{{Short description|MacOS X based Trojan horse}}
{{Orphan|date=December 2016}}
'''OSX.Keydnap''' is a [[MacOS|MacOS X]] based [[Trojan horse (computing)|Trojan horse]] that steals passwords from the iCloud Keychain<ref name=":0">{{Cite web|url=https://blog.malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/|title=Mac malware OSX.Keydnap steals keychain|last=Reed|first=Thomas|date=2016-07-13|website=|publisher=Malwarebytes|access-date=2016-11-20}}</ref> of the infected machine. It uses a [[Dropper (malware)|dropper]] to establish a permanent backdoor while exploiting MacOS vulnerabilities and security features like [[Gatekeeper (macOS)|Gatekeeper]], iCloud
== Technical
=== Download and
OSX.Keydnap is initially downloaded as a [[Zip (file format)|Zip archive]]. This archive contains a single [[Mach-O]] file and a [[Resource fork]] holding an icon for the executable, typically the icon of a JPEG or text file. Additionally, the dropper takes advantage of how OS X handles file extensions by placing a space after the extension in the file name, for example “keydnap.jpg ” instead of “keydnap.jpg”.
This initial execution does three things. First, it downloads and executes the backdoor component. Second, it downloads and opens a decoy document matching what the dropper file pretends to be. Finally, it quits the Terminal to hide that it was ever open; the Terminal is only open momentarily.{{Citation needed|date=November 2024}}
=== Establishing the
Since the downloader is not persistent, the downloaded backdoor component spawns a process named "icloudsyncd" that runs at all times. It also adds an entry to the LaunchAgents directory to survive reboots. The icloudsyncd process is used to communicate with a command & control server via an onion.to address, establishing the backdoor.<ref name=":2">{{Cite web|url=http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/|title=New OSX/Keydnap malware is hungry for credentials|last=
It then attempts to capture passwords from the iCloud Keychain, using the proof-of-concept Keychaindump,<ref>{{Cite web|url=https://github.com/juuso/keychaindump|title=A proof-of-concept tool for reading OS X keychain passwords|last=Salonen|first=Juuso|date=2015-09-05|website=www.github.com|publisher=|access-date=2016-12-02}}</ref> and transmits them back to the server. Keychaindump reads securityd’s memory and searches for the decryption key for the user’s keychain as described in “Keychain Analysis with Mac OS X Memory Forensics” by K. Lee and H. Koo.<ref>{{Cite web|url=https://forensic.n0fate.com/wp-content/uploads/2012/07/Keychain-Analysis-with-Mac-OS-X-Memory-Forensics.pdf|title=Keychain Analysis with Mac OS X Memory Forensics|last=Lee|first=Kyeongsik|last2=Koo|first2=Hyungjoon|date=2012-07-01|website=forensic.n0fate.com|publisher=|access-date=2016-12-02}}</ref>
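As an added example (not code from the article or from the cited analyses), the following Python checks a zip archive for the dropper pattern described above, a Mach-O file whose name carries a document extension followed by a trailing space, and checks a LaunchAgent plist for a program reference to icloudsyncd; the sample archive, plist contents and file paths are constructed for the demonstration.

```python
import io
import plistlib
import zipfile

# Mach-O / fat-binary magics in both byte orders (CA FE BA BE is also Java's; weak alone).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                       # fat (universal) binary
}
DOCUMENT_EXTENSIONS = (".jpg", ".jpeg", ".png", ".txt", ".pdf", ".doc")

def is_macho(data: bytes) -> bool:
    """True if the first four bytes match a Mach-O or fat-binary magic."""
    return data[:4] in MACHO_MAGICS

def has_padded_extension(name: str) -> bool:
    """True for names such as 'keydnap.jpg ' where whitespace follows a document extension."""
    base = name.rsplit("/", 1)[-1]
    return base != base.rstrip() and base.rstrip().lower().endswith(DOCUMENT_EXTENSIONS)

def scan_archive(zip_bytes: bytes) -> list[str]:
    """Return archive entries that are Mach-O executables disguised as documents."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_macho(zf.open(info).read(4)) and has_padded_extension(info.filename):
                flagged.append(info.filename)
    return flagged

def launch_agent_runs(plist_bytes: bytes, needle: str = "icloudsyncd") -> bool:
    """True if a LaunchAgent plist's Program or ProgramArguments reference the given name."""
    plist = plistlib.loads(plist_bytes)
    targets = [plist.get("Program", "")] + list(plist.get("ProgramArguments", []))
    return any(needle in str(t) for t in targets)

def build_sample_archive() -> bytes:
    """Constructed sample: one disguised 64-bit Mach-O entry and one genuine JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("keydnap.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # Mach-O magic, padded
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28)      # JPEG magic
    return buf.getvalue()

# Constructed plist mimicking a persistence entry; the path is a placeholder.
SAMPLE_PLIST = plistlib.dumps({
    "ProgramArguments": ["/Users/demo/Library/.icloudsyncd"],
    "RunAtLoad": True,
})
```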
=== Gatekeeper
Mac OS uses Gatekeeper to verify that an application is signed with a valid Apple Developer ID certificate, preventing OSX.Keydnap from running. Further, even if the user has Gatekeeper turned off, they will see a warning that the file is an application downloaded from the Internet, giving them the option not to execute it. However, when OSX.Keydnap is packaged with a legitimate signing key, as in the case of the compromised Transmission app, it successfully bypasses Gatekeeper protection.<ref name=":1" /><ref name=":2" />
== Detection and
Activating [[Gatekeeper (macOS)|Gatekeeper]] is an easy way to prevent accidental installation of OSX.Keydnap. If the user's Mac has Gatekeeper activated, the malicious file will not be executed and a warning will be displayed to the user, because the malicious Mach-O file is unsigned, which automatically triggers a Gatekeeper warning.<ref name=":2" /> Users who were infected through the compromised Transmission app or by disabling Gatekeeper can remove the infection with Spyware Doctor.<ref>{{Cite web|url=https://iboostup.com/spyware-doctor/research/infection/Trojan.Keydnap|title=Keydnap - Threat Details|last=Spyware Doctor|date=2016-08-30|website=www.iboostup.com|publisher=iBoostUp|first=macOS malware research|access-date=2024-12-05}}</ref>
== References ==
[[Category:MacOS malware]]
[[Category:Trojan horses]]