SecurityWeek

Endpoint Security

New OS X Backdoor Steals Mac Keychain Content

A new Mac OS X piece of malware was designed to steal the content of the keychain and to establish permanent backdoor access to the infected system, ESET security researchers warn.

Dubbed OSX/Keydnap, the new threat is supposedly distributed via malicious attachments in spam messages, but researchers say that downloads from untrusted websites might also be used as infection vectors. While the exact distribution mechanism for the malware is uncertain, researchers say that one downloader component is known to be distributed in a .zip file.

The .zip archive contains a Mach-O executable masquerading as a .txt or .jpg file: its name ends with a space character after the extension, so double-clicking it launches it in Terminal rather than opening it in Preview or TextEdit, as a genuine file would. The executable also carries the icon Finder normally applies to JPEG or text files, so users are more likely to open it believing it is benign.
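The trailing-space trick described above is easy to check for before an archive reaches a user. The following is an added example (not ESET's code or part of the original article) that inspects a ZIP in memory and flags entries whose document-style extension ends in whitespace, or whose first bytes are a Mach-O or fat-binary magic number; the sample archive it builds is constructed here for illustration.

```python
import io
import zipfile

# Mach-O magic numbers as they appear on disk: 32-bit, 64-bit and fat binaries,
# in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / byte-swapped
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / byte-swapped
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / byte-swapped
}

# Extensions a user expects to open in Preview/TextEdit rather than Terminal.
DOCUMENT_EXTENSIONS = (".txt", ".jpg", ".jpeg", ".png", ".pdf")


def is_macho(head: bytes) -> bool:
    """True when the first four bytes are a Mach-O or fat-binary magic value."""
    return head[:4] in MACHO_MAGICS


def has_trailing_space_extension(name: str) -> bool:
    """True when the file name looks like a document but its extension is
    followed by trailing whitespace (e.g. 'photo.jpg ')."""
    base = name.rsplit("/", 1)[-1]
    if base == base.rstrip():
        return False                      # no trailing whitespace at all
    return base.rstrip().lower().endswith(DOCUMENT_EXTENSIONS)


def scan_zip(zip_bytes: bytes):
    """Return [(entry name, [reasons])] for every suspicious entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = []
            if has_trailing_space_extension(info.filename):
                reasons.append("trailing-whitespace-extension")
            if is_macho(head):
                reasons.append("mach-o-header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed fixture: a fake 64-bit Mach-O header named like a JPEG with a
    trailing space, next to a harmless text file. Not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        zf.writestr("readme.txt", b"just a text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()):
        print(repr(name), "->", ", ".join(reasons))
```

Either signal alone is worth a look; both together on the same entry is the exact pattern the article describes. Mail gateways and download scanners can apply the same two checks to any archive they unpack.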

The unsigned Mach-O executable will download and execute the backdoor component, and will also replace its content with a decoy, either using a base64-encoded embedded file or by downloading it from the Internet. Moreover, it opens a decoy document and closes the terminal window that it just opened, researchers say.

The decoy document is meant to replace the Mach-O file (the downloader), leaving the malicious executable only inside the ZIP file, ESET's researchers found. The downloader itself has no persistence mechanism, but the backdoor adds an entry to the LaunchAgents directory, which allows it to survive a reboot.

According to ESET, because recent malware samples were embedding decoy documents that were screenshots of botnet C&C panels or dumps of credit card numbers, it is possible that Keydnap was meant to target users of underground forums or security researchers. Recent versions also have a version number, yet all samples have the filename icloudsyncd, ESET says.

The backdoor, which is packed with a modified version of UPX, achieves persistency by installing a plist file in /Library/LaunchAgents/ (if root privileges are available) or in $USER/Library/LaunchAgents/ (without root). The icloudsyncd executable is kept in the Library/Application Support/com.apple.iCloud.sync.daemon directory, where the process id of the running malware is kept as well. If root privileges are available, the malware ensures that it can run as root by changing the owner of icloudsyncd to root:admin and by making the executable setuid and setgid. It also hides its location by replacing argv[0] with /usr/libexec/icloudsyncd –launchd netlogon.bundle.
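The persistence details above (a plist in one of the two LaunchAgents directories, a binary named icloudsyncd under Library/Application Support/com.apple.iCloud.sync.daemon, and setuid/setgid bits when root was available) translate directly into a host check. The script below is an added example, not ESET's or the article's code: it parses every launchd plist in the given directories, flags any whose program path contains the indicators named in the article, and reports set-id bits on the referenced binary. The fixture it builds is constructed; the plist label "com.apple.iCloud.sync.daemon" is an assumption for the sample only, since the article names the directory but not the label.

```python
import os
import plistlib
import stat
import sys
import tempfile
from pathlib import Path

# Indicators taken from the article: the binary name and its drop directory.
SUSPICIOUS_SUBSTRINGS = ("icloudsyncd", "com.apple.iCloud.sync.daemon")


def launch_agent_dirs(home: str):
    """The two locations the article names: system-wide (root) and per-user."""
    return ["/Library/LaunchAgents", str(Path(home, "Library", "LaunchAgents"))]


def program_paths(plist: dict):
    """Yield every program path a launchd plist can start."""
    if "Program" in plist:
        yield str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    if args:
        yield str(args[0])


def check_binary_privileges(path: str):
    """Names of set-id bits on the binary; [] if it is absent or unprivileged."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return []
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def scan_launch_agents(directories):
    """Return one finding per plist whose program matches an indicator."""
    findings = []
    for directory in directories:
        for plist_path in sorted(Path(directory).glob("*.plist")):
            try:
                with open(plist_path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:
                continue  # unreadable or not a plist: skip, do not crash the sweep
            for prog in program_paths(data):
                if any(s in prog for s in SUSPICIOUS_SUBSTRINGS):
                    findings.append({
                        "plist": str(plist_path),
                        "label": data.get("Label"),
                        "program": prog,
                        "setid_bits": check_binary_privileges(prog),
                    })
    return findings


def build_sample_tree() -> str:
    """Constructed fixture mimicking a home directory with the dropped binary and
    its LaunchAgents plist, plus one benign agent. Returns the fake home path."""
    home = tempfile.mkdtemp()
    agents = Path(home, "Library", "LaunchAgents")
    agents.mkdir(parents=True)
    support = Path(home, "Library", "Application Support", "com.apple.iCloud.sync.daemon")
    support.mkdir(parents=True)
    binary = support / "icloudsyncd"
    binary.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # fake Mach-O header, not runnable
    binary.chmod(0o6755)  # setuid + setgid, as described for the root case
    with open(agents / "com.apple.iCloud.sync.daemon.plist", "wb") as fh:
        plistlib.dump({"Label": "com.apple.iCloud.sync.daemon",  # assumed label
                       "ProgramArguments": [str(binary)],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    with open(agents / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    return home


if __name__ == "__main__":
    # Pass a real home directory to sweep it; with no argument, scan the fixture.
    home = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for finding in scan_launch_agents(launch_agent_dirs(home)):
        print(finding)
```

Matching on the program path rather than the plist file name matters here: the plist can be called anything, but launchd must be told which binary to start. A set-id bit on anything under a user's Application Support directory is itself anomalous and worth alerting on regardless of name.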

The OSX/Keydnap backdoor is capable of gathering the passwords and keys stored in the OS X keychain, and leverages the Keychaindump proof-of-concept available on GitHub for that (both feature the same function names in the source code). The software reads securityd’s memory and looks for the decryption key for the user’s keychain, a process previously described in a paper by K. Lee and H. Koo.

Keydnap connects to the command and control (C&C) server by using the onion.to Tor2Web proxy over HTTPS. The malware reports that it started operations, sends the content of the keychain, requests tasks, reports the output of a command that was executed, and reports when a task was completed. The HTTP POST content includes the bot ID and data, which is encrypted with a specific RC4 key (data is replaced with a keychain field when exfiltrating the passwords).
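The one network detail the article gives that a defender can act on is the use of the onion.to Tor2Web proxy: a managed Mac should have no reason to reach a .onion.to host. The following is an added example, not ESET's or the article's code, that runs over constructed proxy-log lines in a simple space-separated format, flags every request to a host under .onion.to, and counts POSTs per client. The hostname and paths in the sample log are made up; the log format is an assumption and would need adapting to a real proxy.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed log format: "<timestamp> <client> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# The Tor2Web gateway named in the article; other gateways can be added here.
TOR2WEB_SUFFIXES = (".onion.to",)

# Constructed sample: one client beaconing through onion.to, one doing normal browsing.
SAMPLE_LOG = """\
2016-07-06T10:01:02Z 10.0.0.12 GET https://www.apple.com/ 200 5123
2016-07-06T10:01:15Z 10.0.0.12 CONNECT abcdefghijklmnop.onion.to:443 200 0
2016-07-06T10:01:16Z 10.0.0.12 POST https://abcdefghijklmnop.onion.to/CONSTRUCTED/started 200 312
2016-07-06T10:03:40Z 10.0.0.12 POST https://abcdefghijklmnop.onion.to/CONSTRUCTED/keychain 200 4096
2016-07-06T10:05:00Z 10.0.0.33 GET https://example.org/index.html 200 812
"""


def hostname(url: str) -> str:
    """Host part of a URL; also handles bare 'host:port' targets from CONNECT lines."""
    if "://" not in url:
        url = "//" + url                      # make urlsplit treat it as a netloc
    return (urlsplit(url).hostname or "").lower()


def is_tor2web(host: str) -> bool:
    return host.endswith(TOR2WEB_SUFFIXES)


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_tor2web_requests(lines):
    """Every parsed request whose destination host is a Tor2Web gateway."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = hostname(rec["url"])
        if is_tor2web(host):
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "method": rec["method"], "host": host})
    return hits


def posts_per_client(hits):
    """Count POSTs per client: repeated POSTs to the gateway suggest beaconing."""
    return Counter(h["client"] for h in hits if h["method"] == "POST")


if __name__ == "__main__":
    hits = find_tor2web_requests(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(dict(posts_per_client(hits)))
```

Because the C&C traffic is HTTPS, a proxy that does not intercept TLS will only log the CONNECT to the gateway host, so the CONNECT line is the reliable signal; the POST lines and their sizes are visible only where TLS inspection is in place.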

The backdoor supports commands such as uninstall and quit, update from a base64-encoded file, update given a URL, decode and execute a base64-encoded file or Python script, download and execute a file or Python script from a URL, execute a command and report the output, request administrator privileges the next time the user runs an application, and decode and execute, or stop, a base64-encoded file called authd_service.

“There are a few missing pieces to this puzzle. We do not know at this point how Keydnap is distributed. Nor do we know how many victims there are out there. Although there are multiple security mechanisms in place in OS X to mitigate malware, it’s possible to deceive the user into executing non-sandboxed malicious code by replacing the icon of a Mach-O file,” ESET concludes.

Keydnap is the second Mac OS X backdoor to have made it to the headlines this week, after Bitdefender published a report on Backdoor.MAC.Eleanor, a piece of malware that can supposedly be used for cyber-espionage.
