Keydnap is a backdoor targeting OS X that has been used in several attacks to compromise and damage computer systems. It arrives through malicious downloads, e-mails or websites, usually without the user noticing, and once installed it can steal personal information, disrupt operations or hold data hostage for ransom. Notable incidents include the Transmission website being compromised twice to distribute KeRanger and Keydnap, and a HandBrake mirror server being compromised to distribute Proton.
Keydnap conceals the location of its executable by replacing argv[0] with the string /usr/libexec/icloudsyncd –launchd netlogon.bundle, so that process listings show that path rather than the real one. A paper by K. Lee and H. Koo notes that the code for this trick was likely taken directly from GitHub, since the function names match those of the GitHub code. Once running, Keydnap installs a plist file in /Library/LaunchAgents/ if it has root privileges, or in $USER/Library/LaunchAgents/ otherwise, so that it is started again after every reboot. When it observes two new processes being created within two seconds, Keydnap displays a window requesting the user's credentials, mimicking the prompt OS X users normally see when an application asks for admin privileges.
To counter Keydnap, patches and indicators of compromise (IoCs) have been published. A patch for UPX that allows Keydnap's backdoor to be unpacked is available in ESET's malware-research GitHub repository, and Keydnap's IoCs are kept up to date in ESET's malware-ioc GitHub repository. The malware reports to its command and control (C&C) server through the onion.to Tor2Web proxy over HTTPS, which underscores the need for ongoing vigilance.
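The two behaviours described above, argv[0] masquerading and LaunchAgent persistence, both leave traces a defender can check for. The following added example (not code from ESET or from the cited paper) implements two such checks over constructed sample data; the process records, plist contents, paths, labels and PIDs are illustrative placeholders, and the argv[0] string is modelled on the one quoted in the text.

```python
import plistlib

SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")

def argv0_mismatches(procs):
    """Flag processes whose argv[0] claims an executable other than the one
    actually running, the trick Keydnap uses to hide its file location.
    procs: dicts with 'pid', 'exe' (real path) and 'argv' (argument list)."""
    hits = []
    for p in procs:
        claimed = p["argv"][0] if p["argv"] else ""
        # argv[0] should never carry embedded arguments after a space.
        embedded_args = " " in claimed
        # Compare paths only when argv[0] is absolute; bare names are normal.
        wrong_path = claimed.startswith("/") and claimed.split(" ")[0] != p["exe"]
        if embedded_args or wrong_path:
            hits.append(p["pid"])
    return hits

def suspicious_launch_agents(plists):
    """Flag LaunchAgents whose label imitates Apple ('com.apple.*') but whose
    program lives outside system locations, e.g. under a user's home directory.
    plists: dict mapping plist path -> parsed plist dict."""
    hits = []
    for path, plist in plists.items():
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else "")
        if plist.get("Label", "").startswith("com.apple.") and not program.startswith(SYSTEM_PREFIXES):
            hits.append(path)
    return hits

# Constructed sample data: paths, labels and PIDs are illustrative, not real IoCs.
SAMPLE_PROCS = [
    {"pid": 101, "exe": "/usr/libexec/trustd", "argv": ["/usr/libexec/trustd"]},
    {"pid": 102, "exe": "/Applications/Safari.app/Contents/MacOS/Safari", "argv": ["Safari"]},
    {"pid": 103, "exe": "/Users/alice/Library/Application Support/example/icloudsyncd",
     "argv": ["/usr/libexec/icloudsyncd --launchd netlogon.bundle"]},
]
_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.example-sync</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Application Support/example/icloudsyncd</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.apple.example-sync.plist": plistlib.loads(_AGENT_PLIST),
    "/Library/LaunchAgents/com.vendor.updater.plist": {
        "Label": "com.vendor.updater", "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"]},
}
```

On a live machine the process records would be gathered from ps or lsof (real executable path versus reported command line) and the plist dict built with plistlib.load over the files in ~/Library/LaunchAgents and /Library/LaunchAgents.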
Description last updated: 2024-05-05T01:57:04.200Z