
Mac Malware ‘Keydnap’ opens Backdoor, Captures Keychain Passwords


After a quiet period, malware targeting Macs has returned, with three newly discovered variants that can hijack webcams, access password keychains and reach nearly every other part of the system they infect. This Trojan, dubbed Keydnap and also identified as OSX/Keydnap, has just surfaced to attack Mac machines. It was first observed in May 2016 as version 1.3.1 and again in June as version 1.3.5.

When delivered, Keydnap is a compressed Mach-O executable named with a .jpg or .txt extension followed by a hidden space character, which causes the file to be executed when opened rather than displayed as an image or text file. The malware's operation is straightforward, even though the infection proceeds in several stages.

To operate, Keydnap first downloads a second component, its actual backdoor. It then runs that backdoor, which installs itself as a LaunchAgent to persist across reboots, and finally downloads the .txt or .jpg file it was pretending to be and displays it to the user.
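The disguise described above (an executable named `something.jpg ` or `something.txt ` with a trailing space) is easy to check for on disk. The following triage script is an added illustration written for this page, not code from the SPAMfighter article or from the malware researchers; it flags files whose name ends in a document extension plus trailing whitespace, and files whose name looks like an image or text document but whose first bytes carry a Mach-O magic number. The sample files it creates are constructed for the demo and are not real Keydnap artefacts.

```python
"""Flag files that use Keydnap-style disguises: a Mach-O executable whose name
ends in a document/image extension followed by a hidden trailing space.
Hypothetical triage script written for this page; not the article's own code."""
import os
import tempfile

# Mach-O magic numbers: 32/64-bit in both byte orders, plus the universal (fat) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".txt")


def has_padded_decoy_extension(name):
    """True when the name ends with a decoy extension plus trailing whitespace,
    e.g. 'photo.jpg ' (the trick the article describes)."""
    stripped = name.rstrip()
    return stripped != name and stripped.lower().endswith(DECOY_EXTENSIONS)


def looks_like_document(name):
    """True when the visible name (ignoring trailing spaces) claims to be an image or text file."""
    return name.rstrip().lower().endswith(DECOY_EXTENSIONS)


def is_macho(path):
    """Check the first four bytes for a Mach-O or fat-binary magic value."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def scan_tree(root):
    """Return {relative_path: [reasons]} for every suspicious file under root."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            if has_padded_decoy_extension(name):
                reasons.append("extension followed by trailing space")
            if looks_like_document(name) and is_macho(path):
                reasons.append("Mach-O header behind a document extension")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_tree():
    """Create constructed sample files in a temp directory for a stand-alone demo."""
    root = tempfile.mkdtemp(prefix="keydnap-demo-")
    samples = {
        "holiday.jpg ": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # 64-bit Mach-O magic, padded .jpg name
        "notes.txt ": b"plain text, but the trailing space alone is suspicious",
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,       # genuine JPEG magic, benign
        "readme.txt": b"nothing to see here",                  # benign text file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, why in sorted(scan_tree(demo_root).items()):
        print(f"{rel!r}: {', '.join(why)}")
```

Run it against a user's Downloads folder (`scan_tree(os.path.expanduser("~/Downloads"))`) to surface both halves of the disguise independently: the trailing-space name is suspicious on its own, and a Mach-O header behind a `.jpg` or `.txt` name is suspicious even without the padding.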

With these steps done, Keydnap's malicious activity begins. Although it initially runs only with the current user's privileges, it tries to gain root by displaying a popup that asks for the user's credentials.

The Trojan then dumps the contents of the Mac Keychain using code from Keychaindump, a GitHub project, and connects to a Tor site through the onion.to Tor2Web proxy. The Keychain contents are uploaded to the command-and-control infrastructure over HTTPS.

Besides stealing passwords, Keydnap on an infected Mac can also download files from remote URLs and execute them, download and run Python scripts, execute shell commands and report their output back, and update the backdoor to a newer version.

If the Mac's installation settings have been altered, the system can still be hijacked by a persistent backdoor called icloudsyncd together with a keychain password stealer. Virusguides.com reported this on July 7, 2016.

Keydnap does not exploit any OS X vulnerability. Macs left on their default settings are protected by the built-in security setting that blocks software from unidentified developers from running.

» SPAMfighter News - 7/11/2016
