Last month ESET researchers wrote an article about a
new OS X malware called OSX/Keydnap, built to steal the content of OS X’s
keychain and maintain a permanent backdoor. At the time of that analysis, it
was unclear how victims were exposed to OSX/Keydnap. To quote the original
article: “It could be through attachments in spam messages, downloads from
untrusted websites or something else.”
In the last few hours, OSX/Keydnap was distributed on a trusted
website, which turned out to be that “something else”. It spread via a recompiled
version of the otherwise legitimate open source BitTorrent client application
Transmission, distributed from the project’s official website.
Instant response from the Transmission team
Literally minutes after being notified by ESET, the Transmission
team removed the malicious file from their web server and launched an
investigation to identify how this happened. At the time of writing, it was
impossible to tell exactly when the malicious file was made available for
download. According to the signature, the application bundle was signed on
August 28th, 2016, but it seems to have been distributed only the next day.
Thus, we advise anyone who downloaded Transmission v2.92 between August 28th
and August 29th, 2016, inclusive, to verify whether their system is compromised by
testing for the presence of any of the following files or directories:
- /Applications/Transmission.app/Contents/Resources/License.rtf
- /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
- /Library/Application Support/com.apple.iCloud.sync.daemon/
- $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist
If any of them exists, it means the malicious Transmission
application was executed and that Keydnap is most likely
running. Also note that the malicious disk image was named Transmission2.92.dmg, while the legitimate one is Transmission-2.92.dmg (notice the hyphen).
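The check described above, as an added POSIX shell example (not ESET’s code or a tool from the investigation): it tests each listed path and flags the hyphen-less disk image name. The optional root-prefix and home arguments are assumptions added so the check can be exercised against a staging directory instead of the live system.

```shell
#!/bin/sh
# Print the OSX/Keydnap indicator paths from the advisory, one per line.
# $1 = optional root prefix (assumed, for testing), $2 = home dir (defaults to $HOME).
keydnap_indicators() {
  root="${1:-}"
  home="${2:-$HOME}"
  cat <<EOF
$root/Applications/Transmission.app/Contents/Resources/License.rtf
$root/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$root$home/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$root$home/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$root$home/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
$root/Library/Application Support/com.apple.iCloud.sync.daemon/
$root$home/Library/LaunchAgents/com.geticloud.icloud.photo.plist
EOF
}

# Return 0 when no indicator exists, 1 when at least one does (each hit is printed).
# A here-document is used instead of a pipe so the counter survives the loop.
keydnap_check() {
  hits=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if [ -e "$p" ]; then
      echo "FOUND: $p"
      hits=$((hits + 1))
    fi
  done <<EOF
$(keydnap_indicators "$1" "$2")
EOF
  [ "$hits" -eq 0 ]
}

# Return 0 when a downloaded image carries the malicious hyphen-less name.
keydnap_dmg_name_suspicious() {
  case "$(basename "$1")" in
    Transmission2.92.dmg) return 0 ;;
    *) return 1 ;;
  esac
}

if keydnap_check; then
  echo "No OSX/Keydnap indicators found"
else
  echo "OSX/Keydnap indicators present; treat this system as compromised"
fi
```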
Similarity with KeRanger
If this modus operandi sounds familiar, you are totally correct.
In March 2016, Palo Alto Networks published a blog
post warning about the first OS X ransomware observed. In fact,
Keydnap used the same technique to spread itself.
In both cases, a malicious block of code is added to the main
function of the Transmission application. The code responsible for dropping and
running the malicious payload is, astonishingly, the same.