Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].

ID: S0276
Associated Software: OSX/Keydnap

Type: MALWARE
Platforms: macOS

Version: 1.0

Associated Software Descriptions

Name | Description
OSX/Keydnap | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1141 | Input Prompt | Keydnap prompts the user for credentials. [2]
Enterprise | T1159 | Launch Agent | Keydnap uses a Launch Agent to persist. [2]
Enterprise | T1188 | Multi-hop Proxy | Keydnap uses a copy of the tor2web proxy for HTTPS communications. [2]
Enterprise | T1064 | Scripting | Keydnap uses Python scripting to execute additional commands. [2]
Enterprise | T1167 | Securityd Memory | Keydnap uses the keychaindump project to read securityd memory. [2]
Enterprise | T1166 | Setuid and Setgid | Keydnap adds the setuid flag to a binary so it can easily elevate privileges in the future. [1]
Enterprise | T1151 | Space after Filename | Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program. [2]
Enterprise | T1071 | Standard Application Layer Protocol | Keydnap uses HTTPS for command and control. [2]

References