What is OSX.Keydnap
OSX.Keydnap, usually just called Keydnap, is malware that targets Mac OS X. It is classified as a Trojan horse whose purpose is to steal the victim's passwords, specifically the contents of the macOS keychain. It was first documented in 2016 by ESET researchers.
How it is distributed
Keydnap does not infect a system on its own; the user has to run it. It is typically distributed as a ZIP archive containing a native executable with a misleading name. The file looks like a .txt or .jpg, but the extension is followed by a trailing space: what reads as "photo.jpg" is actually "photo.jpg ". Because the name no longer ends in a recognised extension, the system treats the file by its real type (an executable) rather than as an image or text file when it is double-clicked. The file also carries a custom icon matching the fake extension, so the user has little visual reason to suspect it.
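The lure described above can be caught before anyone double-clicks it by looking at what the archive actually contains rather than at what the names suggest. The following Python script is an added example (not code from the original article or from ESET's analysis); it builds a constructed ZIP containing a fake "photo.jpg " (Mach-O magic bytes, execute bit set) beside a genuine JPEG, and flags any member whose visible extension says "data" while its header bytes or mode bits say "executable". The archive contents and file names are invented for the demonstration, not taken from a real Keydnap sample.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Magic numbers identifying a native macOS executable.  A 64-bit Mach-O
# starts with 0xFEEDFACF; stored little-endian on disk that is CF FA ED FE.
# 0xCAFEBABE is the fat/universal header (it is also the Java class-file
# magic, a known false-positive source for this check).
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O, BE / LE
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O, BE / LE
    b"\xca\xfe\xba\xbe",                        # fat (universal) binary
)

# Extensions a user treats as harmless data rather than as a program.
DATA_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".pdf", ".doc"}


def extension_spoof(name: str) -> Optional[str]:
    """Return the data extension being imitated if the file name ends in one
    followed by trailing whitespace (e.g. 'photo.jpg '), otherwise None."""
    base = name.rsplit("/", 1)[-1]
    if base == base.rstrip():
        return None                      # no trailing whitespace, nothing hidden
    stem = base.rstrip()
    dot = stem.rfind(".")
    if dot == -1:
        return None
    ext = stem[dot:].lower()
    return ext if ext in DATA_EXTENSIONS else None


def is_macho(head: bytes) -> bool:
    """True if the first four bytes carry a Mach-O or fat-binary magic."""
    return head[:4] in MACHO_MAGICS


def scan_zip(blob: bytes) -> List[Dict[str, object]]:
    """Flag members whose name says 'data' but whose bytes say 'executable'.
    Only the first four bytes of each member are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            spoofed = extension_spoof(info.filename)
            macho = is_macho(head)
            # Unix mode bits live in the top 16 bits of external_attr; 0o111
            # is any execute bit.  A "photo" with +x set is suspicious by itself.
            mode = info.external_attr >> 16
            executable_bit = bool(mode & 0o111)
            if spoofed or macho:
                findings.append({
                    "name": info.filename,
                    "spoofed_extension": spoofed,
                    "macho": macho,
                    "executable_bit": executable_bit,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one lure (Mach-O bytes named 'photo.jpg ' with +x)
    and one genuine JPEG header.  Not a real Keydnap sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lure = zipfile.ZipInfo("photo.jpg ")          # note the trailing space
        lure.external_attr = 0o100755 << 16           # regular file, rwxr-xr-x
        zf.writestr(lure, b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        real = zipfile.ZipInfo("holiday.jpg")
        real.external_attr = 0o100644 << 16           # regular file, rw-r--r--
        zf.writestr(real, b"\xff\xd8\xff\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(finding)
```

Run against a downloaded archive with `scan_zip(open(path, "rb").read())`; anything reported with both `spoofed_extension` and `macho` set is exactly the Keydnap trick. Checking the first bytes matters more than the name check alone, because a trailing space is only one of several ways to hide an extension.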
How it operates
When the victim double-clicks the disguised file, the executable runs in a Terminal window. It downloads a decoy document (an image or text file matching the fake extension) and opens it in the file's place, so the user sees what they expected, and it closes the Terminal window almost immediately, so most victims never notice anything happened. In the background it installs a backdoor that runs as a process named icloudsyncd, registered as a persistent launchd agent so that it is restarted and kept running. This icloudsyncd process communicates with a Command & Control (C&C) server, from which it receives instructions. To obtain the passwords, Keydnap uses a proof-of-concept tool called Keychaindump to read the contents of the user's keychain (what Keychain Access displays) and sends the harvested credentials back to the attackers through the C&C channel.
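The behaviour above gives a defender two host-side signals: a process with an Apple-sounding name running from a user-writable location, and a launchd job definition that keeps such a program alive. The Python below is an added example (not the article's or ESET's code) that checks both over constructed input: a few lines shaped like `ps -axo pid=,user=,comm=` output and one launchd property list. The process paths, the user name and the job label `com.example.icloud.sync` are invented for the demonstration; the only name taken from the article is the process name icloudsyncd. The check is deliberately more general than that single name, flagging any Apple-lookalike name that is not running from Apple's own system directories.

```python
import os
import plistlib
import re
from typing import Dict, List

# Directories where genuine Apple-signed system binaries live.  A process that
# borrows an Apple-style name but runs from a home directory, /tmp or
# /var/folders deserves a second look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Name fragments an attacker picks to blend in with Apple daemons.
APPLE_LOOKALIKE = re.compile(r"icloud|apple|syncd", re.IGNORECASE)


def looks_apple_but_untrusted(path: str) -> bool:
    """True when the executable's name mimics Apple naming while its path is
    outside the trusted system locations."""
    name = os.path.basename(path)
    return bool(APPLE_LOOKALIKE.search(name)) and not path.startswith(TRUSTED_PREFIXES)


def scan_process_table(ps_output: str) -> List[Dict[str, str]]:
    """ps_output: text in the shape of `ps -axo pid=,user=,comm=`.  On macOS
    comm is the full executable path, which may itself contain spaces, so the
    line is split into at most three fields."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) != 3:
            continue
        pid, user, path = parts
        if looks_apple_but_untrusted(path):
            hits.append({"pid": pid, "user": user, "path": path})
    return hits


def scan_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Inspect one launchd job definition (a LaunchAgents/LaunchDaemons plist).
    'suspicious' is True when the program mimics Apple naming outside trusted
    paths; 'persistent' when launchd would start it at login (RunAtLoad) or
    restart it whenever it exits (KeepAlive)."""
    job = plistlib.loads(plist_bytes)
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    persistent = bool(job.get("KeepAlive")) or bool(job.get("RunAtLoad"))
    return {
        "label": job.get("Label", ""),
        "program": program,
        "persistent": persistent,
        "suspicious": looks_apple_but_untrusted(program),
    }


# --- constructed sample input; not captured from a real infection ---
SAMPLE_PS = """\
    1 root  /sbin/launchd
  312 alice /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
  587 alice /Users/alice/Library/Application Support/iCloudSync/icloudsyncd
  602 alice /Applications/Safari.app/Contents/MacOS/Safari
"""

SAMPLE_AGENT = plistlib.dumps({
    "Label": "com.example.icloud.sync",       # hypothetical label
    "ProgramArguments": ["/Users/alice/Library/Application Support/iCloudSync/icloudsyncd"],
    "RunAtLoad": True,
    "KeepAlive": True,                         # this is what "kept running" means to launchd
})


if __name__ == "__main__":
    for hit in scan_process_table(SAMPLE_PS):
        print("suspicious process:", hit)
    print("launch agent verdict:", scan_launch_agent(SAMPLE_AGENT))
```

On a live Mac, feed `scan_process_table` the output of `ps -axo pid=,user=,comm=` and run `scan_launch_agent` over each file in `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`. A hit from both checks that points at the same binary is the pattern the article describes: a disguised daemon that launchd keeps alive.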
Staying safe from OSX.Keydnap
There is one major obstacle Keydnap has to get past before it runs: Gatekeeper. A user who is paying attention will see a dialog warning of the danger. For a file with the ".jpg " name, the text reads along the lines of "'nameofthefile.jpg ' can't be opened because it is from an unidentified developer". That is because, in its default setting, Gatekeeper only runs applications signed with a valid Apple Developer ID certificate (or from the Mac App Store), and the Keydnap executable is unsigned. You can confirm that verdict yourself from a Terminal with `spctl --assess -v` followed by the path to the file, which reports "rejected" for an unsigned binary. Even if you have Gatekeeper set to allow apps from anywhere, a file downloaded by a browser still carries the quarantine attribute, so macOS will show a dialog saying that the file is actually an application downloaded from the Internet and asking whether you want to open it. In either case, cancel. Note that this safety net only exists for quarantined files; an executable that arrived by some route that does not set the quarantine attribute gets no prompt at all.
To stay safe from an OSX.Keydnap infection, keep Gatekeeper enabled and pay close attention to what you download and open. Do not rush to click "I accept" or "OK" before reading what the dialog actually says; a "photo" that macOS describes as an application is not a photo. Keep reliable antivirus software installed and updated on your Mac.