=== Download and installation ===
OSX.Keydnap is initially downloaded as a [[Zip (file format)|Zip archive]]. The archive contains a single [[Mach-O]] executable together with a [[Resource fork]] that supplies the executable's icon, typically the icon of a JPEG image or a text file. The dropper also abuses how OS X handles file extensions: a space is appended after the extension, so the file is named “keydnap.jpg ” rather than “keydnap.jpg”. Because “.jpg ” is not a recognized extension, the file is handled according to its actual type, a Mach-O executable, while the icon and name still make it look like a picture. Commonly seen icons and file names are chosen to exploit users' willingness to open benign-looking files. When the file is double-clicked, the Mach-O executable therefore runs in the Terminal instead of opening in an image viewer as the user would expect.{{Citation needed|date=November 2024}}
This initial execution does three things. First, it downloads and executes the backdoor component. Second, it downloads and opens a decoy document that matches what the dropper file pretends to be. Finally, it quits the Terminal to hide that it was ever open; the Terminal window is therefore visible only momentarily.{{Citation needed|date=November 2024}}
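The dropper pattern described above (a Mach-O executable whose name ends in a benign extension padded with whitespace, shipped in a Zip together with an AppleDouble sidecar carrying its icon) can be checked for before a file is ever opened. The following scanner is an added example written for this article; it is not part of the malware or of any referenced analysis tool. The list of "benign" extensions, the severity labels, and the sample archive it builds (fake header bytes only, not a real binary) are all constructed assumptions.

```python
"""Scan a Zip archive for the Keydnap-style dropper pattern. Added example;
the sample archive below is constructed and contains no real executable."""
import io
import struct
import zipfile

# Mach-O thin-binary magics: MH_MAGIC / MH_CIGAM and their 64-bit forms.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",
    b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf",
    b"\xcf\xfa\xed\xfe",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; magic is shared with Java .class files
# Extensions a user expects to open in Preview, TextEdit, etc. (assumed list).
BENIGN_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx"}


def is_macho(header: bytes) -> bool:
    """True if the first 8 bytes look like a Mach-O thin or universal binary."""
    if len(header) < 8:
        return False
    if header[:4] in MACHO_MAGICS:
        return True
    if header[:4] == FAT_MAGIC:
        # Disambiguate from Java class files: nfat_arch is a small architecture
        # count, whereas a class file has minor/major version here (major >= 45).
        nfat_arch = struct.unpack(">I", header[4:8])[0]
        return 0 < nfat_arch < 0x20
    return False


def padded_extension(name: str):
    """Return (extension, padding) if the basename is '<x>.<benign ext><whitespace>'."""
    base = name.rsplit("/", 1)[-1]
    stripped = base.rstrip()  # also removes U+00A0 and other Unicode spaces
    if stripped == base:
        return None
    dot = stripped.rfind(".")
    if dot == -1:
        return None
    ext = stripped[dot:].lower()
    if ext not in BENIGN_EXTENSIONS:
        return None
    return ext, base[len(stripped):]


def scan_archive(data: bytes) -> list:
    """Return one finding per suspicious entry, highest severity first."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        sidecars = {n for n in zf.namelist() if n.startswith("__MACOSX/")}
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name in sidecars:
                continue
            parent, _, base = name.rpartition("/")
            # macOS stores resource forks as AppleDouble "._" files under __MACOSX/.
            sidecar = f"__MACOSX/{parent + '/' if parent else ''}._{base}"
            with zf.open(info) as fh:
                header = fh.read(8)
            macho = is_macho(header)
            padded = padded_extension(name)
            if not (macho or padded):
                continue
            if macho and padded:
                severity = "high"    # executable disguised as a document: the Keydnap pattern
            elif macho:
                severity = "medium"  # executable, but not disguised by its name
            else:
                severity = "low"     # padded name, but not executable
            findings.append({
                "name": name,
                "macho": macho,
                "padded_extension": padded,
                "icon_sidecar": sidecar in sidecars,
                "severity": severity,
            })
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def build_sample_archive() -> bytes:
    """Constructed sample: header bytes and names only, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 60      # fake 64-bit LE Mach-O header
        zf.writestr("screenshot.jpg ", fake_macho)           # note the trailing space
        # AppleDouble sidecar (magic 0x00051607) standing in for the icon resource fork.
        zf.writestr("__MACOSX/._screenshot.jpg ", b"\x00\x05\x16\x07" + b"\x00" * 28)
        zf.writestr("readme.txt", b"just text\n")            # benign, must not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

Running the module flags only `screenshot.jpg ` (high severity, with its icon sidecar present) and leaves `readme.txt` alone. The fat-binary check deliberately rejects headers whose second word looks like a Java class-file version, which is the usual false positive when matching on 0xCAFEBABE alone.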
=== Establishing the backdoor connection ===
== Detection and removal ==
Activating [[Gatekeeper (macOS)|Gatekeeper]] is an easy way to prevent accidental installation of OSX.Keydnap. If Gatekeeper is enabled on the user's Mac, the malicious file is not executed and a warning is displayed, because the malicious Mach-O file is unsigned and Gatekeeper warns about unsigned downloaded executables by default.<ref name=":2" /> Gatekeeper only evaluates files that carry the quarantine attribute a browser attaches to downloads, and the user can still choose to override the warning. Users who were infected through the compromised Transmission app, or who had disabled Gatekeeper, can remove the infection with Spyware Doctor.<ref>{{Cite web|url=https://iboostup.com/spyware-doctor/research/infection/Trojan.Keydnap|title=Keydnap - Threat Details|last=Spyware Doctor|date=2016-08-30|website=www.iboostup.com|publisher=iBoostUp|first=macOS malware research|access-date=2024-12-05}}</ref>
== References ==