OS X malware Keydnap uses Tor and opens 'permanent' backdoor likely targeting security researchers

A new strain of malware targeting Mac users has been uncovered by security researchers. The OS X malware dubbed Keydnap steals Keychain credentials and opens a "permanent backdoor" on infected systems. Coincidentally, the malware appears to be targeting security experts and users of underground forums.

According to ESET security researchers, the malware was first detected in May (version 1.3.1) and later in June (version 1.3.5). Although it is uncertain as to how the malware is distributed, researchers speculate that either spam email campaigns or downloads from untrusted websites may be the culprit behind the spread of the malware.

The malware comes as part of an unzipped file with a hidden space in the file extension and when downloaded, begins running in the Mac terminal. The file – Mach O – uses a fake icon and installs the Keydnap backdoor, which in turn operates to get rooting privileges and attempts to gain administrative privileges as well by posing as a pop-up.

The Keydnap malware is also capable of downloading and executing files from a remote URL, updating the backdoor with new versions, downloading and running the Python scripts as well as executing shell commands while also reporting on the results.

"The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X's keychain," said ESET security researcher Marc-Etienne M Leveille. He also explained that the author of the malware "took a proof-of-concept" example available on Github called Keychaindump. The malware uses the Tor website via the onion.to Tor2Web proxy and sends the contents of the Mac's keychain to a C&C (command and control) server through HTTPS.

ESET also observed two active C&C servers and analysis of the kind of decoy images used by the malware indicates that the malware may in fact be targeting security researchers and users of underground forums. Unfortunately, not a lot is known about the Keydnap malware. In addition to limited information on the malware's distribution methods, researchers are yet to uncover how many victims have been affected by the malware.

"Although there are multiple security mechanisms in place in OS X to mitigate malware, it's possible to deceive the user into executing non-sandboxed malicious code by replacing the icon of a Mach-O file," warns Leveille.