ESET researchers have been looking into OSX/Keydnap, a Trojan stealing passwords and keys out of OSX keychains by creating a permanent backdoor. While still not clear how victims become exposed, it is thought that it could be spread via attachments in spam messages, downloads from untrusted websites or other vectors.
Keydnap downloader is distributed as a .zip file with executable file mimicking the icon Finder usually applied to JPEG or text files. This increases the likelihood that the recipient will double-click the file. Once started, a Terminal window opens and the malicious payload is executed.
At this point the backdoor is setup and the malware begins gathering and exfiltrating basic information about the Mac it’s running on. Upon request from its C&C server, Keydnap can ask for administrative privileges by opening the usual window OS X uses for that purpose. If the victim enters their credentials, the backdoor will then run as root, with the content of the victim’s keychain exfiltrated.
“While there are multiple security mechanisms in place within OS X to mitigate malware, as we see here, it’s possible to deceive the user into executing non-sandboxed, malicious code. All OS X users should remain vigilant as we still do not know how Keydnap is distributed, nor how many victims are out there,” says Marc-Etienne M. Léveillé, Malware Researcher at ESET.
Additional details about Keydnap can be found in a technical article on ESET’s official IT security blog, WeLiveSecurity.com.