News

Researchers find OS X malware stealing data from keychain

By admin
Spread the love

Researchers at security firm ESET have found OS X malware that steals data from the keychain and acts as a backdoor. The company has not yet been able to determine with certainty how the malware is spreading and how many victims there are.

Known as “Keydnap,” the malware arrives in the form of a zip file, believed to be an attachment to a spam email, ESET reports. In that archive are two files, a txt and a jpeg file. In reality, however, they are executable Mach object files, which the system therefore opens in the terminal.

The malware is able to do this by adding a space to the end of the file extension, the researchers explain. In addition, the zip archive contains a so-called resource fork, which makes it appear as a text file or image by displaying the corresponding OS X icons. If the user opens one of the files, the malware is executed. A warning will be displayed by the Gatekeeper security because the software is not signed.

The user must ignore this warning to get infected. When this happens, the malware downloads the backdoor and replaces the downloader itself with a fake file. These files include screenshots of botnet command-and-control server control panels, leading ESET to believe that the malware is targeting members of the underworld or security researchers. The malware then communicates with a cnc server at a tor address and allows an attacker, for example, to remotely download and execute a file from a url.

The malware can also obtain root rights through a window in which the software asks the user to enter his password. This is only shown if two processes are created in quick succession. The code responsible for stealing passwords from the Keychain password manager appears to come directly from a GitHub project called “Keychaindump,” the researchers add.

Earlier this week, researchers from security firm Bitdefender found another OS X backdoor called “Backdoor.MAC.Eleanor.” It is present in software that pretends to be a converter called EasyDoc Converter. Among other things, this malware is able to record images with built-in webcams on infected systems.

You might also like
News

Google is serious about ending passwords: ‘passkeys’ are becoming the…

News

Rumor: Apple is working on its own applications based on a large language model

News

EU Council determines position on security requirements for digital products

News

Samsung develops first GDDR7 chips, mentions bandwidths of up to 32Gbit/s per pin

News

Meta introduces open source language model Llama 2, works on PCs and phones

News

Logitech acquires stream controller maker Loupedeck