Keydnap malware goes after your Mac password treasure trove

A new breed of Mac malware not only targets your passwords, but also plants a persistent backdoor on your Mac.


Researchers have revealed a new strain of Mac malware, discovered in the wild, that burrows into Macs with the aim of stealing your passwords.

According to ESET researchers, the malware, dubbed Keydnap, focuses on stealing the content of Apple OS X keychains and installs a permanent backdoor into a victim's system.

The malware has several unusual features. It arrives inside a .zip file containing an executable disguised as an innocent .txt or .jpg file. The file extension, however, is followed by a space character, so when the file is double-clicked it is opened by the Terminal app, which runs the payload, rather than by Preview or TextEdit.
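The trailing-space trick described above is easy to check for mechanically. The following Python script is an added example, not code from the article or from ESET: it walks the members of a zip archive, flags names whose innocuous extension is followed by whitespace, and reads each member's first four bytes to see whether the content is actually a Mach-O executable regardless of what the name claims. The archive it inspects is constructed inline for the demonstration (a benign text file, a real JPEG header, and a Mach-O header stub behind a ".jpg " name); it is not a real Keydnap sample.

```python
import io
import zipfile

# First four bytes of Mach-O files as they appear on disk.
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal (same magic as Java class files, so confirm by hand)",
}

# Extensions a user would not expect to be executable.
INNOCUOUS_EXTS = (".txt", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx")


def trailing_space_extension(name):
    """True if the base name looks like 'photo.jpg ' (harmless extension + trailing whitespace)."""
    base = name.rsplit("/", 1)[-1]
    stripped = base.rstrip()
    return stripped != base and stripped.lower().endswith(INNOCUOUS_EXTS)


def find_disguised_members(zip_bytes):
    """Return [(member_name, [reasons])] for archive members that look disguised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if trailing_space_extension(info.filename):
                reasons.append("extension followed by trailing whitespace")
            with zf.open(info) as fh:
                head = fh.read(4)
            # Check the content, not the name: a '.jpg' that starts with Mach-O magic is a binary.
            if head in MACHO_MAGICS:
                reasons.append("content is " + MACHO_MAGICS[head])
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive for the demonstration (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "just a text file\n")
        # JPEG SOI marker plus padding: a genuine image header under a genuine name.
        zf.writestr("real_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        # Mach-O 64-bit magic under a '.jpg ' name with a trailing space: the Keydnap-style trick.
        zf.writestr("screenshot.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in find_disguised_members(build_sample_zip()):
        print(repr(name), "->", "; ".join(reasons))
```

Run it against a real archive by passing the file's bytes to `find_disguised_members`; a member that trips both checks at once is the pattern the article describes. Checking the magic bytes matters because a trailing space is only one way to hide an extension, whereas the content has to be Mach-O for Terminal to run it.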

The downloader then installs the backdoor and replaces itself with a decoy document, either pulled from the web or rebuilt from a base64-encoded file embedded in the executable, to disguise what has just happened.

The backdoor adds an entry to the LaunchAgents directory so that it is relaunched at login and persists across reboots.
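A LaunchAgent entry is an ordinary launchd property list, so the persistence mechanism described above can be triaged with a few heuristics. The Python below is an added example, not code from the article or from ESET, and the plist it inspects is constructed here for the demonstration: the label, paths and file names are hypothetical and are not Keydnap indicators. The check looks for an Apple-style "com.apple." label living outside /System/Library, a program that runs from a user-writable location or a hidden directory, and RunAtLoad/KeepAlive settings that make it survive reboots, which is the combination a practitioner would expect from a malicious agent rather than a legitimate one.

```python
import plistlib

# Where genuine Apple launch agents and daemons live.
APPLE_AGENT_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Prefixes a legitimate agent's program would normally run from.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")


def triage_launch_agent(plist_bytes, plist_path):
    """Return a list of reasons this launchd plist deserves a closer look (empty = nothing odd)."""
    d = plistlib.loads(plist_bytes)
    reasons = []
    label = str(d.get("Label", ""))
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    program = str(args[0]) if args else ""

    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_AGENT_DIRS):
        reasons.append("Apple-style label %r outside /System/Library" % label)
    if program and not program.startswith(SYSTEM_PREFIXES):
        reasons.append("program runs from a non-system path: %s" % program)
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append("program path contains a hidden directory")
    # Starting at login is normal for an agent; it only adds weight when something else is odd.
    if reasons and (d.get("RunAtLoad") or d.get("KeepAlive")):
        reasons.append("RunAtLoad/KeepAlive set: relaunched at login, survives reboot")
    return reasons


# Constructed sample: a user-level agent mimicking an Apple name. Hypothetical, not a real IOC.
SAMPLE_PATH = "/Users/victim/Library/LaunchAgents/com.apple.example.helper.plist"
SAMPLE_AGENT = {
    "Label": "com.apple.example.helper",
    "ProgramArguments": ["/Users/victim/Library/Application Support/.example/helper"],
    "RunAtLoad": True,
    "KeepAlive": True,
}

# Constructed benign counterpart: an Apple-named agent where Apple agents belong.
BENIGN_PATH = "/System/Library/LaunchAgents/com.apple.example.plist"
BENIGN_AGENT = {
    "Label": "com.apple.example",
    "ProgramArguments": ["/usr/libexec/example"],
    "RunAtLoad": True,
}


def sample_plist_bytes():
    return plistlib.dumps(SAMPLE_AGENT)


def benign_plist_bytes():
    return plistlib.dumps(BENIGN_AGENT)


if __name__ == "__main__":
    for path, data in ((SAMPLE_PATH, sample_plist_bytes()), (BENIGN_PATH, benign_plist_bytes())):
        print(path)
        for reason in triage_launch_agent(data, path) or ["nothing unusual"]:
            print("  -", reason)
```

On a real machine, read each file under ~/Library/LaunchAgents and /Library/LaunchAgents with `open(path, "rb")` and pass its bytes and path to `triage_launch_agent`; plistlib handles both XML and binary plists. The heuristics are deliberately conservative, so an empty result means nothing stood out, not that the agent is clean.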

Once the backdoor is in place and the attackers have remote access to the system, which also lets them hijack sessions and spy on the victim, the malware turns to the OS X keychain to gather and steal the passwords and keys stored in it.

This component, lifted by the developer from a GitHub repository called Keychaindump, searches the memory of Apple's securityd process for the key that decrypts the keychain.

To obtain root access to the machine, Keydnap also attempts to trick the user into handing over their account credentials. The researchers say:

"Keydnap will spawn a window asking for the user's credentials, exactly like the one OS X users usually see when an application requires admin privileges.

If the victim falls for this and enters their credentials, the backdoor will henceforth run as root and the content of the victim's keychain will be exfiltrated."

Once it has the user's credentials, the malware reports back to the attackers' command-and-control (C&C) server over Tor, forwarding the stolen information and receiving fresh commands.

The researchers are not sure how victims become exposed to the malware, but it may be through phishing campaigns, malicious email attachments or downloads from suspicious websites. If Gatekeeper is active on the target machine, the file will not execute and a warning is displayed to the user.

Because some of the decoy documents contain screenshots of botnet command-and-control (C&C) panels and dumps of credit card numbers, ESET says the multiple Keydnap samples it has seen suggest the targets are users of underground forums, or perhaps even security researchers.

It is not known how many victims there are.

On Thursday, Bitdefender said that another new piece of Mac malware, Eleanor, also installs backdoors to compromise Macs.