
Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].

ID: S0276
Associated Software: OSX/Keydnap
Type: MALWARE
Platforms: macOS
Version: 1.0

Associated Software Descriptions

Name | Description
OSX/Keydnap | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1141 | Input Prompt | Keydnap prompts users for credentials. [2]
Enterprise | T1159 | Launch Agent | Keydnap uses a Launch Agent to persist. [2]
Enterprise | T1188 | Multi-hop Proxy | Keydnap uses a copy of the tor2web proxy for HTTPS communications. [2]
Enterprise | T1064 | Scripting | Keydnap uses Python scripting to execute additional commands. [2]
Enterprise | T1167 | Securityd Memory | Keydnap uses the keychaindump project to read securityd memory. [2]
Enterprise | T1166 | Setuid and Setgid | Keydnap adds the setuid flag to a binary so it can easily elevate in the future. [1]
Enterprise | T1151 | Space after Filename | Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program. [2]
Enterprise | T1071 | Standard Application Layer Protocol | Keydnap uses HTTPS for command and control. [2]

References