More Mac malware: OSX/Keydnap

Maybe malware is always going to come in threes. Hot on the heels of the recent announcement of Backdoor.MAC.Eleanor, another new species of malware has been announced: OSX/Keydnap, discovered by the team at welivesecurity.com whose announcement contains full details.

It is not yet clear how this beast gets onto your Mac, but it is almost certainly delivered by a user action, perhaps as an attachment in spam mail, or as a download from a malicious website. What arrives is a .zip archive, which has to be opened in order to activate it. The single file inside that archive looks like something benign and normal, perhaps with a .txt or .jpg extension, but that is a trick to get you to open it.

On opening the uncompressed file, macOS, because the file's name actually has a space at the end, treats it as a Terminal script and duly runs it for you. That is when it turns nasty.

The payload script is an unsigned executable downloader, which, when Gatekeeper is active, will trigger it: you will be advised that the file is from an unidentified developer and so cannot be opened. If Gatekeeper is not active, or you elect to bypass it by opening the file using the Finder’s contextual menu, it downloads and runs a backdoor app, then changes the original file into a decoy, to make it appear innocent.

The backdoor in turn installs itself in a LaunchAgents folder, either in /Library if it has access, or in ~/Library, so that it persists. The backdoor presents itself as a process with the name icloudsync, which engineers itself to run as root, and therefore has access to a lot of your Mac. It comes equipped to steal passwords and keys stored in your keychain, communicating with its controllers over Tor. It may result in your being prompted for your password, in a dialog in which it is identified as icloudsyncd.
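Because the persistence mechanism described above is a LaunchAgent, one simple check is to look through the LaunchAgents folders for any property list that refers to the icloudsync process name. The script below is an added example, not code from the original post or from the ESET or Objective-See write-ups. It takes the folders to scan as arguments so it can be pointed at the real ~/Library/LaunchAgents and /Library/LaunchAgents, and its demo builds a constructed folder with one benign and one suspect plist; the plist names and paths in the demo are made up for illustration and are not Keydnap's own.

```shell
#!/bin/sh
# Added example: hunt LaunchAgents folders for plists that mention "icloudsync".
# Not part of the original post; file names below are constructed test data.

# Print the path of every .plist under the given folders whose contents
# mention "icloudsync" (case-insensitive), one path per line.
find_suspect_agents() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -qi 'icloudsync' "$plist"; then
                printf '%s\n' "$plist"
            fi
        done
    done
}

# Build a constructed LaunchAgents folder, scan it, and print the base names
# of the plists that were flagged. Returns the scan's output for checking.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/LaunchAgents"
    # Benign agent: a made-up backup job with nothing to do with icloudsync.
    cat > "$tmp/LaunchAgents/constructed-benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>
EOF
    # Suspect agent: constructed plist whose program is named icloudsyncd,
    # the process name the post warns about. Path is a placeholder.
    cat > "$tmp/LaunchAgents/constructed-suspect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed</string>
  <key>ProgramArguments</key><array><string>/tmp/constructed/icloudsyncd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    for hit in $(find_suspect_agents "$tmp/LaunchAgents"); do
        printf '%s\n' "${hit##*/}"
    done
    rm -rf "$tmp"
}

# To scan a real Mac:
#   find_suspect_agents "$HOME/Library/LaunchAgents" /Library/LaunchAgents
```

The scan is a name match, so a hit is a reason to inspect the plist and the program it points at (with Get Info or `file`), not proof of infection by itself; BlockBlock watches the same folders continuously rather than on demand.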

One test which may help you prevent its installation is to inspect the original decompressed file using Finder’s Get Info: it will be shown not as the text or image file you were expecting, but as a Unix executable that opens with Terminal. Be alert for anything identified as icloudsyncd, which is certain to be up to no good.
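The Get Info check above can be scripted for anything pulled out of an archive: a file whose name ends in a space, or one that carries a document-like extension yet has its executable bit set, is not the text or image file it pretends to be. The script below is an added example, not code from the original post or from the malware write-ups; the decoy it creates ("photo.jpg " with a trailing space, containing a trivial shell script) is constructed test data standing in for the real payload.

```shell
#!/bin/sh
# Added example: flag decompressed files that are disguised executables.
# Not part of the original post; the demo's files are constructed.

# Print a comma-separated list of reasons and return 0 if the file looks
# like a disguised executable; print nothing and return 1 otherwise.
check_dropped_file() {
    path=$1
    name=${path##*/}          # base name, keeping any trailing space
    reasons=""
    # A trailing space hides the real type from Finder and the OS.
    case "$name" in
        *' ') reasons="${reasons:+$reasons,}trailing-space" ;;
    esac
    # Strip one trailing space, then look at the apparent extension.
    trimmed=${name% }
    case "$trimmed" in
        *.txt|*.jpg|*.jpeg|*.png|*.pdf|*.doc|*.docx)
            # A document with the execute bit set is what Get Info reports
            # as a "Unix Executable File" that opens with Terminal.
            if [ -x "$path" ]; then
                reasons="${reasons:+$reasons,}executable-document-extension"
            fi
            ;;
    esac
    if [ -n "$reasons" ]; then
        printf '%s\n' "$reasons"
        return 0
    fi
    return 1
}

# Build a constructed folder with one benign document and one decoy,
# run the check over it, and print "name:reasons" for each hit.
demo_check() {
    tmp=$(mktemp -d)
    : > "$tmp/notes.txt"                              # benign, not executable
    printf '#!/bin/sh\necho constructed\n' > "$tmp/photo.jpg "   # decoy
    chmod +x "$tmp/photo.jpg "
    result=""
    for f in "$tmp"/*; do
        if reasons=$(check_dropped_file "$f"); then
            result="${result}${f##*/}:${reasons}"
        fi
    done
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

# To check everything just extracted into a folder:
#   for f in ~/Downloads/extracted/*; do check_dropped_file "$f" && echo "$f"; done
```

On a Mac, running `file` on the flagged path gives the same answer as Get Info's Kind field; the check here stops at the name and mode bits so that it runs anywhere.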

Patrick Wardle advises that this is detected by, and easily blocked by, his free utility BlockBlock.

As with most malware at present, the most important factor is your suspicion. Don’t open spam or suspicious messages. If you accidentally do, remove and destroy any attachments as quickly as you can, and never decompress them. Watch out, and BlockBlock block!

Thanks again to Patrick Wardle and Objective-See for drawing attention to this.