Keydnap malware opens backdoor, goes after passwords in OS X keychain

ESET researchers have revealed the existence of another new piece of malware aimed at Mac machines and users: Keydnap.

Keydnap has the ability to steal passwords and keys stored in the victim’s OS X keychain, and to establish a permanent backdoor into the system, allowing the attacker to update the malware or uninstall it, download and execute files and Python scripts from a URL, and request administrator privileges the next time the user runs an application.

But Keydnap is unusual and fascinating for several reasons.

One: its keychain-stealing mechanism has been lifted from a proof-of-concept example hosted on GitHub. Two: the researchers still don’t know how it’s distributed, i.e. how the victims are exposed to it.

Three: the initial downloader cleverly bypasses multiple OS X security mechanisms.

“What we know is that a downloader component is distributed in a .zip file. The archive file contains a Mach-O executable file with an extension that looks benign, such as .txt or .jpg. However, the file extension actually contains a space character at the end, which means double-clicking the file in Finder will launch it in Terminal and not Preview or TextEdit,” researcher Marc-Etienne M. Léveillé explained.

“The ZIP also contains the Resource fork that contains the icon of the executable file. It mimics the icon Finder usually applies to JPEG or text files to increase the likelihood the recipient will double-click the file. Once started, a Terminal window opens and the malicious payload is executed.”
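The disguise described in the quotes above is mechanical enough to check for. As an added defensive example (not part of ESET's report or the malware itself), the following Python scan inspects a .zip archive and flags entries that combine a trailing space after a benign-looking extension, Mach-O magic bytes in the content, and an executable permission bit; the archive it runs on is a constructed in-memory sample.

```python
import io
import zipfile

# Mach-O magic numbers: 32- and 64-bit, both byte orders, plus the fat/universal
# header (0xcafebabe also begins Java class files, so treat that hit as weaker).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
# Extensions Finder would normally hand to Preview or TextEdit.
BENIGN_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".pdf", ".rtf"}


def suspicious_entries(zip_bytes):
    """Return [(entry_name, [reasons])] for entries resembling the Keydnap downloader."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            reasons = []
            # Trailing whitespace hides the real "extension" from Finder's handler lookup.
            if base != base.rstrip():
                reasons.append("trailing whitespace in filename")
            stem = base.rstrip().lower()
            ext = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
            head = zf.open(info).read(4)
            if head in MACHO_MAGICS:
                if ext in BENIGN_EXTS:
                    reasons.append("Mach-O content with benign extension " + ext)
                else:
                    reasons.append("Mach-O executable")
            # Unix mode lives in the high 16 bits of external_attr for Unix-created zips.
            if (info.external_attr >> 16) & 0o111:
                reasons.append("executable bit set")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample (hypothetical names): a fake Mach-O named like a JPEG with a trailing space."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("screenshot.jpg ")   # note the trailing space
        info.create_system = 3                        # Unix, so mode bits are honoured
        info.external_attr = 0o100755 << 16           # regular file, rwxr-xr-x
        zf.writestr(info, b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # 64-bit LE Mach-O magic
        zf.writestr("notes.txt", b"plain text, not flagged")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample_zip()):
        print(repr(name), "->", "; ".join(reasons))
```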

[Image: Keydnap downloader posing as JPG file]

Four: it’s unclear whether the victims are chosen at random or targeted. The downloader is disguised as an image or a text file, apparently containing things like interview questions, CVs, credit card dumps, and screenshots of botnet C&C panels.

ESET researchers posit that perhaps the targets are users of underground forums or security researchers.

It’s also unknown how many users have fallen victim to the malware.
