Published on August 31st, 2016 | by Admin
Mac malware distributed via BitTorrent client application, Transmission – ESET research
ESET researchers have discovered that the malware known as OSX/Keydnap was spread via a recompiled version of the otherwise legitimate open source BitTorrent client application, Transmission. Worse, this Trojanized version was distributed from the official Transmission website.
Last month, ESET researchers wrote about OSX/Keydnap, which was a new OS X malware at the time, built to steal the content of OS X’s keychain and maintain a permanent backdoor.
Please see below or visit the ESET blog for further details about this malware. Don’t hesitate to let me know if you’d like an interview on this topic with Nick FitzGerald, Senior Research Fellow at ESET.
About OSX/Keydnap
Keydnap used the same distribution technique as KeRanger, the OS X ransomware discovered in March 2016 that was also delivered through a Trojanized Transmission build. In both cases, a malicious block of code is added to the main function of the Transmission application, and the code responsible for dropping and running the malicious payload is astonishingly similar.
As in the KeRanger case, the malicious Transmission application bundle was signed with a legitimate code signing certificate. It is not the Transmission project's own certificate, but it was issued by Apple, so the bundle passes Gatekeeper's signature check.
ESET found that Keydnap is now at version 1.5. It is still packed with the modified UPX described in ESET's earlier article about Keydnap, and the patch ESET published on GitHub to unpack the executable file still works with the new variant.
A significant change in the new version is the presence of a standalone Tor client. This lets Keydnap reach its onion-routed C&C server directly, without needing a Tor2Web relay such as onion.to.
Advice from ESET Australia to avoid the infection
“Because the Trojanized version of Transmission is validly signed, Gatekeeper would have let this Keydnap variant run, unlike in the previous case we reported,” says Nick FitzGerald, ESET Senior Research Fellow. “However,” he continued, “we suggest that OS X users check that the Gatekeeper security feature is enabled. This will prevent future execution of this malware, or any other malware that could be signed with the same compromised key, once Apple revokes the key used in this incident.”
ESET believes the malicious version of Transmission was distributed from the official Transmission site for about a day. The malicious application bundle was signed on August 28th, 2016, but it seems to have been distributed only on the following day. Anyone who downloaded Transmission v2.92 on August 28th or August 29th, 2016, is therefore advised to check whether their system is compromised by testing for the presence of any of the following files or directories:
/Applications/Transmission.app/Contents/Resources/License.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
/Library/Application Support/com.apple.iCloud.sync.daemon/
$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist
$HOME/Library/Application Support/com.geticloud/
If any of them exists, the malicious Transmission application was executed and Keydnap is most likely running. In that case, ESET has provided manual removal instructions to the Transmission team, which has published them here.
Finally, note also that the malicious disk image was named Transmission2.92.dmg, while the legitimate one is Transmission-2.92.dmg (note the hyphen).
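The following script is an added example (it is not ESET's or the Transmission project's code) that turns the indicator list and the disk-image naming difference above into a repeatable check. The function names, the `--scan` flag and the home/root parameters are this example's own conventions; the parameters exist so the check can be pointed at a mounted image or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: check a Mac for the OSX/Keydnap file indicators published
# by ESET. Not ESET's or Transmission's code. Home and root are parameters
# so the same functions can inspect a test tree or a mounted disk image.

# Print the indicator paths, one per line, for a given home dir and root.
# A root of "/" is reduced to "" so the paths are not doubled-slashed.
keydnap_ioc_paths() {
  home="$1"
  root="${2%/}"
  cat <<EOF
$root/Applications/Transmission.app/Contents/Resources/License.rtf
$root/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$home/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$home/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$home/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
$root/Library/Application Support/com.apple.iCloud.sync.daemon/
$home/Library/LaunchAgents/com.geticloud.icloud.photo.plist
$home/Library/Application Support/com.geticloud/
EOF
}

# Print every indicator path that exists on disk (nothing if clean).
# read -r per line keeps the spaces in "Application Support" intact.
keydnap_scan() {
  keydnap_ioc_paths "$1" "$2" | while IFS= read -r p; do
    if [ -e "$p" ]; then
      printf '%s\n' "$p"
    fi
  done
}

# Return 0 (true) if any indicator is present, 1 if none is.
keydnap_infected() {
  [ -n "$(keydnap_scan "$1" "$2")" ]
}

# The Trojanized image was Transmission2.92.dmg; the legitimate one is
# Transmission-2.92.dmg. Return 0 if a file name matches the malicious one.
suspicious_dmg_name() {
  case "$(basename "$1")" in
    Transmission2.92.dmg) return 0 ;;
    *) return 1 ;;
  esac
}

# Direct use on the live system: sh keydnap_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
  if keydnap_infected "$HOME" /; then
    echo "Keydnap indicators present:"
    keydnap_scan "$HOME" /
    exit 2
  fi
  echo "No Keydnap indicators found"
fi
```

On the affected machine, `codesign -dv --verbose=4 /Applications/Transmission.app` prints the Authority chain and TeamIdentifier of the installed bundle, which is how to confirm whether it carries the Transmission project's certificate or the different Apple-issued one used in this incident. Presence of any indicator means the dropped launch agent is probably already running, so removal should follow the instructions ESET supplied to the Transmission team rather than simply deleting the files.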