Photo via Christiaan Colen/Flickr (CC-BY-SA)
Researchers at security firm ESET discovered a particularly nasty bit of Mac-targeting malware was being spread through a corrupted version of the otherwise legitimate open source BitTorrent client, hosted directly on the Transmission website.
The malware, called OSX/Keydnap, is designed to steal passwords stored in an infected user's OS X keychain and attempts to create a permanent backdoor so it can maintain access.
ESET had been tracking the malicious program for a while and brought its existence to light in July. At the time, a researcher from ESET said it was unclear how victims of the virus became infected. They theorized it could be through attachments in emails or downloads from untrusted websites.
As it turns out, in the case of Transmission it spread through a trusted source. The rogue version of the program was signed with a legitimate Mac app development certificate, which allowed it to bypass the protection of Apple’s Gatekeeper, the security feature that protects users from installing an application from untrustworthy sources.
The Transmission team removed the malicious file from their server as soon as ESET informed them of its presence, but that means a portion of users who have downloaded the app may have been infected. It's unclear when exactly the file became available to download from the site.
ESET suggested that anyone who downloaded Transmission v2.92 between August 28 and August 29, 2016 test their system to see if it has been compromised. According to ESET, if any of the files or directories listed below are present on your machine, then OSX/Keydnap is likely running:
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
- /Library/Application Support/com.apple.iCloud.sync.daemon/
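As an added example (not code from the article, from ESET, or from the GitHub script mentioned below), the following shell functions test a Mac for exactly the paths listed above; the home and root arguments are an assumption of this example so the same check can be pointed at a mounted disk image or a scratch tree instead of the live system:

```shell
#!/bin/sh
# Added example, not code from the article, ESET or the GitHub script it
# mentions: test a Mac for the OSX/Keydnap file and directory indicators ESET
# published. The home/root arguments are an assumption of this example so the
# check can also run against a mounted disk image or a scratch tree.

# Prints the four indicator paths, one per line, for the given home and root.
keydnap_indicators() {
    home="$1"   # user home directory to inspect (e.g. "$HOME")
    root="$2"   # filesystem root to inspect (e.g. "/" or a mount point)
    cat <<EOF
$home/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$home/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$home/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
$root/Library/Application Support/com.apple.iCloud.sync.daemon/
EOF
}

# Prints only the indicators that actually exist (file or directory).
# IFS is set to a newline because the paths contain spaces.
keydnap_found() {
    old_ifs=$IFS
    IFS='
'
    for p in $(keydnap_indicators "$1" "$2"); do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    IFS=$old_ifs
}

# Prints how many indicators are present; 0 means none of ESET's markers exist.
keydnap_count() {
    keydnap_found "$1" "$2" | wc -l | tr -d ' '
}

# Run `sh keydnap_check.sh --scan` to inspect the live system.
if [ "${1:-}" = "--scan" ]; then
    hits=$(keydnap_found "$HOME" "/")
    if [ -n "$hits" ]; then
        printf 'Possible OSX/Keydnap indicators present:\n%s\n' "$hits"
    else
        echo "None of the listed OSX/Keydnap indicators were found."
    fi
fi
```

A non-zero count is a reason to run a trusted antivirus product or the removal script, not proof on its own; a clean count only says these particular markers are absent.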
The files can be removed by using a trusted antivirus program, including ESET CyberSecurity. There is also a script available on GitHub that can be run through the OS X terminal to delete the malware.
For Transmission users, the latest infection of the BitTorrent client is likely to give them pause. It's the second time in just five months that the application has been infected. In March, researchers at Palo Alto Networks discovered the client had been corrupted by the first ever Mac ransomware to be found in the wild.