Popular BitTorrent client Transmission has been found distributing malware to infect Mac users, just months after it was used to spread a strand of ransomware called KeRanger, researchers have found. Discovered by experts at cybersecurity firm Eset, the malware called OSX/Keydnap is "built to steal the content of OS X's keychain and maintain a permanent backdoor".

Researchers found that a version of the BitTorrent client containing the malware was recently being distributed on Transmission's official website.

Eset said the malicious file was removed from the web server "literally minutes" after they notified the Transmission team and an investigation was launched.

"According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day," Eset researchers wrote in a We Live Security blog post. "Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised."

To verify if your system has been compromised, the Eset team recommends that users look for any of the following folders and files:

  • /Applications/Transmission.app/Contents/Resources/License.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
  • $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
  • /Library/Application Support/com.apple.iCloud.sync.daemon/
  • $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

If the above mentioned files are present, a user's computer has been infected with the Keydnap malware, which not only steals credentials, but functions as a permanent backdoor program that can download and execute files from a remote URL.

The researchers also noted that "the malicious disk image was named Transmission2.92.dmg while the legitimate one is Transmission-2.92.dmg", making note of the hyphen.

Earlier in March, Palo Alto Networks researchers found that the Transmission website had been hacked and infected with a strand of ransomware called "KeRanger" – the first ever fully functional ransomware that targets Mac computers.

Eset researchers said that the distribution technique and code of the Keydnap malware was similar to that of KeRanger.

"In both cases, a malicious block of code is added to the main function of the Transmission application," the researchers wrote. "The code responsible for dropping and running the malicious payload is astonishingly the same." Similar to KeRanger, Keydnap also used a legitimate code key to sign the malicious Transmission application bundle and bypass Apple's malware-detecting feature Gatekeeper.

Eset has already notified Apple about the compromised code signing key. Although it is still unknown how and when the malicious code was made available for download on the Transmission website, the researchers said in July that users could be exposed to the Keydnap malware through "attachments in spam messages, downloads from untrusted websites or something else" as well.