Researchers have caught malware being spread through a signed version of Transmission, the popular OS X BitTorrent client.
A team of malware analysts notified Transmission after the malicious file was discovered on the Transmission application's official website. Transmission promptly removed the file. Even so, it's unclear when the malware, which goes by the name OSX/Keydnap, first made it onto the site.
As ESET's researchers explain:
"According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following files or directory:"
Under no circumstances do you want to find any of the above files running on your computer. Their presence points to an active Keydnap infection, which doesn't mean anything good for a Mac user's passwords.
ESET's researchers elaborate in another blog post:
"The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X's keychain. The author simply took a proof-of-concept example available on Github called Keychaindump. It reads securityd’s memory and searches for the decryption key for the user’s keychain. This process is described in a paper by K. Lee and H. Koo. One of the reasons we think the source was taken directly from Github is that the function names in the source code are the same in the Keydnap malware."
Interestingly, this version of OSX/Keydnap bears a striking similarity to OSX.KeRanger.A, the first fully functional ransomware which posed as version 2.90 of Transmission back in March.
Coincidence? Not bloody likely! The code responsible for dropping the malware payload is the same:
OSX/Keydnap and OSX.KeRanger.A also share a C&C URL resource path and parameter as well as a legitimate code signing key that was signed by Apple, meaning that both malware samples can bypass GateKeeper.
Per ESET's recommendation, if you installed Transmission v2.92 between August 28th and August 29th of this year, make sure you check for the presence of those files. If they're there, remove them and scan your system with an anti-virus solution just to be on the safe side.