Keydnap

This piece of malware steals the contents of the user's keychain while maintaining a permanent backdoor. [1]

ID: S0276
Associated Software: OSX/Keydnap
Type: MALWARE
Platforms: macOS
Version: 1.0

Associated Software Descriptions

Name Description
OSX/Keydnap [1]

Techniques Used

Domain ID Name Use
Enterprise T1141 Input Prompt

Keydnap prompts the user for credentials. [2]

Enterprise T1159 Launch Agent

Keydnap uses a Launch Agent to persist. [2]

Enterprise T1188 Multi-hop Proxy

Keydnap uses a copy of the tor2web proxy for HTTPS communications. [2]

Enterprise T1064 Scripting

Keydnap uses Python scripting to execute additional commands. [2]

Enterprise T1167 Securityd Memory

Keydnap uses the keychaindump project to read securityd memory. [2]

Enterprise T1166 Setuid and Setgid

Keydnap adds the setuid flag to a binary so it can easily elevate privileges later. [1]

Enterprise T1151 Space after Filename

Keydnap appends a space after a fake .jpg extension so that opening the file actually launches it through Terminal.app. [2]

Enterprise T1071 Standard Application Layer Protocol

Keydnap uses HTTPS for command and control. [2]
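A defender-side check for the T1151 row above, added here as an example and not part of the ATT&CK entry or the cited analysis: it flags file names whose extension is followed by trailing whitespace, and file contents whose Mach-O or shebang header contradicts an image or document extension. The sample entries are constructed; the magic numbers are standard Mach-O constants.

```python
import re
from typing import Dict, List

# Added example, not code from the ATT&CK page or the cited analysis.
# Mach-O magic numbers (32/64-bit, both byte orders) and the fat-binary magic.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big / little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, big / little endian
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
)
# Extensions a user expects to open in Preview/TextEdit, never in Terminal.
PASSIVE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "rtf", "doc"}
# A visible extension followed by trailing whitespace, e.g. "photo.jpg ".
TRAILING_SPACE_RE = re.compile(r"\.([A-Za-z0-9]{1,5})[ \t]+$")

def is_executable_content(head: bytes) -> bool:
    """True if the leading bytes look like a Mach-O image or a shebang script."""
    return head.startswith(MACHO_MAGICS) or head.startswith(b"#!")

def inspect_file(name: str, head: bytes) -> List[str]:
    """Return human-readable findings for one file name plus its first bytes."""
    findings = []
    m = TRAILING_SPACE_RE.search(name)
    ext = m.group(1).lower() if m else name.rsplit(".", 1)[-1].lower()
    if m:
        findings.append(f"trailing whitespace after .{ext} extension")
    if ext in PASSIVE_EXTENSIONS and is_executable_content(head):
        findings.append(f"executable content behind .{ext} extension")
    return findings

def scan(entries: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each suspicious name to its findings; clean entries are omitted."""
    results = {name: inspect_file(name, head) for name, head in entries.items()}
    return {name: f for name, f in results.items() if f}

# Constructed sample entries (name -> first bytes); not real Keydnap artifacts.
SAMPLE_ENTRIES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0",        # genuine JPEG header
    "screenshot.jpg ": b"\xcf\xfa\xed\xfe\x07",  # 64-bit Mach-O behind fake .jpg
    "notes.txt ": b"#!/usr/bin/env python\n",    # script behind fake .txt
    "report.pdf": b"%PDF-1.4",
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_ENTRIES).items():
        print(repr(name), "->", "; ".join(findings))
```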

References