OS X malware spread via signed Transmission app… again

For the second time this year, the Transmission BitTorrent client has been compromised.

David bisson
David Bisson
@
@DMBisson

OS X malware spread via signed Transmission app... again

Researchers have caught malware being spread through a signed version of Transmission, the popular OS X BitTorrent client.

A team of malware analysts notified Transmission after the malicious file was discovered on the Transmission application’s official website. Transmission promptly removed the file. Even so, it’s unclear when the malware, which goes by the name OSX/Keydnap, first made it onto the site.

As ESET’s researchers explain:

Sign up to our free newsletter.
Security news, advice, and tips.

“According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following files or directory:”

/Applications/Transmission.app/Contents/Resources/License.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
/Library/Application Support/com.apple.iCloud.sync.daemon/
$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Under no circumstances do you want to find any of the above files running on your computer. Their presence points to an active Keydnap infection, which doesn’t mean anything good for a Mac user’s passwords.

ESET’s researchers elaborate in another blog post:

“The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X’s keychain. The author simply took a proof-of-concept example available on Github called Keychaindump. It reads securityd’s memory and searches for the decryption key for the user’s keychain. This process is described in a paper by K. Lee and H. Koo. One of the reasons we think the source was taken directly from Github is that the function names in the source code are the same in the Keydnap malware.”

Dumpkeychain functions 481x1024

Interestingly, this version of OSX/Keydnap bears a striking similarity to OSX.KeRanger.A, the first fully functional ransomware which posed as version 2.90 of Transmission back in March.

Coincidence? Not bloody likely! The code responsible for dropping the malware payload is the same:

Keranger main

OSX/Keydnap and OSX.KeRanger.A also share a C&C URL resource path and parameter as well as a legitimate code signing key that was signed by Apple, meaning that both malware samples can bypass GateKeeper.

Per ESET’s recommendation, if you installed Transmission v2.92 between August 28th and August 29th of this year, make sure you check for the presence of those files. If they’re there, remove them and scan your system with an anti-virus solution just to be on the safe side.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “OS X malware spread via signed Transmission app… again”

  1. Joe

    Everyone knows that BitTorrent is one of the easiest ways to get any malware
    If you are safety conscious about security and make a substantial investment in buying an Apple Mac over a PC because of that reason. The moment you install Transmission, you've just set yourself back.
    If you MUST "torrent", setup a simple Windows box as a virtual machine limit the bandwidth/disk space install a very good antivirus on it and just use it solely for that.
    So if you get infected you just blow away the virtual machine with no problems

    Otherwise in wise words "Prevention is better than cure"

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.