BitTorrent Client ‘Transmission’ Dropping Keydnap Malware on Mac Devices

In July this year we reported on Keydnap malware targeting Mac users, stealing the OS X system keychain and maintaining a permanent backdoor. Now researchers have discovered the same malware on the website of a BitTorrent client called Transmission, and yet again the target is Mac users.


The IT security researchers at ESET were the first to discover this malware back in July, and the same researchers have now exposed OSX/Keydnap again, this time spreading through the Transmission BitTorrent client served from its official website.

“During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”. It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.”

It is currently unclear how the Transmission website came to distribute OSX/Keydnap. According to ESET researchers the malware has been removed from the site, but anyone who downloaded the Transmission client in the last couple of days should scan their Mac to check whether it has been infected by Keydnap.

Remember, besides stealing the OS X system keychain, the Keydnap malware keeps a permanent backdoor that can allow attackers to remotely target an infected Mac device.

If you have downloaded the Transmission BitTorrent client, check whether your system is compromised by testing for the presence of any of the following files or directories:

  • /Applications/Transmission.app/Contents/Resources/License.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
  • $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
  • /Library/Application Support/com.apple.iCloud.sync.daemon/
  • $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Transmission has also started an FAQ section dedicated to answering its users' questions about the Keydnap malware, according to which:

“It appears that on or about August 28, 2016, unauthorized access was gained to our website server. The official Mac version of Transmission 2.92 was replaced with an unauthorized version that contained the OSX/Keydnap malware. The infected file was available for download somewhere between a few hours and less than a day.”


This is not the first time Transmission has been found delivering malware to Mac devices. In fact, the first ever Mac ransom malware was also spread through Transmission’s website.
