Keydnap

Malware updated 4 months ago (2024-05-05T02:17:45.371Z)
Keydnap is a form of malware that has been used in various attacks to exploit and damage computer systems. It infiltrates a system through suspicious downloads, emails, or websites, often without the user's knowledge; once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notable incidents involving Keydnap include the Transmission site being hacked twice to distribute KeRanger and Keydnap, and a HandBrake mirror server being hacked to distribute Proton.

Keydnap conceals the location of its malicious file by replacing argv[0] with /usr/libexec/icloudsyncd --launchd netlogon.bundle. As described in a paper by K. Lee and H. Koo, the identical function names suggest that this code was likely taken directly from GitHub. Once started, Keydnap installs a plist file in /Library/LaunchAgents/ if it has root privileges, or in $USER/Library/LaunchAgents/ otherwise, so that it persists across reboots. When two new processes are created within two seconds, Keydnap spawns a window asking for the user's credentials, mirroring the usual prompt OS X users see when an application requires admin privileges.

To counter Keydnap, patches and indicators of compromise (IoCs) have been published. A patch for UPX that allows unpacking Keydnap's backdoor is available in ESET's malware-research GitHub repository, and Keydnap's IoCs are continuously updated in ESET's malware-ioc GitHub repository. The malware reports back to its command and control (C&C) server through the onion.to Tor2Web proxy over HTTPS.
Description last updated: 2024-05-05T01:57:04.200Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Keydnap malware was read from the documents below.
Source (created): Title
- MITRE (2 years ago): New OSX/Keydnap malware is hungry for credentials | WeLiveSecurity
- MITRE (2 years ago): Mac cryptocurrency ticker app installs backdoors | Malwarebytes Labs