Security firm ESET says it analyses samples targeting macOS every day. These usually contain potentially unwanted applications that inject advertising into a browser session. But Keydnap is different – it steals the content of the macOS keychain (passwords) and maintains a permanent backdoor in the Mac. It communicates with a command and control server (C&C).
ESET says it has discovered how the ransomware was spread – via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on its official website. The file remained there for most of 28 and 29 August and ESET says anyone who downloaded Transmission v2.92 needs to check if they are infected.
Keydnap uses the same processes as KeRanger – in both cases, a malicious block of code is added to the main function of the Transmission application. And just like KeRanger, a legitimate code signing key was used to sign the malicious Transmission application bundle, and it is still signed by Apple and bypasses Gatekeeper protection.
Users should look for the presence of any of the following files or directories:
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- /Library/Application Support/com.apple.iCloud.sync.daemon/
Keydnap won’t go away – ESET says that over the past few days it has evolved quickly from Version 1.0 to 1.5 and will keep maturing. The most significant change is the presence of a standalone Tor client that enables it to reach its onion-routed C&C server without the need of a Tor2Web relay.