Leveille does not know how many victims the malware has claimed nor the method of delivery, be it phishing or drive-by-download.

"There are a few missing pieces to this puzzle; we do not know at this point how Keydnap is distributed, nor do we know how many victims there are out there," he says.

It comes as Bitdefender technical leader Tiberius Axinte yesterday revealed malware capable of hijacking Macs which masquerades as an app dubbed EasyDoc Converter.

That malware also used Tor for data exfiltration and malware command and control. ®

Broader topics

Other stories you might like

  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022