Watch Out for Keydnap Malware Stealing Mac Login Credentials

The latest malware targets Mac users to steal their user credentials — Watch out and don’t fall for it!

A new Mac malware has been discovered by researchers that steal login credentials from OS-encrypted keychain allowing attackers to take over the device by maintaining a permanent backdoor.

Discovered by ESET, the malware is known OSX/Keydnap which comes in a zip file. The source of this malware is unknown but downloading files from malicious sites can be one of many reasons. Upon opening, the folder inside contains Mach-O executable file with an extension that looks like an image or a text file such as .jpg or .txt. According to Marc-Etienne M.léveillé of EST, the extension file ‘“contains a space character at the end” which, once opened runs in Terminal, however, the victim cannot view the Text file or Image file whatsoever.

Must Read: Firmware Worm Permanently Infects Macs in Seconds


Once double clicked, the infected file installs a malware on the OS along with its component known as “icloudsyncd, which further uses Tor network to set up and send reports to its command and control center. This malware also makes changes in the system allowing automatic execution whenever the system is restarted and searches for the decryption key for the user’s keychain. The two domains on Tor Onion browser exposed by researchers are g5wcesdfjzne7255.onion and r2elajikcosf7zee.onion.


Further analysis of Keydnap also shows that the malware may have been targeting security researchers and users from underground forums as recent samples embedding decoy documents contained dumps of credit card numbers, screenshots of C&C panels and botnet.

Must Read: Genieo Adware Installer Left Mac OS X Keychain Vulnerable

Another important thing to note is that the developers of this malware took a proof-of-concept example available on Github called Keychaindump. However, apart from all the dangers of this malware good news is that if users have Gatekeeper security feature in their system it will block the file from executing and display a warning message. The Gatekeeper security feature is only available on latest OS X versions.

If you are using Mac, make sure not to download files from untrusted and malicious sites, don’t download attachments from unknown emails and upgrade your system to latest OS X to get hold of best security features available.

PC World E-SET Pixa Bay/StockSnap
Related Posts