Keydnap malware targeting Mac users, particularly security researchers

A new malware strain, dubbed Keydnap, is targeting Mac users in particular, security researchers, according to ESET blog We Live Security.

The ESET researchers are uncertain how victims are initially infected but speculate it might be through attachments in spam messages or downloads from untrusted websites. They have determined that a downloader component is delivered in a .zip file containing an executable with an ordinary-looking extension, .jpg or .txt. But, the file extension includes a space character which, upon double-clicking, will launch it in a Mac Terminal window and not Preview or TextEdit.

The malware contains a proof-of-concept sample available on Github, called Keychaindump, that siphons credentials from victims' Keychain – an Apple component that stores usernames, passwords and other personal information – and opens a backdoor on targeted systems.

After the Keydnap backdoor is installed, while posing as a pop-up, it sets to work digging into rooting privileges and trying to access administrative privileges. It can then download and launch files from a remote URL, thus keeping the backdoor up to date with fresh iterations, while downloading and running Python scripts and loading shell commands.

The ESET researchers have so far detected several variants of the downloader executable. Because some recent samples embed decoy documents that are screenshots of botnet C&C panels or dumps of credit card numbers, they believe the malware is targeting users of underground forums or security researchers.

It is unknown how many Mac users have been affected by this malware campaign, ESET said.

Sign up to our newsletters