OSX_KEYDNAP.J

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It steals certain information from the system and/or the user.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• OSX_DROPPER.A

Installation

This Backdoor adds the following processes:

• icloudproc
• License.rtf
• icloudsyncd
• /usr/libexec/icloudsyncd -launchd netlogon.bundle

Backdoor Routine

This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}citdpqa7tv.onion/api/osx

Dropping Routine

This Backdoor drops the following files:

• /Applications/Transmission.app/Contents/Resources/License.rtf
• /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
• $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
• $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
• $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
• /Library/Application Support/com.apple.iCloud.sync.daemon/
• $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Information Theft

This Backdoor steals the following information:

• Keychain credentials

Other Details

This Backdoor does the following:

• Uses local TOR as proxy
• Uses a legitimate code signing key for the malicious Transmission application bundle
• It has the following capabilities:
  • -download/upload files
  • -create processes
  • -update self
  • -steal user credentials