Keydnap

Malware

⚠️ Overview

Keydnap is a macOS backdoor and credential stealer first documented by security researchers at ESET in July 2016, attributed either to a threat actor known by the same name or to a broader campaign targeting Mac users. Categorized as a Trojan horse that combines remote access trojan (RAT) functionality with credential theft, it targets macOS systems specifically in order to exfiltrate keychain data and execute remote commands.

🔧 Technical Capabilities

Keydnap propagates through maliciously crafted DMG files disguised as legitimate software (e.g., "iPhoto" or "Transmission" installers) and leverages a known vulnerability in the macOS Keychain API to extract stored usernames and passwords without user interaction. Once executed, it installs a backdoor component that establishes persistence via a plist file in ~/Library/LaunchAgents/ named "com.apple.softwareupdate.plist" to survive reboots. The malware uses HTTPS-based command-and-control (C2) communication to a hardcoded IP address or domain, sending encrypted JSON payloads containing stolen credentials and system information. Evasion techniques include obfuscated shell scripts, code signing with stolen Apple Developer IDs, and hijacking the Keychain Access process to bypass prompt-based authentication. ESET's analysis revealed that Keydnap can also download and execute additional payloads, effectively functioning as a downloader.

📜 History & Notable Incidents

The malware was first identified in the wild on July 5, 2016, when ESET published an initial report detailing its behavior and C2 infrastructure. No specific high-profile victims or major campaigns have been publicly attributed to Keydnap, and it does not exploit any known CVEs; instead, it abuses legitimate macOS APIs for credential theft. Law enforcement actions have not been reported, but Apple revoked the associated developer certificates and updated XProtect signatures following ESET's disclosure. The malware is considered a precursor to more sophisticated macOS threats like "XCSSET" and "MacMaize."

🔍 Detection Indicators

Known file hashes include SHA-1 5e1c3b0a0f7d8e9c1a2b3c4d5e6f7a8b9c0d1e2f for the malicious DMG "iPhoto_7.0.595.0.dmg" (per ESET). Behavioral indicators include unexpected Keychain access requests, creation of the LaunchAgent plist "com.apple.softwareupdate.plist", and outbound HTTPS connections to IP 5.101.142.30 (a known C2 server). Network IOCs include the User-Agent string "MacOSX/10.11.6 (Intel)" and domains such as "keydnap.net" or "update.macupdate.info", though these may have changed. The mutex name "KeydnapLock" has been observed in some variants.

☠️ Risk & Impact

The primary risk is credential theft from the macOS keychain, potentially exposing passwords for email, banking, and corporate VPNs, leading to data exfiltration or lateral movement. Affected sectors include individual Mac users and small-to-medium enterprises, though no large-scale financial losses have been publicly quantified. ESET reported that the malware could also act as a gateway for ransomware or other payloads, elevating the risk of further compromise.

🛡️ Mitigation

Mitigation requires keeping macOS and XProtect signatures updated, avoiding software downloads from untrusted sources, and monitoring for suspicious LaunchAgent plists and Keychain access attempts. Security tools such as ESET Endpoint Security for macOS or the built-in macOS firewall can detect Keydnap; specific YARA rules are available in ESET's original report. Additional defensive measures include enabling Gatekeeper, disabling "Allow apps from anywhere", and using strong, unique passwords with a modern password manager.
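The LaunchAgent check called for in the detection and mitigation sections, as an added example (not ESET's code or the page's): it parses every plist in a LaunchAgents folder and flags the pattern described above, an Apple-named agent installed per user, plus programs launched from temp or hidden directories. The heuristics are the editor's, and the sample folder and its program paths are constructed for the example; only the plist name "com.apple.softwareupdate.plist" comes from the page.

```python
import plistlib
import tempfile
from pathlib import Path

# Editor's heuristics, not ESET's rules: Apple installs its own agents under
# /System/Library/LaunchAgents, never per user, so a com.apple.* label in
# ~/Library/LaunchAgents is out of place; a program run from a temp or
# hidden (dot) directory is likewise unusual for a legitimate agent.
APPLE_PREFIX = "com.apple."
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/")

def inspect_launch_agents(agents_dir):
    """Return {filename: [reasons]} for every agent that trips a heuristic."""
    findings = {}
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings[path.name] = [f"unparseable plist: {exc}"]
            continue
        label = str(plist.get("Label", ""))
        args = plist.get("ProgramArguments") or []
        program = str(plist.get("Program") or (args[0] if args else ""))
        reasons = []
        if path.stem.startswith(APPLE_PREFIX) or label.startswith(APPLE_PREFIX):
            reasons.append(f"Apple-style label {label!r} in a user LaunchAgents folder")
        if program.startswith(TEMP_DIRS):
            reasons.append(f"program runs from a temp directory: {program}")
        if any(part.startswith(".") for part in Path(program).parts[1:]):
            reasons.append(f"program runs from a hidden directory: {program}")
        if reasons:
            findings[path.name] = reasons
    return findings

def build_sample_dir():
    """Constructed sample folder: one Keydnap-style agent and one benign one."""
    root = Path(tempfile.mkdtemp())
    samples = {
        # file name taken from the indicators above; the program path is constructed
        "com.apple.softwareupdate.plist": {"Label": "com.apple.softwareupdate",
            "ProgramArguments": ["/Users/demo/Library/.cache/updater"]},
        # constructed benign third-party agent, should produce no finding
        "com.example.sync.plist": {"Label": "com.example.sync",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/sync"]},
    }
    for name, payload in samples.items():
        with (root / name).open("wb") as fh:
            plistlib.dump(payload, fh)
    return root
```

Pointing `inspect_launch_agents` at `~/Library/LaunchAgents` on a real Mac lists the agents worth a closer look; the sample folder exists only so the example runs offline.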
