Finder window with the ZIP and the malicious
jpg file on Mac OSX
Eset probes new credentials-stealing Trojan
DUBAI, July 14, 2016
Researchers at Eset, a pioneer in the antivirus industry, have been looking into OSX/Keydnap, a Trojan stealing passwords and keys out of OSX keychains by creating a permanent backdoor.
While still not clear how victims become exposed, it is thought that it could be spread via attachments in spam messages, downloads from untrusted websites or other vectors.
Keydnap downloader is distributed as a .zip file with executable file mimicking the icon Finder usually applied to JPEG or text files. This increases the likelihood that the recipient will double-click the file. Once started, a Terminal window opens and the malicious payload is executed.
At this point the backdoor is setup and the malware begins gathering and exfiltrating basic information about the Mac it’s running on. Upon request from its C&C server, Keydnap can ask for administrative privileges by opening the usual window OS X uses for that purpose. If the victim enters their credentials, the backdoor will then run as root, with the content of the victim’s keychain exfiltrated.
“While there are multiple security mechanisms in place within OS X to mitigate malware, as we see here, it’s possible to deceive the user into executing non-sandboxed, malicious code. All OS X users should remain vigilant as we still do not know how Keydnap is distributed, nor how many victims are out there,” said Marc-Etienne M Léveillé, malware researcher at Eset. – TradeArabia News Service