Date:13/07/16
Keydnap malware goes after your Mac password treasure trove
Researchers have revealed a new kind of Mac malware discovered in the wild which burrows its way into PCs with the aim of stealing your passwords. According to ESET researchers, the malware, dubbed Keydnap, focuses on stealing the content of Apple OS X keychains and installs a permanent backdoor into a victim's system.
The malware has several unusual features. If downloaded, the malware appears within a .zip file which contains an executable disguised as an innocent .txt or .jpg file. However, the file extension contains a space character at the end, and so if the file is double-clicked, it opens in the Terminal app rather than Preview or TextEdit to execute the payload.
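The trailing-space trick described above is easy to check for on the defender's side before an archive is ever opened. The following script is an added example and not ESET's or the author's code: it walks a zip archive, flags member names that end in a space, and reads the first bytes of each member to spot a Mach-O executable wearing a document extension. The archive it scans is constructed inline; the magic values are the standard Mach-O header constants.

```python
import io
import zipfile

# Magic numbers of Mach-O images: 32/64-bit in either byte order, plus the universal (fat) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}
# Extensions an attacker picks because Finder shows them as harmless documents.
DOCUMENT_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx"}


def inspect_entry(name, head):
    """Return the findings for one archive member given its name and first bytes."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    if base.endswith(" "):
        findings.append("trailing space after extension")
    stripped = base.rstrip(" ")
    ext = ("." + stripped.rsplit(".", 1)[-1].lower()) if "." in stripped else ""
    if head[:4] in MACHO_MAGICS:
        if ext in DOCUMENT_EXTENSIONS:
            findings.append("Mach-O executable disguised as " + ext)
        else:
            findings.append("Mach-O executable")
    return findings


def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its findings; clean members are omitted."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings = inspect_entry(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed sample: a fake 64-bit Mach-O named like a JPEG with a trailing space, next to a real text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        zf.writestr("readme.txt", b"just text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        print(repr(name), "->", "; ".join(findings))
```

The header check matters because the space alone is not proof: a genuine file can be misnamed, but a document extension over a Mach-O header is the combination this lure relies on.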
A backdoor is then created and a decoy document pulled from the web or created using a base64-encoded embedded file replaces the downloader component, helping to disguise the malware's activities.
The backdoor will add an entry to the LaunchAgents directory and stay persistent even on reboot. Once the backdoor is set and remote attackers have gained entry into the system -- which also allows them to hijack sessions and spy on victims -- the malware then targets the OS X keychain to gather and steal passwords and keys stored within.
This component, lifted by the developer from a GitHub repository called Keychaindump, then searches the Apple securityd's memory for the decryption key to the keychain. In order to gain root access to the machine, Keydnap will also attempt to trick the user into handing over their account credentials.
The researchers say: "Keydnap will spawn a window asking for the user's credentials, exactly like the one OS X users usually see when an application requires admin privileges. If the victim falls for this and enters their credentials, the backdoor will henceforth run as root and the content of the victim's keychain will be exfiltrated."
When the user's credentials have been accessed, the malware uses Tor to report back to the attacker's C&C server and forward this information on as well as receive fresh commands. The researchers are not sure how victims become exposed to the malware, but it may be through phishing campaigns, malicious email attachments or downloads from suspicious websites. If Gatekeeper is active on the target machine, the file will not execute and a warning is displayed to the user.
ESET says that multiple samples of Keydnap suggest that users of underground forums or perhaps even security researchers are being targeted, due to screenshots of botnet command and control (C&C) panels and credit card number dumps embedded in some decoy documents.
Bitdefender said that another new piece of Mac malware, Eleanor, also installs backdoors to compromise Apple PCs.
©ictnews.az. All rights reserved.