This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].

ID: S0276
Associated Software: OSX/Keydnap
Platforms: macOS
Version: 1.2
Created: 17 October 2018
Last Modified: 17 October 2021

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1548 .001 Abuse Elevation Control Mechanism: Setuid and Setgid

Keydnap adds the setuid flag to a binary so it can easily elevate in the future.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Keydnap uses HTTPS for command and control.[2]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Keydnap uses Python for scripting to execute additional commands.[2]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Keydnap uses a Launch Agent to persist.[2]

Enterprise T1555 .002 Credentials from Password Stores: Securityd Memory

Keydnap uses the keychaindump project to read securityd memory.[2]

Enterprise T1564 .009 Hide Artifacts: Resource Forking

Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system.[1]

Enterprise T1056 .002 Input Capture: GUI Input Capture

Keydnap prompts the users for credentials.[2]

Enterprise T1036 .006 Masquerading: Space after Filename

Keydnap puts a space after a false .jpg extension so that execution actually goes through the program.[2]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Keydnap uses a copy of tor2web proxy for HTTPS communications.[2]