New OS X Backdoor Steals Mac Keychain Content

A new Mac OS X piece of malware was designed to steal the content of the keychain and to establish permanent backdoor access to the infected system, ESET security researchers warn.

Dubbed OSX/Keydnap, the new threat is supposedly distributed via malicious attachments in spam messages, but researchers say that downloads from untrusted websites might also be used as infection vectors. While the exact distribution mechanism for the malware is uncertain, researchers say that one downloader component is known to be distributed in a .zip file.

The .zip archive contains a Mach-O executable disguised as a .txt or .jpg file: a space character is appended to the extension, so double-clicking the file launches it in Terminal rather than opening it in Preview or TextEdit, as a normal document would. The executable also carries the icon that Finder normally assigns to JPEG or text files, so users are more likely to open it believing it is benign.
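The extension-padding trick described above is easy to spot mechanically: an archive entry whose name ends in a document extension followed by whitespace, and whose first bytes are a Mach-O magic value, is not a document. The following scanner is an added example written for this article, not code from ESET or from the malware; the archive it inspects is constructed inline, and the list of "document" extensions it treats as suspicious is an assumption.

```python
import io
import zipfile

# Mach-O magic values (thin binaries in both byte orders) plus the fat/universal magic.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    (32-bit, big-endian)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    (32-bit, little-endian)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC   (universal binary)
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}

# Extensions a user would expect to open in Preview or TextEdit (assumed list).
DOCUMENT_EXTENSIONS = (".txt", ".jpg", ".jpeg", ".png", ".pdf", ".rtf")


def is_macho(header: bytes) -> bool:
    """True when the first four bytes are a Mach-O or fat-binary magic value."""
    return header[:4] in MACHO_MAGICS


def has_padded_document_extension(name: str) -> bool:
    """True for names like 'screenshot.jpg ' (document extension + trailing whitespace)."""
    stripped = name.rstrip(" \t")
    if stripped == name:
        return False
    return stripped.lower().endswith(DOCUMENT_EXTENSIONS)


def scan_zip(data: bytes) -> list:
    """Return (entry name, reason) for every entry that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                header = fh.read(4)
            padded = has_padded_document_extension(name)
            macho = is_macho(header)
            if padded and macho:
                findings.append((name, "Mach-O executable with padded document extension"))
            elif macho and name.lower().endswith(DOCUMENT_EXTENSIONS):
                findings.append((name, "Mach-O executable with document extension"))
            elif padded:
                findings.append((name, "trailing whitespace after extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one disguised Mach-O, one real JPEG header, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 64-bit little-endian Mach-O magic, name padded with a trailing space
        zf.writestr("screenshot.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        # genuine JPEG SOI marker, unpadded name
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28)
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_zip()):
        print(f"{entry!r}: {reason}")
```

The check keys on content, not on the icon: the icon Finder displays is cosmetic metadata, whereas the Mach-O magic is what the loader actually acts on. A mail gateway or endpoint agent can apply the same two tests to any archive before the user sees it.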

The unsigned Mach-O executable will download and execute the backdoor component, and will also replace its content with a decoy, either using a base64-encoded embedded file or by downloading it from the Internet. Moreover, it opens a decoy document and closes the terminal window that it just opened, researchers say.

The decoy document is meant to replace the Mach-O downloader on disk, leaving the malicious executable only inside the ZIP file, ESET’s researchers found. While the downloader has no persistence mechanism, the backdoor adds an entry to the LaunchAgents directory, which allows it to survive reboots.

According to ESET, because recent malware samples were embedding decoy documents that were screenshots of botnet C&C panels or dumps of credit card numbers, it is possible that Keydnap was meant to target users of underground forums or security researchers. Recent versions also have a version number, yet all samples have the filename icloudsyncd, ESET says.

The backdoor, which is packed with a modified version of UPX, achieves persistence by installing a plist file in /Library/LaunchAgents/ (if root privileges are available) or in $USER/Library/LaunchAgents/ (without root). The icloudsyncd executable is kept in the Library/Application Support/ directory, along with the process ID of the running malware. If root privileges are available, the malware ensures that it can keep running as root by changing the owner of icloudsyncd to root:admin and by making the executable setuid and setgid. It also hides its real location from process listings by replacing argv[0] with /usr/libexec/icloudsyncd -launchd netlogon.bundle.
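The persistence details above give a responder three concrete things to audit: LaunchAgents plists whose program references icloudsyncd (or the spoofed /usr/libexec/icloudsyncd path), the executable under Library/Application Support/, and whether that executable carries setuid or setgid bits. The auditor below is an added example written for this article, not ESET's tooling; the plist labels and the temporary directory layout it builds for demonstration are constructed, and the two LaunchAgents locations come from the article.

```python
import plistlib
import stat
import tempfile
from pathlib import Path

# Indicators taken from the article; the spoofed argv[0] path is included
# in case a plist was written to mirror it.
SUSPICIOUS_TOKENS = ("icloudsyncd", "/usr/libexec/icloudsyncd")


def launch_agent_dirs(home: str) -> list:
    """The two plist locations the article names: system-wide (root) and per-user."""
    return [Path("/Library/LaunchAgents"), Path(home) / "Library" / "LaunchAgents"]


def is_setuid_or_setgid(mode: int) -> bool:
    """True when a st_mode value has the setuid or setgid bit set."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def plist_program(plist: dict) -> list:
    """Collect every path and argument the launch agent would execute."""
    items = []
    if "Program" in plist:
        items.append(str(plist["Program"]))
    items.extend(str(a) for a in plist.get("ProgramArguments", []))
    return items


def audit_launch_agents(dirs) -> list:
    """Return (plist path, reason) findings for agents matching the Keydnap indicators."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue  # e.g. /Library/LaunchAgents is absent on a non-macOS host
        for p in sorted(d.glob("*.plist")):
            try:
                with open(p, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception:
                findings.append((str(p), "unparseable plist"))
                continue
            argv = plist_program(plist)
            for item in argv:
                if any(tok in item for tok in SUSPICIOUS_TOKENS):
                    findings.append((str(p), f"references {item}"))
                    break
            # The first element is the program to run: check its mode bits if it exists.
            if argv:
                target = Path(argv[0])
                if target.is_file() and is_setuid_or_setgid(target.stat().st_mode):
                    findings.append((str(p), f"{argv[0]} is setuid/setgid"))
    return findings


def build_sample_tree() -> str:
    """Constructed sample: a temporary 'home' with one benign agent and one Keydnap-like agent."""
    root = tempfile.mkdtemp()
    agents = Path(root) / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    support = Path(root) / "Library" / "Application Support"
    support.mkdir(parents=True)
    binary = support / "icloudsyncd"
    binary.write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only; not a real executable
    with open(agents / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    # Label is a constructed placeholder, not the malware's real plist name.
    with open(agents / "com.example.keydnap-like.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.keydnap-like",
                       "ProgramArguments": [str(binary), "-launchd", "netlogon.bundle"],
                       "RunAtLoad": True}, fh)
    return root


if __name__ == "__main__":
    home = build_sample_tree()
    for path, reason in audit_launch_agents(launch_agent_dirs(home)):
        print(f"{path}: {reason}")
```

On a real Mac the call would be `audit_launch_agents(launch_agent_dirs(os.path.expanduser("~")))`, run for each local user. Matching on the program path rather than the plist filename matters here because the plist name is under the attacker's control, while the executable path is what launchd will actually run.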

The OSX/Keydnap backdoor is capable of gathering the passwords and keys stored in the OS X keychain, and for that it leverages the Keychaindump proof-of-concept available on GitHub (both feature the same function names in the source code). The tool reads securityd’s memory and searches for the decryption key of the user’s keychain, a technique previously described in a paper by K. Lee and H. Koo.

Keydnap connects to the command and control (C&C) server by using the Tor2Web proxy over HTTPS. The malware reports that it started operations, sends the content of the keychain, requests tasks, reports the output of a command that was executed, and reports when a task was completed. The HTTP POST content includes the bot ID and data, which is encrypted with a specific RC4 key (data is replaced with a keychain field when exfiltrating the passwords).

The backdoor supports commands to uninstall and quit, update itself from a base64-encoded file, update itself from a URL, decode and execute a base64-encoded file or Python script, download and execute a file or Python script from a URL, execute a command and report its output, request administrator privileges the next time the user runs an application, and decode and execute, or stop, a base64-encoded file called authd_service.

“There are a few missing pieces to this puzzle. We do not know at this point how Keydnap is distributed. Nor do we know how many victims there are out there. Although there are multiple security mechanisms in place in OS X to mitigate malware, it’s possible to deceive the user into executing non-sandboxed malicious code by replacing the icon of a Mach-O file,” ESET concludes.

Keydnap is the second Mac OS X backdoor to have made it to the headlines this week, after Bitdefender published a report on Backdoor.MAC.Eleanor, a piece of malware that can supposedly be used for cyber-espionage.
