​Mac malware inside BitTorrent app, signed with legit Apple developer ID

If you downloaded the legitimate BitTorrent client for Mac OS over the past few days, you may have installed a nasty backdoor, security experts have warned.

Earlier this year Apple was forced to take action over ransomware known as KeRanger that had been bundled into Transmission, a free and legitimate BitTorrent client for Macs.

The incident was alarming since the Transmission files were signed with a legitimate Apple developer’s certificate, which meant Apple’s GateKeeper security feature wouldn’t have flagged the files as malware. Apple responded by revoking the certificate shortly after it was alerted to the threat.

Now, cybercriminals have been caught using identical tactics to distribute another piece of malware identified by researchers at security firm ESET identify as Keydnap.

According to ESET, Keydnap attempts to steal the content of the keychain in OS X where credentials are stored, which could enable the malware to establish a permanent backdoor.

When ESET discovered the malware in July it wasn’t aware of the exact method it was used to infect Macs, however on Tuesday it discovered the backdoor malware was being distributed within Transmission v2.92.

The security company wasn’t certain when the tainted Transmission file first appeared on the site, however the file’s signing dates suggest it’s only been available for a day or two, around August 28 and August 29.

ESET has provided seven files or directories whose presence would indicate that a Mac has been compromised by the malware. Details of those files can be found here.

“If any of them exists, it means the malicious Transmission application was executed and that Keydnap is most likely running,” ESET noted.

Additionally, the attackers used a slightly different name for the malicious disk image than the legitimate one by adding a hyphen between the name of the app and the version number.

“The malicious disk image was named Transmission2.92.dmg while the legitimate one is Transmission-2.92.dmg,” ESET continued.

ESET said that the developers of Transmission have now removed the malicious file from the site. ESET has also notified Apple about the misused Apple developer certificate.

The code-signing key that was used to sign the malicious version of Transmission is a legitimate Apple certificate, however it was not Transmission’s certificate, which is listed as Digital Ignition LLC, but another developer’s certificate listed as Shaderkin Igor. Regardless, since the compromised certificate has been signed by Apple it will bypass Gatekeeper, ESET notes.

CSO Australia has sought comment from Apple and will update the story if it receives one.

ESET says the Keydnap malware has been updated since its discovery in July to include a standalone Tor client, which allows the malware to more efficiently connect to an encrypted address where it can connect to its command and control server.

The security firm also found some similarities between KeRanger ransomware and Keydnap, which share “astonishingly” similar code that is responsible for dropping and running the malicious payload.

Join the CSO newsletter!

Error: Please check your email address.

Tags cyber criminalsMac OSTransmission BitTorrentesetransomwareransomware attackscyber securitybittorrentAppleKeRanger Mac

More about AppleCSOESETIgnitionMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts