This article is more than 1 year old

⌘+c malware smacks Macs, drains keychains, pours over Tor

Targets those who tone down Mac security

More malware capable of pilfering Mac keychain passwords and shipping them over Tor has been turned up, less than a day after a similar rare trojan was disclosed.

Dubbed Keydnap, the malware is delivered as a compressed Mach-O file with a txt or jpg extension, with a hidden space character which causes it to launch in terminal.

The good news: Keydnap isn't exploiting OS X-level bugs, and default Macs are protected by security settings that prevent programs running from unknown developers.

Users who adjust their program installation settings, however, could find their machines compromised by a persistent backdoor dubbed icloudsyncd and the keychain password stealer.

Eset researcher Marc-Eteinne M.Leveille (@marc_etienne_) says in analysis the malware author ripped the keychain functionality from a Github proof-of-concept that software developer Juuso Salonen crafted in 2012.

"[Keydnap] is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X’s keychain," M.Leveille says.

"The author simply took a proof-of-concept [that] … reads securityd’s memory and searches for the decryption key for the user’s keychain. "

It deploys a textbook malware trick and throws a decoy document or image file according to the chosen extension ruse.

Some of those decoys are screenshots of botnet and command and control panels indicating that it may be targeted security crime researchers or rival criminals, both of who would be ordinarily interested in the decoys.

The use of build types in file names such as ccshop add to this theory.

M.Leveille does not know how many victims the malware has claimed nor the method of delivery, be it phishing or drive-by-download.

"There are a few missing pieces to this puzzle; we do not know at this point how Keydnap is distributed, nor do we know how many victims there are out there," he says.

It comes as Bitdefender technical leader Tiberius Axinte yesterday revealed malware capable of hijacking Macs which masquerades as an app dubbed EasyDoc Converter.

That malware also used Tor for data exfiltration and malware command and control. ®

More about


Send us news

Other stories you might like