
Keydnap malware: How does it steal Mac passwords?

The Keydnap malware has the ability to steal passwords stored in the Keychain Access app on Mac systems. Expert Nick Lewis explains how to mitigate this issue.

A Mac malware strain known as Keydnap was recently discovered by researchers at ESET. The Keydnap malware is named for its ability to steal passwords and encryption keys stored in a Mac's Keychain Access feature. ESET also discovered how Keydnap disguises itself and tricks users into installing the Mac malware strain. How does Keydnap work, and what's the best option to avoid this threat?

Malware frequently targets passwords, as they are among the most valuable pieces of data, along with credit card numbers and personally identifiable information. Some malware specifically targets banking websites and the individual passwords entered into them so the attacker can gain access to those bank accounts. Less common, but potentially more damaging for end users, is malware that targets the passwords stored in a password manager, as the Keydnap malware does. Password managers should have protections built in to try to prevent malware from stealing all of the stored passwords, but there is little these applications can do when malware running in the context of an authorized user, including the root user, accesses the passwords. Even with this risk, the benefit of using a password manager outweighs the risk.

ESET researchers discovered that once the Keydnap malware is on an end user's system, the user still needs to execute it before it infects the system. The downloader component is distributed as a zip file containing an executable whose name ends in .txt or .jpg followed by a trailing space, so that the file appears to be a harmless document or image; the executable also carries an icon matching a TXT or JPEG file. Macs have Gatekeeper enabled by default, which asks the user whether they want to open files downloaded from the internet, but given the seemingly safe file name, some users might allow the file to execute.

Once the downloader executes, it runs an additional Mac malware component named icloudsyncd and installs it as a launch agent, either under the user's profile directory or under the system-wide /Library/LaunchAgents/, so that it runs when the computer starts up or the user logs in. It then uses a proof-of-concept tool named Keychaindump to extract the passwords from Keychain Access. Finally, the malware sends the passwords to the command-and-control (C&C) system through a Tor2web proxy.
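The two observable traces described above, a document-named file with a trailing space that is really a Mach-O binary, and a LaunchAgent plist that starts a binary named icloudsyncd, can both be checked for from a defender's side. The following script is an added example written for this article, not ESET's tooling or anything from the malware; it builds a constructed fixture in a temporary directory (the label com.example.constructed, the paths and the Mach-O stub are all made up for the demonstration) and runs both checks over it. The program name icloudsyncd is the only value taken from the article; extend SUSPICIOUS_PROGRAMS with the names from ESET's published indicators of compromise when running this against a real Downloads or LaunchAgents folder.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers (32- and 64-bit, both byte orders) and the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
DOCUMENT_EXTENSIONS = (".txt", ".jpg", ".jpeg")
# Binary name reported for the Keydnap payload; extend with names from the ESET IoCs.
SUSPICIOUS_PROGRAMS = {"icloudsyncd"}


def is_macho(path):
    """True if the file starts with a Mach-O magic number."""
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def looks_like_disguised_executable(path):
    """A document-style name with a trailing space that is actually a Mach-O binary."""
    name = path.name
    if not name.endswith(" "):
        return False
    if not name.rstrip(" ").lower().endswith(DOCUMENT_EXTENSIONS):
        return False
    return is_macho(path)


def find_disguised_executables(root):
    """Walk a download folder and return every file that matches the disguise pattern."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and looks_like_disguised_executable(p))


def launch_agent_entry(plist_path):
    """Return (label, [programs]) for one LaunchAgent plist."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    programs = []
    if "Program" in data:
        programs.append(str(data["Program"]))
    programs.extend(str(arg) for arg in data.get("ProgramArguments", []))
    return str(data.get("Label", "")), programs


def find_suspicious_launch_agents(agent_dir):
    """Return (plist path, label, programs) for agents that launch a known-bad binary name."""
    hits = []
    for plist_path in sorted(Path(agent_dir).glob("*.plist")):
        try:
            label, programs = launch_agent_entry(plist_path)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable or malformed plist: skip rather than crash the scan
        if any(os.path.basename(p) in SUSPICIOUS_PROGRAMS for p in programs):
            hits.append((plist_path, label, programs))
    return hits


def build_sample_tree():
    """Constructed fixture: a fake Downloads folder and LaunchAgents folder in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="keydnap-demo-"))
    downloads = root / "Downloads"
    agents = root / "LaunchAgents"
    downloads.mkdir()
    agents.mkdir()
    # Constructed sample: a 64-bit Mach-O header plus padding, named like a JPEG with a
    # trailing space, which is the disguise the article describes.
    (downloads / "invoice.jpg ").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    # Benign controls: a real text file, and a JPEG-named file without the trailing space.
    (downloads / "notes.txt").write_text("meeting notes\n")
    (downloads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    # Constructed LaunchAgent pointing at a binary named like the Keydnap payload.
    with open(agents / "com.example.constructed.plist", "wb") as fh:
        plistlib.dump({
            "Label": "com.example.constructed",
            "ProgramArguments": [str(root / "constructed" / "icloudsyncd")],
            "RunAtLoad": True,
        }, fh)
    # Benign LaunchAgent for comparison.
    with open(agents / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    return root


def run_demo(root):
    """Run both checks over the sample tree and return the findings."""
    return {
        "disguised": find_disguised_executables(root / "Downloads"),
        "launch_agents": find_suspicious_launch_agents(root / "LaunchAgents"),
    }


if __name__ == "__main__":
    findings = run_demo(build_sample_tree())
    for path in findings["disguised"]:
        print(f"disguised executable: {path!r}")
    for path, label, programs in findings["launch_agents"]:
        print(f"suspicious LaunchAgent {label} ({path}): {programs}")
```

The file check deliberately reads magic bytes rather than trusting the name or icon, because the name and icon are exactly what the disguise controls; the LaunchAgent check reads both Program and ProgramArguments, since either key can name the binary that launchd will start at login.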

Mac users can protect themselves from the Keydnap malware by using a host-based firewall to prevent the outbound connection to the C&C server and heeding the Gatekeeper warning. ESET also released indicators of compromise for the malware so other endpoint security tools can include new protections and block the malware.

If a Mac user who stores passwords in Keychain Access is infected by the Keydnap malware, that user must change all of the stored passwords as soon as possible, from a known secure system, to prevent unauthorized access to their accounts.


This was last published in December 2016
