Watch out for OS X Keydnap virus

Igor Degtiarenko
Writer and blogger at MacPaw, curious just about everything.

Although many Mac viruses aren’t a significant threat, this one needed further scrutiny. It also happened to appear at almost the same time as OSX.Backdoor.Eleanor malware that was also detected in June 2016.

When Eleanor and Keydnap first appeared, there was also analysis that suggested both were connected to Windows malware viruses — known as Fareit/Pony — as if the creator or creator(s) were determined to steal as much data and cause as many problems as possible at the same time.

When Keydnap was first discovered, security analysts noted that it came in the form of an attachment, usually a Zip file, or other more benign attachments, such as . jpg or . txt. It is unclear how victims received these emails, although the usual attack vectors can’t be ruled out: spam and phishing emails, downloads from untrusted websites, and file-sharing sites. Cryptocurrency exchanges and messaging platforms can’t be ruled out either.

Once the executable file is downloaded on a Mac, it is equipped to replace admin passwords to make a permanent home on your Mac and, therefore, act as a permanent backdoor for cybercriminals. It can also disguise its location deep within files and folders, and the greatest risk it poses is it can steal passwords stored on Keychain Access.

What is Keydnap?

Security analysts found that the creator copied a “proof-of-concept example available on Github called Keychaindump” based on the work covered in a paper by K. Lee and H. Koo. The concept that Keydnap put into practice is to read security’s memory to discover the decryption key for a Mac user’s keychain.

Once it has the initial cache of data, it reports back to its command-and-control server using onion.to Tor2Web proxy over HTTPS. With this information, those behind this malware can access any website with the passwords stored in your keychain. Unless you are aware of this virus, even changing a password means you are still vulnerable because Keydnap creates a permanent backdoor into your Mac.

One of the ways it avoids the usual security measures is that the executable extension includes a space icon. Instead of .jpg or .txt, it downloads as . txt. This space means that double-clicking the file will open it in Terminal instead of where you would expect — the app should normally open in the Finder. The executable download also includes the Finder icon that would usually show up when downloading a TXT or JPEG file, making it more likely that someone would trust the download enough to click on it.

Another way Keydnap gets around security is that it contains a Mach-O executable, which means your Mac won’t display the usual warning about the download. It quickly closes the Terminal window, creates a decoy document, and adds an entry to the LaunchAgents directory, which means it will survive a reboot. All of this happens so quickly that it’s possible a Mac user doesn’t even realize they’ve let a malicious virus in. It also replaces the owner of icloudsyncd to root:admin and makes the executable setuid and setgid to ensure that it will run as the root ID in the future.

Clearly, this is an unwelcome and dangerous malware virus that needs to be removed as quickly as possible.

How to remove Keydnap?

As security analysts have already noted, it can bypass security and embed itself in numerous places across your Mac to create a permanent backdoor for cybercriminals. Removing it without some assistance may prove difficult.

You would need to search through several /Library folders, including LaunchAgents, plus make sure that you’ve replaced Support/com.apple.iCloud.sync.daemon directory back to the default, before it was replaced by Keydnap. One reason this may prove difficult is we know Keydnap can survive a reboot, so unless you catch and remove every component, the virus could come back.

Can Keydnap be removed safely?

Yes, it can, with CleanMyMac X.

CleanMyMac X - Smart Scan

CleanMyMac X is a powerful Mac guardian, keeping your Mac safe from malware, ransomware, and adware. It is also an essential performance improvement tool, uncovering and clearing loads of junk from your Mac. When it comes to unwanted adware, here is how you use it to restore your Mac to order:

  1. Download CleanMyMac X here (for free!).
  2. Click on the Malware Removal tab.
  3. Click Scan to search for Keydnap.
  4. CleanMyMac X will show you’ve been infected with Keydnap or any other malware.
  5. Click Remove, and they will vanish for good.
Scan completed in malware removal module of CMMX

Removing Keydnap is essential to retain the level of security you have come to expect from your Mac. Also, if it turns out you have been infected with Keydnap, you should change every password in your keychain, and it might be worth changing your Mac login password and/or Apple ID for safety. Look into every account that might have been affected by this to check for any unusual activity or any other viruses that may have got in through the backdoor.

Did you enjoy this post?
Share it or subscribe to our newsletter
Igor Degtiarenko
Writer and blogger at MacPaw, curious just about everything.
May 02, 2019
Updated: March 03, 2023
Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.

Free Download

CleanMy® PC will not receive new features and regular updates.

What does it mean?

  • CleanMy® PC remains safe, stable, and fully functional on all PCs that meet the system requirements.
  • Windows 11 is the last operating system to be supported.
  • Only critical bugs in CleanMy® PC will be fixed in the future; no new features or improvements will be added.
Read the full information here. Download Anyway