Researchers find OS X malware stealing data from keychain
Researchers at security firm ESET have found OS X malware that steals data from the keychain and acts as a backdoor. The company has not yet been able to determine with certainty how the malware is spreading and how many victims there are.
Known as “Keydnap,” the malware arrives in the form of a zip file, believed to be an attachment to a spam email, ESET reports. In that archive are two files, a txt and a jpeg file. In reality, however, they are executable Mach object files, which the system therefore opens in the terminal.
The malware is able to do this by adding a space to the end of the file extension, the researchers explain. In addition, the zip archive contains a so-called resource fork, which makes it appear as a text file or image by displaying the corresponding OS X icons. If the user opens one of the files, the malware is executed. A warning will be displayed by the Gatekeeper security because the software is not signed.
The user must ignore this warning to get infected. When this happens, the malware downloads the backdoor and replaces the downloader itself with a fake file. These files include screenshots of botnet command-and-control server control panels, leading ESET to believe that the malware is targeting members of the underworld or security researchers. The malware then communicates with a cnc server at a tor address and allows an attacker, for example, to remotely download and execute a file from a url.
The malware can also obtain root rights through a window in which the software asks the user to enter his password. This is only shown if two processes are created in quick succession. The code responsible for stealing passwords from the Keychain password manager appears to come directly from a GitHub project called “Keychaindump,” the researchers add.
Earlier this week, researchers from security firm Bitdefender found another OS X backdoor called “Backdoor.MAC.Eleanor.” It is present in software that pretends to be a converter called EasyDoc Converter. Among other things, this malware is able to record images with built-in webcams on infected systems.